
Bug 531434

Summary: CSRF vulnerability in tuleap.eclipse.org that can be used to take over accounts
Product: Community
Component: Vulnerability Reports
Reporter: itle kedi <itlekedi>
Assignee: Security vulnerabilities reported against Eclipse projects <vulnerability.reports-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: chris.guindon, gael.blondelle, itlekedi, manuel.vacelet, thomas.gerbet, wayne.beaton
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: Windows 10
Whiteboard:
Attachments: "Use this to test" (flags: none)

Description itle kedi CLA 2018-02-20 17:28:47 EST
Created attachment 272775: Use this to test

Hi,

I have found a CSRF vulnerability in tuleap.eclipse.org's account settings page. There is no control over where the request comes from when changing the email address. By abusing this flaw, an attacker can trigger a request that makes the victim change their email address to the attacker's own address. Actually, I am not sure, but there is a parameter (named challenge) that may be used as a CSRF token; even if it is empty, the request is still valid. Also notice that the userid parameter is ignored when choosing the user whose address will be changed.

By making the victim change his mail address, an attacker can make a password reset request with that mail and then log in as the victim.

Steps to reproduce:

Log in to an account.

Use the attached HTML file to change any account's mail address to comecheckitout1337999@yopmail.com.
You can observe the delivered mail using yopmail.com and the relevant mail address.

PS: do not use your own account to reproduce the behaviour; consider that yopmail emails can be accessed by anyone, so only use a test account.

Fix: use a CSRF token.
You can use this guide to implement a secure CSRF token:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet


kind regards
Monochrome
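The flaw as the report describes it, beside the fix the reporter recommends, as an added example that is not part of the bug report and is not Tuleap's code. It assumes an in-memory session store, a user table, a "sess-victim" cookie, a SITE_ORIGIN and handler names that are all made up for illustration; only the three observed behaviours (a session cookie is the only check, an empty challenge is accepted, userid is ignored) come from the report. The forged request plays the role of the attached HTML file.

```python
"""CSRF on an email-change endpoint: the reported flaw beside a hardened form.

Constructed example, not Tuleap code. The session store, user table, cookie
'sess-victim', SITE_ORIGIN and all function names are assumptions made for
illustration; only the three observed behaviours come from the report.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://tuleap.example.org"  # assumed origin of the protected site


@dataclass
class Session:
    user_id: int
    # Per-session synchronizer token, the role the report suspects the
    # 'challenge' parameter was meant to play.
    challenge: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def fresh_state():
    """Constructed sample state: a user table and one logged-in victim."""
    users = {1: "victim@example.org", 2: "attacker@example.org"}
    sessions = {"sess-victim": Session(user_id=1)}
    return users, sessions


def forged_request(cookie, attacker_email):
    """What an attacker's page makes the victim's browser send: the victim's
    cookie goes along automatically, the attacker fills every form field,
    'challenge' is left empty and 'userid' is arbitrary."""
    return {
        "cookie": cookie,
        "headers": {"Origin": "https://evil.example.net"},
        "form": {"userid": "9999", "challenge": "", "email": attacker_email},
    }


def legitimate_request(cookie, session, new_email):
    """A request from the site's own settings page carries the session token."""
    return {
        "cookie": cookie,
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"challenge": session.challenge, "email": new_email},
    }


def vulnerable_change_email(users, sessions, request):
    """Mirrors the report: a valid session cookie is the only check. 'challenge'
    is never compared (empty passes) and 'userid' is ignored, so the session's
    own account is the one rewritten."""
    session = sessions.get(request["cookie"])
    if session is None:
        return False
    users[session.user_id] = request["form"]["email"]
    return True


def same_origin(headers):
    """Defence in depth: if the browser sent Origin (or Referer), scheme and
    host must match ours. A missing header is tolerated here; a stricter
    deployment would reject it as well."""
    value = headers.get("Origin") or headers.get("Referer")
    if value is None:
        return True
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def hardened_change_email(users, sessions, request):
    """Same endpoint with the checks the OWASP cheat sheet recommends."""
    session = sessions.get(request["cookie"])
    if session is None:
        return False
    # 1. Synchronizer token: present and equal to the session's token
    #    (constant-time compare so the check itself leaks nothing).
    submitted = request["form"].get("challenge", "")
    if not submitted or not hmac.compare_digest(
        submitted.encode(), session.challenge.encode()
    ):
        return False
    # 2. Origin/Referer must be our site whenever the browser supplies it.
    if not same_origin(request["headers"]):
        return False
    # 3. The account to modify comes from the session, never from 'userid'.
    users[session.user_id] = request["form"]["email"]
    return True


def demo():
    """Replay the forged request against both handlers; return what happened."""
    users, sessions = fresh_state()
    forged = forged_request("sess-victim", "attacker@example.org")
    vuln_ok = vulnerable_change_email(users, sessions, forged)
    vuln_email = users[1]

    users, sessions = fresh_state()
    hard_forged_ok = hardened_change_email(users, sessions, forged)
    legit = legitimate_request("sess-victim", sessions["sess-victim"], "new@example.org")
    hard_legit_ok = hardened_change_email(users, sessions, legit)
    return {
        "vulnerable_forged_succeeded": vuln_ok,
        "victim_email_after_vulnerable": vuln_email,
        "hardened_forged_succeeded": hard_forged_ok,
        "hardened_legit_succeeded": hard_legit_ok,
        "victim_email_after_hardened": users[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the forged request rewriting the victim's address under the vulnerable handler and being rejected under the hardened one, while the site's own form (token present, same origin) still succeeds. The token check is the fix that closes the hole; the Origin check only narrows it further, and binding the target account to the session rather than to a userid field is what stops the request from being redirected at another user.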
Comment 1 Wayne Beaton CLA 2018-02-21 10:58:46 EST
Gael, how do we get the Tuleap instance keepers engaged here?
Comment 2 Gael Blondelle CLA 2018-02-23 08:10:39 EST
I can reach out to their CTO.
Should I add him in CC so that he gets notified about this issue?

What is the process?

Cheers,
Comment 3 Wayne Beaton CLA 2018-02-26 16:23:59 EST
(In reply to Gael Blondelle from comment #2)
> What is the process?

I don't have an answer. This falls outside of my scope of influence. The working groups that use the Tuleap instance own the process.
Comment 4 itle kedi CLA 2018-02-28 18:02:06 EST
Do you need any further information from me?
How are we going to proceed?


Here is a POC video about how an attacker can exploit this to takeover accounts.

https://vimeo.com/257985434

password: oslnq46ube.13142

May I fully disclose the video? After all, anyone can access this report, so the video is accessible too.

Best wishes
Comment 5 Manuel Vacelet CLA 2018-03-01 04:15:02 EST
Hi,

Thanks for reporting this to us, we are investigating the issue.
We would be very thankful if you could hold the disclosure until we have made our analysis so we can provide guidance (I will update this ticket later today about that).

Please note that, ideally, security issues related to Tuleap should be reported via https://www.tuleap.org/security so our security team can be notified ASAP (I didn't have notice of this issue until today).

Manuel
Comment 6 Manuel Vacelet CLA 2018-03-01 07:54:11 EST
The problem is confirmed on our end and a patch is under review to address it.
We logged the issue at https://tuleap.net/plugins/tracker/?aid=11217 but it's currently private until the fix lands in an installable version of Tuleap.

We didn't request a CVE ourselves but feel free to do it if you want to.
We can also grant you the discovery of the issue if you want, just tell us who we should credit.

The new version of Tuleap (9.18) was targeted to be released today. Despite this late bug we should be on schedule and release with a fix later today. I'll update the ticket once that is done and tuleap.eclipse.org is updated as well.

We would appreciate it if you could hold the disclosure until Monday to let people upgrade and be safe.
Comment 7 itle kedi CLA 2018-03-01 08:34:10 EST
Hi,

Thanks for the information. I am sorry for the inconvenience; I thought it was an Eclipse Foundation application since I saw the subdomain tuleap.eclipse.com and was not aware of Tuleap before. That was a vulgar idea obviously. :(

I'm not in a hurry to disclose, so no problem. You can credit my Twitter account twitter.com/@mustafaran. I will request a CVE.

Since the bug is not directly related to Eclipse and should be private until the fix, we can communicate over https://tuleap.net/plugins/tracker/?aid=11217, if you can include/invite me (tuleap.net login name: monochrome) for the fix confirmation.

Then we can close the issue here.

Best wishes
Comment 8 Thomas Gerbet CLA 2018-03-01 09:54:35 EST
Hello,

A fix for the issue is now available starting with version 9.17.99.230.
You can find the corresponding commit here: https://tuleap.net/plugins/git/tuleap/tuleap/stable?p=tuleap%2Fstable.git&a=commitdiff&h=d6701289ae55de900929ff0f66313fa9771a198d

We are now working on releasing Tuleap 9.18.

itle kedi: You have been granted access to the ticket on Tuleap.net (https://tuleap.net/plugins/tracker/?aid=11217) if you want to continue the conversation there.
Comment 9 Christopher Guindon CLA 2018-03-01 10:01:27 EST
(In reply to itle kedi from comment #7)

> Since bug is not related directly eclipse, and should be private till the
> fix, we can communicate over https://tuleap.net/plugins/tracker/?aid=11217,
> if you can include/invite me (tuleap.net login name : monochrome) for the
> fix confirmation.
> 
> Then we can close the issue here.

We will keep this bug open until we can confirm that the instances hosted on eclipse.org have been patched.
Comment 10 Manuel Vacelet CLA 2018-03-02 03:37:32 EST
tuleap.eclipse.org is now up to date with 9.18.

Thanks again for the report. It would be great to keep it restricted until Monday.
Comment 11 Manuel Vacelet CLA 2018-03-02 05:35:11 EST
The CVE was disclosed yesterday instead of next Monday as originally agreed: https://nvd.nist.gov/vuln/detail/CVE-2018-7634

It means that the Eclipse server was exposed to a public vuln until the upgrade this morning at ~09:10 CET. However, I didn't find any evidence of an attempt to exploit it in the logs.
Comment 12 itle kedi CLA 2018-03-02 08:26:59 EST
I didn't request public disclosure for the CVE. My intention was to keep it private until the Enalean team approved public disclosure. I think they published it upon the Enalean team's request or upon the release of the fix code, I don't know. Besides, I will keep the POC video and technical details private until Monday as we agreed. Also, I will change the video password.

Best Wishes.
Comment 13 Thomas Gerbet CLA 2018-03-05 12:19:13 EST
Hello,

As originally expected, this security bug is now public on our side: https://tuleap.net/plugins/tracker/?aid=11217
Comment 14 Wayne Beaton CLA 2018-03-05 12:32:04 EST
I've removed the committers-only flag. I've also removed the "security" keyword since this isn't an Eclipse software related issue and so should not be reported as such.