Security - Vulnerability in javascript library jquery-ui-dialog 1.8.14 & jquery 1.7.2 #6055
@qladriere do you find other issues? Can you send me the result by email?
Dear,
There are some other issues.
1) Cross-site request forgery (found in include/home/customViews/action.php):

The most effective way to protect against CSRF vulnerabilities is to include within relevant requests an additional token that is not transmitted in a cookie: for example, a parameter in a hidden form field. This additional token should contain sufficient entropy, and be generated using a cryptographic random number generator, such that it is not feasible for an attacker to determine or predict the value of any token that was issued to another user. The token should be associated with the user's session, and the application should validate that the correct token is received before performing any action resulting from the request.

An alternative approach, which may be easier to implement, is to validate that Host and Referer headers in relevant requests are both present and contain the same domain name. However, this approach is somewhat less robust: historically, quirks in browsers and plugins have often enabled attackers to forge cross-domain requests that manipulate these headers to bypass such defenses.

2) Password field with autocomplete enabled (found in index.php):

To prevent browsers from storing credentials entered into HTML forms, include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

Please note that modern web browsers may ignore this directive. In spite of this there is a chance that not disabling autocomplete may cause problems obtaining PCI compliance.

3) The other remaining issues found till now should be covered in the following pull request: centreon/centreon#6049

I see that changes should come in the release 2.8.20. Do you have an idea when it will be available (and, btw, solved)?
Good afternoon.
Best regards,
Ladrière Quentin
2018-02-12 10:51 GMT+01:00 Laurent Pinsivy <notifications@github.com>:
… @qladriere <https://github.com/qladriere> do you find other issue? can
you send me the result by email?
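The two CSRF defenses described in the message above (a session-bound token carried in a hidden form field, and the weaker Host/Referer comparison) as an added example in Python. This is illustration code written for this thread, not Centreon's code and not PHP; the session store, header dictionary and form dictionary are constructed stand-ins for a real web framework's request objects.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit


def issue_csrf_token(session: dict) -> str:
    """Generate a 256-bit token from the OS CSPRNG and bind it to this session.

    The token is returned so the page can embed it in a hidden form field;
    it is deliberately never placed in a cookie, because cookies are sent
    automatically with cross-site requests.
    """
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def hidden_field(token: str) -> str:
    """Render the token as the hidden input that the form must echo back."""
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def validate_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Accept only a token that matches the one stored in *this* session.

    hmac.compare_digest avoids leaking the expected value via timing.
    """
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def same_origin_headers(headers: Dict[str, str]) -> bool:
    """Fallback check from the message: Host and Referer must both be present
    and name the same host. Less robust than the token, as the text notes."""
    host = headers.get("Host")
    referer = headers.get("Referer")
    if not host or not referer:
        return False
    return urlsplit(referer).hostname == host.split(":")[0].lower()


def handle_post(session: dict, form: Dict[str, str], headers: Dict[str, str]) -> str:
    """Hypothetical request handler for a state-changing action such as
    saving a custom view: validate the token before doing any work."""
    if not validate_csrf_token(session, form.get("csrf_token")):
        return "403 rejected: missing or invalid CSRF token"
    # ... perform the action here ...
    return "200 ok"


if __name__ == "__main__":
    # Constructed walk-through: one session renders a form, then submits it.
    session = {}
    token = issue_csrf_token(session)
    print(hidden_field(token))
    print(handle_post(session, {"csrf_token": token}, {}))   # 200 ok
    print(handle_post(session, {}, {}))                      # 403 rejected
    print(same_origin_headers({"Host": "monitoring.example",
                               "Referer": "https://monitoring.example/main.php"}))
```

The important property is in `validate_csrf_token`: a token issued to one session is rejected when presented with another session, so an attacker cannot obtain a valid value by visiting the site themselves.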
Hi, We release a bugfix version after each sprint of 3 weeks + QA time to validate development. The sprint for the 2.8.19 version will finish this Friday. So we will start development for 2.8.20 in 1 week.
Hello, Thanks for this info. So I guess that it should be done by end of March?
I hope too ;)
Hello,
Dears,
After executing a security test, some vulnerabilities have been found due to outdated javascript libraries. I don't know the usage of these libraries so I would like to know if you plan to update them (or if it can be planned)?
Here are the details:
The library jquery-ui-dialog version 1.8.14 has known security issues.
For more information, visit those websites:
jquery/api.jqueryui.com#281
https://snyk.io/vuln/npm:jquery-ui:20160721
Affected versions
The vulnerability is affecting all versions prior to 1.12.0 (between * and 1.12.0)
Other considerations
The vulnerability might be affecting a feature of the library that the website is not using.
The library name and its version are identified based on a Retire.js signature. If the library identification is not correct, the prior vulnerability does not apply.
2) File www/include/common/javascript/jquery/jquery.min.js includes a vulnerable version of the library "jquery"
The library jquery version 1.7.2 has known security issues.
For more information, visit those websites:
jquery/jquery#2432
http://blog.jquery.com/2016/01/08/jq...1-12-released/
Affected versions
The vulnerability is affecting all versions prior to 1.12.0 (between 1.4.0 and 1.12.0)
Other considerations
The vulnerability might be affecting a feature of the library that the website is not using.
The library name and its version are identified based on a Retire.js signature. If the library identification is not correct, the prior vulnerability does not apply.
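The report says the libraries were identified "based on a Retire.js signature" and flags them against the affected ranges quoted above. As an added example (not Retire.js itself and not part of this issue), here is the core of such a check in Python: match a version banner, then compare the parsed version against the two ranges the report gives (jquery 1.4.0 up to but excluding 1.12.0; jquery-ui anything below 1.12.0). The file banners are constructed samples, the signature regexes are assumptions, and, as the report itself notes, a match only says the version is in the affected range, not that the vulnerable feature is used.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample banners, mimicking the comment at the top of minified builds.
SAMPLES: Dict[str, str] = {
    "www/include/common/javascript/jquery/jquery.min.js":
        "/*! jQuery v1.7.2 jquery.com | jquery.org/license */",
    "jquery-ui-dialog.min.js":
        "/*! jQuery UI - v1.8.14 - 2011-06-13 (constructed banner) */",
    "jquery-3.6.0.min.js":
        "/*! jQuery v3.6.0 | (c) OpenJS Foundation */",
}

# Affected ranges as stated in the report: [lower, upper), None = unbounded.
ADVISORIES = [
    ("jquery", (1, 4, 0), (1, 12, 0), "jquery/jquery#2432"),
    ("jquery-ui", None, (1, 12, 0), "jquery/api.jqueryui.com#281"),
]

# Assumed banner signatures. The jQuery UI pattern is tried first because its
# banner also contains the word "jQuery".
SIGNATURES = [
    ("jquery-ui", re.compile(r"jQuery UI[ -]+v?(\d+)\.(\d+)\.(\d+)")),
    ("jquery", re.compile(r"jQuery v(\d+)\.(\d+)\.(\d+)")),
]


def identify(header: str) -> Optional[Tuple[str, Version]]:
    """Return (library name, version) for the first matching signature, else None."""
    for name, pattern in SIGNATURES:
        m = pattern.search(header)
        if m:
            major, minor, patch = (int(x) for x in m.groups())
            return name, (major, minor, patch)
    return None


def affected(name: str, version: Version) -> List[str]:
    """List the advisory references whose range contains this version."""
    hits = []
    for lib, lower, upper, ref in ADVISORIES:
        if lib != name:
            continue
        if lower is not None and version < lower:
            continue
        if upper is not None and version >= upper:
            continue
        hits.append(ref)
    return hits


def scan(files: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Scan {path: banner} and return (path, library, version, reference) findings."""
    findings = []
    for path, header in files.items():
        ident = identify(header)
        if ident is None:
            continue
        name, version = ident
        for ref in affected(name, version):
            findings.append((path, name, ".".join(map(str, version)), ref))
    return findings


if __name__ == "__main__":
    for path, lib, ver, ref in scan(SAMPLES):
        print(f"{path}: {lib} {ver} is in an affected range, see {ref}")
```

Tuple comparison on `(major, minor, patch)` is what makes the range test correct: comparing the raw strings would rank "1.7.2" above "1.12.0".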