From metatracker at psf.upfronthosting.co.za Tue Jul 9 11:46:17 2013
From: metatracker at psf.upfronthosting.co.za (anatoly techtonik)
Date: Tue, 09 Jul 2013 09:46:17 +0000
Subject: [Tracker-discuss] [issue518] Plaintext connections when logging in
In-Reply-To: <1372445002.61.0.716152136804.issue518@psf.upfronthosting.co.za>
Message-ID:

anatoly techtonik added the comment:

https does help those with security knowledge to login safely.

----------
nosy: +techtonik

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From techtonik at gmail.com Tue Jul 9 11:45:53 2013
From: techtonik at gmail.com (anatoly techtonik)
Date: Tue, 9 Jul 2013 12:45:53 +0300
Subject: [Tracker-discuss] [issue518] Plaintext connections when logging in
In-Reply-To: <1372445002.61.0.716152136804.issue518@psf.upfronthosting.co.za>
References: <1372403857.35.0.242184511597.issue518@psf.upfronthosting.co.za>
 <1372445002.61.0.716152136804.issue518@psf.upfronthosting.co.za>
Message-ID:

https does help those with security knowledge to login safely.

From metatracker at psf.upfronthosting.co.za Sun Jul 14 22:08:58 2013
From: metatracker at psf.upfronthosting.co.za (Thibault Fevry)
Date: Sun, 14 Jul 2013 20:08:58 +0000
Subject: [Tracker-discuss] [issue519] XSS issues
Message-ID: <1373832538.8.0.202892203202.issue519@psf.upfronthosting.co.za>

New submission from Thibault Fevry:

Last issue about an XSS was a lot of months ago. It seems there are still XSS issues. Click attached link.

http://bugs.python.org/user?@startwith=50&@pagesize=50&@sort=%3C/p%3E%3Cscript%20type=%22text/javascript%22%3Ealert%28%22XSS%22%29%3C/script%3E

For reference : https://en.wikipedia.org/wiki/Cross-site_scripting

----------
messages: 2740
nosy: iwontbecreative
priority: urgent
status: unread
title: XSS issues

From metatracker at psf.upfronthosting.co.za Sun Jul 14 22:34:59 2013
From: metatracker at psf.upfronthosting.co.za (Thibault Fevry)
Date: Sun, 14 Jul 2013 20:34:59 +0000
Subject: [Tracker-discuss] [issue519] XSS issues
In-Reply-To: <1373832538.8.0.202892203202.issue519@psf.upfronthosting.co.za>
Message-ID: <1373834099.06.0.288105504845.issue519@psf.upfronthosting.co.za>

Thibault Fevry added the comment:

Things like this also display no error, which is scary :
http://bugs.python.org/user?@sort=password

If we can sort by password name, we might be able to recover a password by creating multiple accounts with different passwords until we 'circle' another user's password.

----------
status: unread -> chatting

From metatracker at psf.upfronthosting.co.za Sun Jul 14 23:23:23 2013
From: metatracker at psf.upfronthosting.co.za (Thibault Fevry)
Date: Sun, 14 Jul 2013 21:23:23 +0000
Subject: [Tracker-discuss] [issue519] XSS issues
In-Reply-To: <1373832538.8.0.202892203202.issue519@psf.upfronthosting.co.za>
Message-ID: <1373837003.65.0.644924431639.issue519@psf.upfronthosting.co.za>

Thibault Fevry added the comment:

Further inspection from last message shows that it might be harmful. Sorting by password we get

login = nobody
password = (empty)

Which works and allows to change things, like that user's password.
From metatracker at psf.upfronthosting.co.za Sun Jul 14 23:38:12 2013
From: metatracker at psf.upfronthosting.co.za (Thibault Fevry)
Date: Sun, 14 Jul 2013 21:38:12 +0000
Subject: [Tracker-discuss] [issue519] XSS issues
In-Reply-To: <1373832538.8.0.202892203202.issue519@psf.upfronthosting.co.za>
Message-ID: <1373837892.94.0.318676764682.issue519@psf.upfronthosting.co.za>

Thibault Fevry added the comment:

Last issue allows to add or remove keywords for the whole bug tracker. See http://bugs.python.org/keyword for the issue.

----------
status: chatting -> unread

From metatracker at psf.upfronthosting.co.za Mon Jul 15 00:06:21 2013
From: metatracker at psf.upfronthosting.co.za (Thibault Fevry)
Date: Sun, 14 Jul 2013 22:06:21 +0000
Subject: [Tracker-discuss] [issue519] XSS issues
In-Reply-To: <1373832538.8.0.202892203202.issue519@psf.upfronthosting.co.za>
Message-ID: <1373839581.31.0.687383209409.issue519@psf.upfronthosting.co.za>

Thibault Fevry added the comment:

XSS issues with other parameters exist :
- http://bugs.python.org/issue?@sort=-activity&@search_text=&@columns=id,activity,title,status&@dispname=Created%20by%20you&@startwith=0&@group=%3Cscript%3Ealert('XSS')%3C/script%3E&creator=18132&@filter=creator&@pagesize=50&status=1,3

----------
status: unread -> chatting

From metatracker at psf.upfronthosting.co.za Mon Jul 15 00:58:17 2013
From: metatracker at psf.upfronthosting.co.za (R David Murray)
Date: Sun, 14 Jul 2013 22:58:17 +0000
Subject: [Tracker-discuss] [issue519] XSS issues
In-Reply-To: <1373832538.8.0.202892203202.issue519@psf.upfronthosting.co.za>
Message-ID: <1373842697.01.0.501990216923.issue519@psf.upfronthosting.co.za>

R David Murray added the comment:

If I understand you correctly, the only issue here is the XSS. The other things are simply things a logged in user with appropriate privileges can normally access? I believe this issue should be reported upstream in the roundup tracker.

----------
nosy: +r.david.murray

From metatracker at psf.upfronthosting.co.za Mon Jul 15 01:12:03 2013
From: metatracker at psf.upfronthosting.co.za (Thibault Fevry)
Date: Sun, 14 Jul 2013 23:12:03 +0000
Subject: [Tracker-discuss] [issue519] XSS issues
In-Reply-To: <1373832538.8.0.202892203202.issue519@psf.upfronthosting.co.za>
Message-ID: <1373843523.51.0.933703532259.issue519@psf.upfronthosting.co.za>

Thibault Fevry added the comment:

@David The XSS is the main, most visible issue.

The other issue is that http://bugs.python.org/user?@sort=password sorts users by their password (as can be seen by nobody having an empty password). This means I know that viznut's password < moshez's password. This means that if you create a user with password 'ai' and it is after viznut you know that his password is 'a[a-h]'. This looks very tiring, but I don't see any reason why given enough time (this can probably be automated) and enough accounts created, you shouldn't get his password [*].

It is bad policy to have a false account (I guess 'nobody' is a generic account for developers) with no password and more privileges than any normal users, including things that could go bad (Such as a user removing all the tags).

[*] Except if passwords are properly hashed and salted, then it would be near impossible.
From metatracker at psf.upfronthosting.co.za Mon Jul 15 01:19:37 2013
From: metatracker at psf.upfronthosting.co.za (Thibault Fevry)
Date: Sun, 14 Jul 2013 23:19:37 +0000
Subject: [Tracker-discuss] [issue519] XSS issues
In-Reply-To: <1373832538.8.0.202892203202.issue519@psf.upfronthosting.co.za>
Message-ID: <1373843977.75.0.517219967467.issue519@psf.upfronthosting.co.za>

Thibault Fevry added the comment:

Actually, the script to find a password wouldn't be too hard to do since you can just change your password instead of creating new accounts.

From metatracker at psf.upfronthosting.co.za Mon Jul 15 10:02:53 2013
From: metatracker at psf.upfronthosting.co.za (Marc-Andre Lemburg)
Date: Mon, 15 Jul 2013 08:02:53 +0000
Subject: [Tracker-discuss] [issue519] XSS issues
In-Reply-To: <1373832538.8.0.202892203202.issue519@psf.upfronthosting.co.za>
Message-ID: <1373875373.3.0.00987847870232.issue519@psf.upfronthosting.co.za>

Marc-Andre Lemburg added the comment:

Could you open a second ticket for the password sorting issue ?

----------
nosy: +lemburg
priority: urgent -> critical

From metatracker at psf.upfronthosting.co.za Mon Jul 15 10:11:19 2013
From: metatracker at psf.upfronthosting.co.za (Thibault Fevry)
Date: Mon, 15 Jul 2013 08:11:19 +0000
Subject: [Tracker-discuss] [issue520] Security : password sorting issue that might allow to recover passwords.
Message-ID: <1373875879.39.0.927817496038.issue520@psf.upfronthosting.co.za>

New submission from Thibault Fevry:

As explained in issue 519, one can sort usernames using the password key :
http://bugs.python.org/user?@sort=password

This allows for a user to modify his password and see where he stands until he guesses another password. This being easy to script seeing how easy it is to change a password, the issue must be fixed.

----------
messages: 2749
nosy: iwontbecreative, lemburg
priority: critical
status: unread
title: Security : password sorting issue that might allow to recover passwords.

From metatracker at psf.upfronthosting.co.za Mon Jul 15 10:12:21 2013
From: metatracker at psf.upfronthosting.co.za (Thibault Fevry)
Date: Mon, 15 Jul 2013 08:12:21 +0000
Subject: [Tracker-discuss] [issue519] XSS issues
In-Reply-To: <1373832538.8.0.202892203202.issue519@psf.upfronthosting.co.za>
Message-ID: <1373875941.92.0.407528529703.issue519@psf.upfronthosting.co.za>

Thibault Fevry added the comment:

Done, see issue 520 http://psf.upfronthosting.co.za/roundup/meta/issue520 . (I took the liberty to add you to the nosy list, hope that is ok).

From metatracker at psf.upfronthosting.co.za Fri Jul 19 14:32:56 2013
From: metatracker at psf.upfronthosting.co.za (Martin v. Löwis)
Date: Fri, 19 Jul 2013 12:32:56 +0000
Subject: [Tracker-discuss] [issue519] XSS issues
In-Reply-To: <1373832538.8.0.202892203202.issue519@psf.upfronthosting.co.za>
Message-ID: <1374237176.16.0.728113277073.issue519@psf.upfronthosting.co.za>

Martin v. Löwis added the comment:

iwontbecreative: your conclusion is incorrect. The database doesn't store plain text passwords, but hashes, so it sorts on hash. With that, it is not possible to recover a user's password.

----------
nosy: +loewis

From metatracker at psf.upfronthosting.co.za Fri Jul 19 14:33:47 2013
From: metatracker at psf.upfronthosting.co.za (Martin v. Löwis)
Date: Fri, 19 Jul 2013 12:33:47 +0000
Subject: [Tracker-discuss] [issue520] Security : password sorting issue that might allow to recover passwords.
In-Reply-To: <1373875879.39.0.927817496038.issue520@psf.upfronthosting.co.za>
Message-ID: <1374237227.76.0.0343701274613.issue520@psf.upfronthosting.co.za>

Martin v. Löwis added the comment:

iwontbecreative: your conclusion is incorrect. The database doesn't store plain text passwords, but hashes, so it sorts on hash. With that, it is not possible to recover a user's password.

----------
nosy: +loewis
status: unread -> resolved

From metatracker at psf.upfronthosting.co.za Fri Jul 19 16:32:44 2013
From: metatracker at psf.upfronthosting.co.za (Marc-Andre Lemburg)
Date: Fri, 19 Jul 2013 14:32:44 +0000
Subject: [Tracker-discuss] [issue520] Security : password sorting issue that might allow to recover passwords.
In-Reply-To: <1373875879.39.0.927817496038.issue520@psf.upfronthosting.co.za>
Message-ID: <1374244364.68.0.0697178179359.issue520@psf.upfronthosting.co.za>

Marc-Andre Lemburg added the comment:

Why does the Roundup interface allow sorting on passwords (or password hashes) ?
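Both tickets in this thread turn on the same user-supplied @sort value: issue 519 reflects it into the page unescaped, and issue 520 lets it name the password column because the sort interface accepts any column. The following is an added illustration, not Roundup's or the tracker's own code, of the two checks a defender would want there: an explicit allow-list of sortable columns that omits the password field, and HTML escaping of whatever is reflected back; the column names, function names and the allow-list itself are assumptions.

```python
"""Added example, not Roundup's or the tracker's code: validating and
escaping a user-supplied sort key such as Roundup's ``@sort``.  Column
names and the ``-`` prefix for descending order follow the URLs quoted in
this thread; the function names and the allow-list itself are assumptions."""
import html
from urllib.parse import parse_qs, urlsplit

# Columns a visitor may sort the user list by.  The password (hash) column
# is deliberately absent: a generic sort interface needs an explicit
# allow-list, otherwise every stored column, password included, is sortable.
SORTABLE_USER_COLUMNS = frozenset({"id", "username", "realname",
                                   "creation", "activity"})


def parse_sort(query, sortable=SORTABLE_USER_COLUMNS):
    """Return (column, descending) for the ``@sort`` query parameter.

    Raises ValueError for a key not on the allow-list, so an unknown
    column name never reaches the database layer and never silently
    produces an unsorted page.
    """
    params = parse_qs(query, keep_blank_values=True)
    raw = params.get("@sort", ["id"])[0]
    descending = raw.startswith("-")
    column = raw[1:] if descending else raw
    if column not in sortable:
        raise ValueError("unsupported sort column: %r" % column)
    return column, descending


def render_sort_header_unsafe(raw_sort):
    """The pattern behind issue 519: the raw parameter is pasted into HTML."""
    return "<p>Sorted by " + raw_sort + "</p>"


def render_sort_header(raw_sort):
    """Hardened form: escape before reflecting, whatever validation did."""
    return "<p>Sorted by " + html.escape(raw_sort, quote=True) + "</p>"


def handle_user_list(url, sortable=SORTABLE_USER_COLUMNS):
    """Validate the sort key from ``url``, then render the escaped header.

    A rejected key yields an explicit (escaped) error message instead of
    the silent behaviour the report describes.
    """
    try:
        column, descending = parse_sort(urlsplit(url).query, sortable)
    except ValueError as exc:
        return "<p>" + html.escape(str(exc), quote=True) + "</p>"
    return render_sort_header(("-" if descending else "") + column)
```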
From metatracker at psf.upfronthosting.co.za Fri Jul 19 17:25:25 2013
From: metatracker at psf.upfronthosting.co.za (R David Murray)
Date: Fri, 19 Jul 2013 15:25:25 +0000
Subject: [Tracker-discuss] [issue520] Security : password sorting issue that might allow to recover passwords.
In-Reply-To: <1373875879.39.0.927817496038.issue520@psf.upfronthosting.co.za>
Message-ID: <1374247525.25.0.232749584015.issue520@psf.upfronthosting.co.za>

R David Murray added the comment:

Because sorting is a generic interface. You'd have to add special code to deny sorting by password. But as Martin says, it's not a security issue.

----------
nosy: +r.david.murray

From metatracker at psf.upfronthosting.co.za Sat Jul 20 01:44:20 2013
From: metatracker at psf.upfronthosting.co.za (Thibault Fevry)
Date: Fri, 19 Jul 2013 23:44:20 +0000
Subject: [Tracker-discuss] [issue519] XSS issues
In-Reply-To: <1373832538.8.0.202892203202.issue519@psf.upfronthosting.co.za>
Message-ID: <1374277460.66.0.364025764574.issue519@psf.upfronthosting.co.za>

Thibault Fevry added the comment:

I discuss that in the other bug report, since it is related to the other issue.

From metatracker at psf.upfronthosting.co.za Sat Jul 20 01:48:44 2013
From: metatracker at psf.upfronthosting.co.za (Thibault Fevry)
Date: Fri, 19 Jul 2013 23:48:44 +0000
Subject: [Tracker-discuss] [issue520] Security : password sorting issue that might allow to recover passwords.
In-Reply-To: <1373875879.39.0.927817496038.issue520@psf.upfronthosting.co.za>
Message-ID: <1374277724.63.0.0175018657876.issue520@psf.upfronthosting.co.za>

Thibault Fevry added the comment:

Still, I believe letting people know password hashes is not very good practice, since every known website, when they have a security issue and a risk that their database password hashes were stolen, asks their users to reset them. Sure it makes it *hard* and perhaps impossible given your hash/salt combination but it could not remain like that forever (md5 was once considered quite secure).

From metatracker at psf.upfronthosting.co.za Mon Jul 22 16:09:34 2013
From: metatracker at psf.upfronthosting.co.za (Sam Denton)
Date: Mon, 22 Jul 2013 14:09:34 +0000
Subject: [Tracker-discuss] [issue521] Unable to reset password, not receiving the reset email
Message-ID: <1374502174.74.0.792358308033.issue521@psf.upfronthosting.co.za>

New submission from Sam Denton:

Three days ago, after a few months hiatus, I tried to log into bugs.python.org, and was told that my password was invalid. I went to the password reset request page and entered my email address; I got back the message "Email sent to samwyse at gmail.com". Nothing has yet appeared in my inbox. This morning, I again went to the password reset request page and entered my userid; I got the same message. After an hour, I still haven't seen a response. I've double checked all my spam filters and such, without success. Is there some problem?

----------
messages: 2757
nosy: samwyse
priority: urgent
status: unread
title: Unable to reset password, not receiving the reset email

From metatracker at psf.upfronthosting.co.za Tue Jul 23 04:44:49 2013
From: metatracker at psf.upfronthosting.co.za (R David Murray)
Date: Tue, 23 Jul 2013 02:44:49 +0000
Subject: [Tracker-discuss] [issue521] Unable to reset password, not receiving the reset email
In-Reply-To: <1374502174.74.0.792358308033.issue521@psf.upfronthosting.co.za>
Message-ID: <1374547489.53.0.138390454653.issue521@psf.upfronthosting.co.za>

R David Murray added the comment:

Here are the log records for emails sent to your address since July 21st at 06:25 CEST:

Jul 22 13:57:02 psf postfix/smtp[29578]: 8ED9A56A35: to=, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1a]:25, delay=0.67, delays=0.01/0/0.06/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK 1374494222 s4si17141009wif.29 - gsmtp)
Jul 22 15:23:55 psf postfix/smtp[3852]: 9413D56A78: to=, relay=gmail-smtp-in.l.google.com[173.194.66.26]:25, delay=1.2, delays=0.3/0.01/0.54/0.38, dsn=2.0.0, status=sent (250 2.0.0 OK 1374499435 i3si17291648wix.25 - gsmtp)
Jul 22 16:04:58 psf postfix/smtp[16106]: 54EC656A24: to=, relay=gmail-smtp-in.l.google.com[173.194.66.26]:25, delay=0.92, delays=0.01/0/0.71/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK 1374501898 x20si11016301wie.25 - gsmtp)
Jul 22 16:09:35 psf postfix/smtp[17472]: BFB5656A5C: to=, relay=gmail-smtp-in.l.google.com[173.194.66.27]:25, delay=0.5, delays=0/0/0.3/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK 1374502175 u7si11011845wiv.73 - gsmtp)
Jul 22 18:54:45 psf postfix/smtp[416]: 29E8F56A7B: to=, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25, delay=0.27, delays=0/0/0.06/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK 1374512085 g10si11333453wjb.97 - gsmtp)
Jul 22 18:56:05 psf postfix/smtp[414]: BA96556A7B: to=, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1b]:25, delay=0.29, delays=0/0/0.06/0.22, dsn=2.0.0, status=sent (250 2.0.0 OK 1374512165 t5si80573wia.3 - gsmtp)

There is no way for me to tell if these are messages sent as a result of tracker entries on which you are nosy, or the password reset emails. Perhaps you can correlate the times and figure that out. As far as I know everything is working.

----------
nosy: +r.david.murray
status: unread -> chatting

From metatracker at psf.upfronthosting.co.za Tue Jul 23 20:07:44 2013
From: metatracker at psf.upfronthosting.co.za (Ezio Melotti)
Date: Tue, 23 Jul 2013 18:07:44 +0000
Subject: [Tracker-discuss] [issue521] Unable to reset password, not receiving the reset email
In-Reply-To: <1374502174.74.0.792358308033.issue521@psf.upfronthosting.co.za>
Message-ID: <1374602864.03.0.883909350083.issue521@psf.upfronthosting.co.za>

Ezio Melotti added the comment:

Have you checked the spam folder? Sometimes mails from the tracker end up there.

----------
nosy: +ezio.melotti