Bug 238616 (CVE-2007-2381)

Summary: CVE-2007-2381: MochiKit javascript hijacking vulnerability
Product: [Fedora] Fedora Reporter: Ville Skyttä <ville.skytta>
Component: MochiKitAssignee: Konstantin Ryabitsev <icon>
Status: CLOSED CANTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 6CC: fedora-security-list
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2381
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-05-01 21:04:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ville Skyttä 2007-05-01 20:19:07 UTC 
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2381

"The MochiKit framework exchanges data using JavaScript Object Notation (JSON)
without an associated protection scheme, which allows remote attackers to obtain
the data via a web page that retrieves the data through a URL in the SRC
attribute of a SCRIPT element and captures the data using other JavaScript code,
aka "JavaScript Hijacking.""
Comment 1 Konstantin Ryabitsev 2007-05-01 20:39:15 UTC 
Contacted upstream.
Comment 2 Konstantin Ryabitsev 2007-05-01 21:04:16 UTC 
Upstream sez (http://groups.google.com/group/mochikit/t/e473d15b0e689054):

> Will there be a fix for http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2381
> in the 1.3.1 branch?

Nope. It's not a real security issue, not with MochiKit anyway. The
recommended "fix" would mean supporting some junk that's not JSON
anymore. I've already caved and put said support on the trunk just so
people would shut up about the issue, but I'm certainly not going to
make a maintenance release to "fix" this non-issue.

Ensuring that your server only sends JSON when properly authenticated,
or otherwise sending only non-exploitable JSON (e.g. JSON with an
object envelope) is the only solution to this problem.

Only a very small subset of JSON, specifically [array, envelope, json]
is susceptible to this data leakage attack. Don't send that stuff on
the server-side, and there is no problem. Most people don't send array
envelope JSON anyhow. Either way, totally irrelevant to the
client-side. It's like saying that we should fix browsers so that they
can't be used to mount a SQL injection attack on a poorly written
service.

-bob