Bug 523277 - (CVE-2008-7220) CVE-2008-7220 WordPress, MediaTomb, python-webhelpers, Asterisk, Plone -- embedded Prototype JavaScript FrameWork: XSS Ajax requests (AST-2009-009)
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
URL: http://github.com/sstephenson/prototy...
Whiteboard: impact=moderate,reported=20090913,pub...
Keywords: Security
Blocks: 712427
Reported: 2009-09-14 13:37 EDT by Jan Lieskovsky
Modified: 2016-03-04 06:40 EST
Doc Type: Bug Fix

Attachments:
Upstream patch from git (4.00 KB, patch), 2010-09-29 10:19 EDT, Josh Bressers

Description Jan Lieskovsky 2009-09-14 13:37:07 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-7220 to
the following vulnerability:

Unspecified vulnerability in Prototype JavaScript framework
(prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax
requests" via unknown vectors.

References:
------------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
http://github.com/sstephenson/prototype/blob/master/CHANGELOG
http://osvdb.org/46312

Upstream patch:
---------------
git clone git://github.com/sstephenson/prototype.git
git show 02cc9992e915c024650ddc77a91064f7a4252914

The relevant file in WordPress source rpm package (F10) is:
------------------------------------------------------------
BUILD/wordpress/wp-includes/js/prototype.js
Comment 1 Jan Lieskovsky 2009-09-14 13:38:31 EDT
This issue affects the versions of the WordPress package, as shipped
with Fedora 10 and 11 (wordpress-2.8.4-1.fc10 and wordpress-2.8.4-1.fc11).

Please fix.
Comment 2 Jan Lieskovsky 2009-09-14 14:09:21 EDT
Prototype.js location in F10 MediaTomb (mediatomb-0.11.0-9.fc10) is in:

BUILD/mediatomb-0.11.0/web/js/prototype.js. Relevant rows:

   1120       var contentType = this.getHeader('Content-type');
   1121       if (contentType && contentType.strip().
   1122         match(/^(text|application)\/(x-)?(java|ecma)script(;.*)?$/i))
   1123           this.evalResponse();

See test/unit/ajax.html from above upstream commit for testcases.

This issue affects the versions of MediaTomb package, as shipped with
Fedora release of 10 and 11 (mediatomb-0.11.0-9.fc10 and mediatomb-0.11.0-9.fc11).

Please fix.
Comment 3 Jan Lieskovsky 2009-09-14 14:20:36 EDT
Prototype.js can be found in F10 python-webhelpers (python-webhelpers-0.3.4-2.fc10) under:

BUILD/WebHelpers-0.3.4/webhelpers/rails/javascripts/prototype.js 

Relevant lines:

   1120       var contentType = this.getHeader('Content-type');
   1121       if (contentType && contentType.strip().
   1122         match(/^(text|application)\/(x-)?(java|ecma)script(;.*)?$/i))
   1123           this.evalResponse();

See test/unit/ajax.html from above upstream commit for testcases.

This issue affects the version of python-webhelpers package, as shipped
with Fedora 10 and 11 (python-webhelpers-0.3.4-2.fc10 and python-webhelpers-0.6.4-3.fc11). 

Please fix.
Comment 4 Jan Lieskovsky 2009-09-14 14:39:30 EDT
This issue does NOT affect the python-Scriptaculous package, as shipped
with Fedora release of 10 and 11.

Latest Fedora 10 and Fedora 11 packages (python-Scriptaculous-1.8.2-2.fc10 and python-Scriptaculous-1.8.2-2.fc11) already contain the updated 1.6.0.3 version
of the Prototype JavaScript framework.
Comment 6 Jan Lieskovsky 2009-09-14 14:52:19 EDT
prototype.js location in F10 Asterisk (asterisk-1.6.0.15-2.fc10) is in:

BUILD/asterisk-1.6.0.15/static-http/prototype.js. Relevant lines:

 721       if ((this.header('Content-type') || '').match(/^text\/javascript/i))
 722         this.evalResponse();
 723     }

See test/unit/ajax.html from above upstream commit for testcases.

This issue affects the versions of Asterisk package, as shipped
with Fedora 10 and 11 (asterisk-1.6.0.15-2.fc10 and asterisk-1.6.1.6-1.fc11).

Please fix.
Comment 7 Jan Lieskovsky 2009-09-14 15:05:53 EDT
Location of prototype.js in EPEL-5 Plone (plone-3.1.6-1.el5) is in:

BUILD/Plone-3.1.6/lib/python/kss/core/plugins/effects/3rd_party/prototype.js.

Relevant lines:

  844     if (state == 'Complete') {
  845       if ((this.getHeader('Content-type') || '').strip().
  846         match(/^(text|application)\/(x-)?(java|ecma)script(;.*)?$/i))
  847           this.evalResponse();

See test/unit/ajax.html from above upstream commit for testcases.

Please fix.
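The excerpts quoted in comments 2, 3, 6 and 7 all gate evalResponse() on the response Content-type alone: any script-typed response to an Ajax.Request is evaluated in the page's context, wherever the request went. As an added illustration (not code from this bug, from the affected packages or from the Prototype project), the block below models that decision beside a hardened version that additionally requires the request URL to be same-origin with the page, which is my understanding of what the linked upstream commit adds; the function names, the `pageOrigin` object, the `evalJS` option and the sample URLs are constructed for this example.

```javascript
// Added illustration, not Prototype's code. Models the "should this Ajax
// response body be evaluated as script?" decision. Names and sample values
// are constructed.

// Same media-type test as the quoted excerpts (the \s* stands in for strip()).
const SCRIPT_TYPE = /^\s*(text|application)\/(x-)?(java|ecma)script(;.*)?\s*$/i;

// Vulnerable pattern: the only gate is the response Content-type header.
function shouldEvalVulnerable(contentType) {
  return !!(contentType && SCRIPT_TYPE.test(contentType));
}

// Same-origin test. `pageOrigin` is an object shaped like window.location:
// {protocol: 'https:', hostname: 'app.example', port: ''} (constructed).
// A relative URL is same-origin by definition; an absolute or
// protocol-relative URL must match the page's scheme, host and port.
function isSameOrigin(url, pageOrigin) {
  const m = url.match(/^\s*(?:(https?:))?\/\/([^\/:?#]+)(?::(\d+))?/i);
  if (!m) return true;                                   // relative path
  const scheme = (m[1] || pageOrigin.protocol).toLowerCase();
  const port = m[3] || (scheme === 'https:' ? '443' : '80');
  const pageScheme = pageOrigin.protocol.toLowerCase();
  const pagePort = pageOrigin.port || (pageScheme === 'https:' ? '443' : '80');
  return scheme === pageScheme
      && m[2].toLowerCase() === pageOrigin.hostname.toLowerCase()
      && port === pagePort;
}

// Hardened pattern: evaluation needs a script Content-type AND a same-origin
// request URL, unless the caller explicitly forced it (evalJS === 'force').
function shouldEvalHardened(contentType, url, pageOrigin, evalJS = true) {
  if (evalJS === 'force') return true;
  return !!(evalJS && isSameOrigin(url, pageOrigin)
            && contentType && SCRIPT_TYPE.test(contentType));
}

// Constructed page origin and request/response pairs for comparison.
const PAGE = { protocol: 'https:', hostname: 'app.example', port: '' };

function demo() {
  const cases = [
    { url: '/api/items', contentType: 'text/javascript' },
    { url: 'https://app.example/api/items', contentType: 'application/x-javascript; charset=utf-8' },
    { url: 'https://third-party.example/feed', contentType: 'text/javascript' },
    { url: '//third-party.example/feed', contentType: 'text/javascript' },
    { url: 'https://app.example/api/items', contentType: 'application/json' },
  ];
  return cases.map(c => ({
    url: c.url,
    vulnerable: shouldEvalVulnerable(c.contentType),
    hardened: shouldEvalHardened(c.contentType, c.url, PAGE),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

Running demo() shows the two cross-origin script responses (absolute and protocol-relative URL) being evaluated under the vulnerable rule and refused under the hardened one, while same-origin script responses and non-script responses are treated identically by both. The practical lesson for reviewing other bundled Ajax helpers is the same: a response header is attacker-controlled for any host the request reaches, so it cannot by itself authorise executing the body.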
Comment 8 Jeffrey C. Ollie 2009-09-14 15:20:11 EDT
Has this issue been reported upstream to any of these projects?
Comment 9 Jeffrey C. Ollie 2009-10-27 14:21:09 EDT
I have reported the vulnerability in Asterisk upstream:

https://issues.asterisk.org/view.php?id=16139
Comment 10 Jan Lieskovsky 2009-11-05 05:40:20 EST
Hi Jeffrey,

  sorry, missed your question. Asterisk upstream has now addressed
the issue in AST-2009-009:

http://downloads.asterisk.org/pub/security/AST-2009-009.html

Could you schedule F* Asterisk updates (together with AST-2009-008
-- BZ #533137)?

Thanks, Jan.
Comment 11 Fedora Update System 2009-11-05 10:11:41 EST
asterisk-1.6.0.17-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/asterisk-1.6.0.17-2.fc10
Comment 12 Fedora Update System 2009-11-05 10:13:15 EST
asterisk-1.6.1.9-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/asterisk-1.6.1.9-1.fc11
Comment 13 Jeffrey C. Ollie 2009-11-05 10:30:51 EST
F-12

https://fedorahosted.org/rel-eng/ticket/3116
Comment 14 Fedora Update System 2009-11-24 02:31:09 EST
asterisk-1.6.1.9-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2009-11-24 02:43:37 EST
asterisk-1.6.0.17-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Josh Bressers 2010-09-29 10:19:37 EDT
Created attachment 450485 [details]
Upstream patch from git
Comment 17 Tomas Hoger 2013-01-24 14:20:40 EST
(In reply to comment #16)
> Upstream patch from git

https://github.com/sstephenson/prototype/commit/02cc9992e915c024650ddc77a91064f7a4252914
