centreon / centreon-archived

Centreon is a network, system and application monitoring tool. Centreon is the only AIOps Platform Providing Holistic Visibility to Complex IT Workflows from Cloud to Edge.
https://www.centreon.com
GNU General Public License v2.0

Security - Vulnerability in javascript library jquery-ui-dialog 1.8.14 & jquery 1.7.2 #6055

Open qladriere opened 6 years ago

qladriere commented 6 years ago

Dears,

After executing a security test, some vulnerabilities have been found due to outdated JavaScript libraries. I don't know the usage of these libraries, so I would like to know if you plan to update them (or if it can be planned)?

Here are the details:

1) File www/include/common/javascript/jquery/jquery-ui.js includes a vulnerable version of the library "jquery-ui-dialog"

The library jquery-ui-dialog version 1.8.14 has known security issues. For more information, visit those websites:
https://github.com/jquery/api.jqueryui.com/issues/281
https://snyk.io/vuln/npm:jquery-ui:20160721

Affected versions: the vulnerability is affecting all versions prior to 1.12.0 (between * and 1.12.0).

Other considerations: the vulnerability might be affecting a feature of the library that the website is not using.

The library name and its version are identified based on a Retire.js signature. If the library identification is not correct, the prior vulnerability does not apply.

2) File www/include/common/javascript/jquery/jquery.min.js includes a vulnerable version of the library "jquery"

The library jquery version 1.7.2 has known security issues. For more information, visit those websites:
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jq...1-12-released/

Affected versions: the vulnerability is affecting all versions prior to 1.12.0 (between 1.4.0 and 1.12.0).

Other considerations: the vulnerability might be affecting a feature of the library that the website is not using.

The library name and its version are identified based on a Retire.js signature. If the library identification is not correct, the prior vulnerability does not apply.
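A check that reproduces the kind of version identification behind the two findings above, as an added example in PHP (not part of this issue, of the scanner, or of Centreon's code): it reads the opening banner of each bundled build, picks out the library and version, and compares against 1.12.0 with version_compare(). The banners are constructed to mirror the two reported files plus one current build; the FLOORS table and the path list are assumptions taken from the report, and banner matching is a heuristic in exactly the sense the Retire.js note gives.

```php
<?php
// Added example, not Centreon code: flag bundled jQuery / jQuery UI builds whose
// banner version is below the first release the report names as fixed (1.12.0
// for both). Banner matching is a heuristic, as with Retire.js signatures: a
// renamed or stripped banner gives "unidentified" rather than a wrong result.
declare(strict_types=1);

// Lowest acceptable version per library (assumed from the report above).
const FLOORS = [
    'jquery'    => '1.12.0',
    'jquery-ui' => '1.12.0',
];

/**
 * Identify library and version from the opening comment of a build.
 * jQuery UI 1.8.x banners read "jQuery UI 1.8.14"; jQuery reads "jQuery v1.7.2".
 * The UI pattern runs first because its banner also matches the jQuery one.
 */
function identifyBanner(string $head): ?array
{
    if (preg_match('/jQuery UI\b.*?\bv?(\d+\.\d+(?:\.\d+)?)/is', $head, $m)) {
        return ['name' => 'jquery-ui', 'version' => $m[1]];
    }
    if (preg_match('/jQuery\b.*?\bv(\d+\.\d+(?:\.\d+)?)/is', $head, $m)) {
        return ['name' => 'jquery', 'version' => $m[1]];
    }
    return null;
}

/** True when the library is tracked and its version sorts below the floor. */
function isBelowFloor(string $name, string $version): bool
{
    return array_key_exists($name, FLOORS)
        && version_compare($version, FLOORS[$name], '<');
}

/** Read only the first 512 bytes of a real file; the banner is always at the top. */
function readHead(string $path): string
{
    $head = @file_get_contents($path, false, null, 0, 512);
    return $head === false ? '' : $head;
}

/** Map each path to 'ok', 'unidentified' or a "<lib> <ver> < <floor>" finding. */
function scan(array $heads): array
{
    $findings = [];
    foreach ($heads as $path => $head) {
        $lib = identifyBanner($head);
        if ($lib === null) {
            $findings[$path] = 'unidentified';
        } elseif (isBelowFloor($lib['name'], $lib['version'])) {
            $findings[$path] = sprintf('%s %s < %s', $lib['name'], $lib['version'], FLOORS[$lib['name']]);
        } else {
            $findings[$path] = 'ok';
        }
    }
    return $findings;
}

// Constructed sample banners standing in for readHead() on the reported files
// plus one current build, so the script runs without the Centreon tree present.
$samples = [
    'www/include/common/javascript/jquery/jquery.min.js'       => '/*! jQuery v1.7.2 jquery.com | jquery.org/license */',
    'www/include/common/javascript/jquery/jquery-ui.js'        => "/*!\n * jQuery UI 1.8.14\n *\n * Copyright 2011, AUTHORS.txt",
    'www/include/common/javascript/jquery/jquery-3.3.1.min.js' => '/*! jQuery v3.3.1 | (c) JS Foundation and other contributors */',
];

foreach (scan($samples) as $path => $status) {
    printf("%-60s %s\n", $path, $status);
}
```

To run it against a real checkout, build the array with readHead() over the files in www/include/common/javascript/jquery/ instead of the constructed strings. A result of "ok" only means the banner version clears the floor; it says nothing about whether the vulnerable feature (the dialog widget, the affected selector paths) is actually reachable from the pages that load the file, which is the "Other considerations" caveat in the report.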

lpinsivy commented 6 years ago

@qladriere did you find other issues? Can you send me the result by email?

qladriere commented 6 years ago

Dear,

There are some other issues.

1) Cross-site request forgery (found in include/home/customViews/action.php):

The most effective way to protect against CSRF vulnerabilities is to include within relevant requests an additional token that is not transmitted in a cookie: for example, a parameter in a hidden form field. This additional token should contain sufficient entropy, and be generated using a cryptographic random number generator, such that it is not feasible for an attacker to determine or predict the value of any token that was issued to another user. The token should be associated with the user's session, and the application should validate that the correct token is received before performing any action resulting from the request.

An alternative approach, which may be easier to implement, is to validate that Host and Referer headers in relevant requests are both present and contain the same domain name. However, this approach is somewhat less robust: historically, quirks in browsers and plugins have often enabled attackers to forge cross-domain requests that manipulate these headers to bypass such defenses.

2) Password field with autocomplete enabled (found in index.php):

To prevent browsers from storing credentials entered into HTML forms, include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields). Please note that modern web browsers may ignore this directive. In spite of this there is a chance that not disabling autocomplete may cause problems obtaining PCI compliance.

3) The other remaining issues found till now should be covered in the following pull request : https://github.com/centreon/centreon/pull/6049

I see that changes should come in the release 2.8.20. Do you have an idea when it will be available (and, btw, solved)?

Good afternoon.

Best regards,

Ladrière Quentin

2018-02-12 10:51 GMT+01:00 Laurent Pinsivy notifications@github.com:

@qladriere https://github.com/qladriere do you find other issue? can you send me the result by email?

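The token scheme recommended in finding 1 and the autocomplete="off" form from finding 2, as an added example in PHP (not code from this issue or from Centreon; the field names, the deleteView action and the login form markup are illustrative): a 256-bit token from the CSPRNG is stored in the session, emitted as a hidden field, and compared in constant time before the action handler runs. The CLI branch emulates the session store so the script can be run without a web server.

```php
<?php
// Added example, not Centreon code: a per-session anti-CSRF token carried in a
// hidden form field and checked server-side before any state-changing action,
// as recommended for action.php above, plus the autocomplete="off" password
// field from the second finding. Field and action names are illustrative.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD       = 'csrf_token';

/** Session token: 32 bytes from the CSPRNG, hex-encoded, generated once per session. */
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/** Hidden input to embed in every form that triggers a state change. */
function csrfField(): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        CSRF_FIELD,
        htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8')
    );
}

/**
 * True only when a session token exists and the submitted one matches it.
 * hash_equals() is constant-time; an absent token on either side fails closed,
 * and a non-string value (csrf_token[]=x) is rejected instead of raising an error.
 */
function csrfValid(array $post): bool
{
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

/** Gate for action handlers: reject the request before touching any state. */
function requireCsrf(array $post): void
{
    if (!csrfValid($post)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

/** Login form carrying the token, with browser credential storage disabled. */
function loginForm(): string
{
    return '<form method="post" action="index.php" autocomplete="off">'
        . csrfField()
        . '<input type="text" name="username">'
        . '<input type="password" name="password" autocomplete="off">'
        . '<button type="submit">Login</button>'
        . '</form>';
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demo: emulate the session store instead of calling session_start().
    $_SESSION = [];
    $forged = ['action' => 'deleteView', 'id' => '3'];   // cross-site POST: no token
    $legit  = $forged + [CSRF_FIELD => csrfToken()];     // form rendered with csrfField()
    printf("forged request accepted: %s\n", csrfValid($forged) ? 'yes' : 'no');
    printf("legit request accepted:  %s\n", csrfValid($legit) ? 'yes' : 'no');
    echo loginForm(), PHP_EOL;
} else {
    session_start();
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        requireCsrf($_POST);
        // ... perform the custom view action here ...
    }
}
```

The check belongs at the top of the action handler, before any branch that modifies data, since a CSRF page can only submit the parameters it knows and never the victim's session token. As the report notes, current browsers may ignore autocomplete="off" on password fields; the attribute is kept because it costs nothing and some compliance checklists still look for it, but it is not a security control on its own.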

lpinsivy commented 6 years ago

Hi,

We release a bugfix version after each sprint of 3 weeks + QA time to validate development.

The sprint for the 2.8.19 version will finish this Friday.

So we will start development for 2.8.20 in 1 week.

qladriere commented 6 years ago

Hello,

Thanks for this info. So I guess that it should be done by end of March?

lpinsivy commented 6 years ago

I hope too ;)

qladriere commented 6 years ago

Hello, In this version (2.8.20), do you plan also to solve other issues like "cross site request forgery", "password field",...?

qladriere commented 6 years ago

Hello, Can you please let me know about the status concerning this issue? Is it solved in the new version (I see it's still in "Todo Dev in 2.8.20")? Also, what about the other findings ("cross site request forgery",...) ?

qladriere commented 6 years ago

Hello, Still no news... I see that you removed this issue from 2.8.20 but not planned for another version. Can you please let me know if you plan to solve these sec issues? If yes, do you already know when?