[Openstack-security] Fwd: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue

G. S. McNamara main at gsmcnamara.com
Fri Oct 4 01:29:45 UTC 2013


Hi everyone, sorry, I did not see that there were people CC'd on the
original email.

Following on to what I emailed in response to Kurt (included after this
email), here is the response I got when I submitted information about the
similar Ruby on Rails vulnerability to the Vulnerability Analysis Team at
the CERT(R) Coordination Center:

We appreciate you reporting this issue to us. We are tracking this issue as
VU#160862. Please be sure to include VU#160862 in the
subject when replying to this email.

Since you have already made this vulnerability public, we do not feel that
coordination is necessary at this point.
We encourage you to work directly with the Ruby on Rails security team to
resolve this issue.


Hope this helps. Again, do not hesitate to reach out for any information
you might need for the Django or Rails vulnerabilities.

Thanks!

G. S. McNamara


On Thu, Oct 3, 2013 at 9:14 PM, G. S. McNamara <main at gsmcnamara.com> wrote:

> Hi Kurt,
>
> If you could assign a CVE that would be great.
>
> I did not attempt to with this disclosure because my previous disclosure
> of a similar issue with the Ruby on Rails framework detailed here (
> http://maverickblogging.com/logout-is-broken-by-default-ruby-on-rails-web-applications/)
> was rejected on account of me publishing the information publicly.
>
> I'd love to provide you whatever information you need for the CVE.
>
>
> Thanks!
>
> G. S. McNamara
>
> Founder & Head Hustler | Inc.less, An Ideas Company | +1 (202) 507-9703 |
> Washington, D.C. | Linkedin <http://www.linkedin.com/in/GSMcNamara> |
> Twitter <https://twitter.com/GSMcNamara>
>
>
> On Thu, Oct 3, 2013 at 9:11 PM, Kurt Seifried <kseifried at redhat.com> wrote:
>
>>
>> On 10/02/2013 03:09 AM, Jeffrey Walton wrote:
>> > Not sure if this made anyone's radar....
>> >
>> > (I'm not sure about the 1.7 version, though).
>> >
>> > ---------- Forwarded message ----------
>> > From: G. S. McNamara <main at gsmcnamara.com>
>> > Date: Tue, Oct 1, 2013 at 4:20 PM
>> > Subject: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue
>> > To: full-disclosure at lists.grok.org.uk
>> >
>> > FD,
>> >
>> > I’m back!
>> >
>> > Django versions 1.4 – 1.7 offer a cookie-based session storage
>> > option (not the default this time) that is afflicted by the same
>> > issue I posted about previously concerning Ruby on Rails:
>> >
>> > If you obtain a user’s cookie, even if they log out, you can still
>> > log in as them.
>> >
>> > The short write-up is here, if needed:
>> >
>> > http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
>> >
>> > Cheers,
>> >
>> > G. S. McNamara
>>
>> Sounds like this needs a CVE? Has one been requested from Mitre? If
>> not I can assign it.
>>
>> https://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
>>
>> --
>> Kurt Seifried Red Hat Security Response Team (SRT)
>> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>>
>
>
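The failure mode described in the forwarded advisory (a signed, client-held session that logout cannot revoke) and one server-side mitigation, as an added example; this is not Django's session code and not the author's write-up. The HMAC-signed cookie, the secret key and the in-memory per-user "generation" store are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-secret"  # assumption: stand-in for a framework SECRET_KEY


def sign(payload: dict) -> str:
    """Serialise and HMAC-sign a session payload, as a cookie-based session does."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + ":" + mac


def verify(cookie: str):
    """Return the payload if the signature is valid, else None."""
    if ":" not in cookie:
        return None
    body, mac = cookie.rsplit(":", 1)
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


# Stateless variant: logout only deletes the cookie on the client, so a
# previously captured copy still carries a valid signature afterwards.
def stateless_user_from_cookie(cookie: str):
    data = verify(cookie)
    return data["user"] if data else None


# Hardened variant: the server keeps a per-user session generation and embeds
# it in the signed payload; logout bumps the counter, so every cookie issued
# before the logout no longer matches, whoever presents it.
SESSION_GENERATION = {"alice": 0}  # constructed in-memory store (would be a DB/cache)


def hardened_login(user: str) -> str:
    return sign({"user": user, "gen": SESSION_GENERATION[user]})


def hardened_logout(user: str) -> None:
    SESSION_GENERATION[user] += 1  # revokes all outstanding cookies for this user


def hardened_user_from_cookie(cookie: str):
    data = verify(cookie)
    if not data or data.get("gen") != SESSION_GENERATION.get(data.get("user")):
        return None
    return data["user"]
```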

