[python-committers] [Infrastructure] [Pydotorg] XSS security issue

Brett Cannon brett at python.org
Mon Jul 15 15:40:45 CEST 2013


On Mon, Jul 15, 2013 at 9:33 AM, Brett Cannon <brett at python.org> wrote:

>
>
>
> On Mon, Jul 15, 2013 at 8:08 AM, R. David Murray <rdmurray at bitdance.com> wrote:
>
>> On Mon, 15 Jul 2013 11:09:08 +0300, Michael Foord <
>> michael at voidspace.org.uk> wrote:
>> >
>> > On 15 Jul 2013, at 11:05, "M.-A. Lemburg" <mal at python.org> wrote:
>> >
>> > > Who would be the one to contact for issues like these ?
>> > >
>> > > The case is rather urgent, since the XSS can be used for stealing
>> > > session cookies on *.python.org.
>> > >
>> > > The sorting by password issue is a more obscure one. Just removing
>> > > the "feature" to sort by password should be enough to solve it.
>> >
>> > Technically it's an infrastructure issue (cc'd), but fixing the code of
>> roundup is hardly their domain.
>> >
>> > Ezio Melotti (cc'd) did a lot of work on the Python installation of
>> roundup, so he may have a better idea.
>> >
>> > We have a security mailing list but that is mainly intended for
>> security issues in the language:
>> >
>> >       security at python.org <security at python.org>
>>
>> The OP also emailed security (which I heard about via IRC, I'm not
>> on that list).
>>
>> Ezio is a Roundup developer, so he is indeed the best person to look
>> at the XSS issue, since it is a Roundup problem and not specific to
>> the Tracker.  I can take a look too but he is more knowledgeable
>> than I about roundup itself.
>>
>> There is another problem which is specific to our tracker and which is the
>> bigger issue right at the moment.  We have a 'nobody' user with a blank
>> password and Developer privileges.
>>
>> I'm about to go out, so I don't want to make a change that might break
>> something right this moment, but anyone with the Coordinator role
>> could take this on if they want to do it right now:  remove either the
>> Developer role, or both roles, from that user and see what happens.
>> I suspect that user should not exist at all, but I don't know for sure.
>>
>
> That user is owned by Donald Stufft (cc'ed). I actually can't log in as
> that user, though, so I think it might be a special user that you can't
> gain access to.
>


Donald's reply (since his email is in the committers review queue):
----------------------------------------

I can't comment on python-committers so my message didn't get through there
(But did on Infrastructure).

My Message:

So I was able to log in to the "nobody" account without a password (Why is
this even possible?). It gave me powers to edit users and some other shit.
I added a password to the nobody account since these lists are publicly
available and if I can get into that user so can others.

I will make the password available to whoever is in charge, (Or they can
just change the password themselves I don't care).

--------

If you want to pass this through to python-committers or something that's ok
with me.
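The "nobody" problem described above (an account with no password that still holds the Developer role) is the kind of thing an audit can catch before someone finds it by hand. Below is an added example, not code from this thread or from Roundup, that flags passwordless accounts holding privileged roles and applies the remediation David suggested (dropping the privileged roles); the record layout and the sample rows are assumptions constructed for the demonstration.

```python
# Added example: audit tracker user records for accounts with no password
# that still hold privileged roles, and show the remediation (stripping
# those roles). The TrackerUser layout is an assumption, not Roundup's real
# schema; SAMPLE_USERS are constructed rows, not data from the tracker.
from dataclasses import dataclass
from typing import List, Set, Tuple

# Roles the thread treats as privileged (Developer, Coordinator) plus Admin.
PRIVILEGED_ROLES: Set[str] = {"Developer", "Coordinator", "Admin"}


@dataclass
class TrackerUser:
    username: str
    password: str  # empty string means no password set (assumed encoding)
    roles: str     # comma-separated role list (assumed encoding)


def parse_roles(roles: str) -> Set[str]:
    """Split a comma-separated role string into a set, ignoring blanks."""
    return {r.strip() for r in roles.split(",") if r.strip()}


def find_passwordless_privileged(users: List[TrackerUser]) -> List[Tuple[str, List[str]]]:
    """Return (username, privileged roles) for every account that has no
    password but holds at least one privileged role."""
    findings = []
    for u in users:
        held = parse_roles(u.roles) & PRIVILEGED_ROLES
        if not u.password.strip() and held:
            findings.append((u.username, sorted(held)))
    return findings


def strip_privileged_roles(user: TrackerUser) -> TrackerUser:
    """Remediation: return a copy of the user with privileged roles removed."""
    kept = parse_roles(user.roles) - PRIVILEGED_ROLES
    return TrackerUser(user.username, user.password, ",".join(sorted(kept)))


# Constructed sample data; "{SHA}constructed" stands in for a real hash.
SAMPLE_USERS: List[TrackerUser] = [
    TrackerUser("admin", "{SHA}constructed", "Admin"),
    TrackerUser("nobody", "", "User,Developer"),
    TrackerUser("anonymous", "", "Anonymous"),
    TrackerUser("alice", "{SHA}constructed", "User,Coordinator"),
]

if __name__ == "__main__":
    for name, roles in find_passwordless_privileged(SAMPLE_USERS):
        print(f"{name}: no password but holds {roles}")
        print(f"  after remediation: roles={strip_privileged_roles(SAMPLE_USERS[1]).roles!r}")
```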