Hi all,

I've just pushed out Mezzanine 4.2.1 which resolves the XSS issues
mentioned previously. Note that a filebrowser_safe upgrade is also required
for the latter of the two issues described below - that should occur
automatically though as the latest Mezzanine version specifies the new
version as a requirement in its setup.py script.

The release also contains a good handful of minor bugfixes as noted in the
changelog:
http://mezzanine.jupo.org/docs/colophon.html#version-4-2-1-sep-19-2016

Thanks to Tim Coen of curesec.com for privately reporting the issues, and
giving us time to communicate and mitigate them. If you have a production
Mezzanine site, once again I'd like to remind you to subscribe to the
private security mailing list
(https://groups.google.com/forum/#!forum/mezzanine-security) where you can
be notified of issues like these and how to mitigate them, ahead of them
being publicly disclosed.

Here are the issues described in detail, as well as instructions for
patching if you're unable to upgrade:

The first issue is related to Mezzanine's threaded commenting - if you
don't use it, you're not affected, otherwise it should be treated as
critical, since it can be publicly exploited. For this to occur, an
administrator would need to access the list of comments inside the admin
interface, where XSS could be triggered. The problem is with this method of
the comment model solely for use in the admin, which is used to show a nice
avatar next to the commenter's username in the comment list view:
https://github.com/stephenmcd/mezzanine/blob/bede76b6f96227350cb0bf0058f555daeb4cc2ad/mezzanine/generic/models.py#L67-L73
- unfortunately the username isn't escaped, and the method's value is
marked as safe for no template escaping, since we use HTML tags in it. A
malicious commenter could therefore include HTML/JavaScript code inside
their username, and have it execute when viewing the list of comments in
the admin interface. The fix for this will be to simply escape the vars in
that method:
https://github.com/stephenmcd/mezzanine/commit/349edff5a22089bfed0baff0f7060d784b1046d2

To patch without upgrading, just remove the list field, using these lines
of code in your project's urls.py module:

# Drop the first column of the admin comment list (the avatar link that
# renders the unescaped username), so it is no longer displayed at all.
from mezzanine.generic.admin import ThreadedCommentAdmin
ThreadedCommentAdmin.list_display = ThreadedCommentAdmin.list_display[1:]

The second issue can only be exploited by a malicious admin user, so it's
of much lower concern. The media library (filebrowser) in Mezzanine allows
for arbitrary file uploads of HTML or SVG files, which can both contain
JavaScript when accessed via a web browser. These are not subject to the
same "richtext" filtering that's applied to the WYSIWYG editor. To fix
this, we now apply the same filtering that's applied to the WYSIWYG editor,
to uploaded HTML or SVG files in the media library - that way if you have
trusted technical admin users, you can disable richtext filtering, and keep
the current behaviour:
https://github.com/stephenmcd/filebrowser-safe/commit/c3bb7ea8d7af67e4fd1279b3cf486f6148a29cb0

To patch without upgrading, simply define the setting in your project's
settings.py module that controls which file extensions can be uploaded:

# Default extension lists for the Image and Code groups, with the HTML and
# SVG entries removed so those file types can no longer be uploaded.
FILEBROWSER_EXTENSIONS = {
    'Image': ['.jpg', '.jpeg', '.gif', '.png', '.tif', '.tiff'],
    'Code': ['.py', '.js', '.css']
}

We only need to define the "groups" we want to modify, namely Image/Code -
the values above are the defaults with HTML and SVG removed.

On Wed, Sep 7, 2016 at 10:01 AM, Stephen McDonald <st...@jupo.org> wrote:

> Hi all,
>
> We've had a couple of XSS issues privately reported. They've been
> verified, with fixes set to be released next week. You can also mitigate
> these issues without having to upgrade, using some small patches to your
> project.
>
> To learn more, please ensure you're subscribed to the security mailing
> list: https://groups.google.com/forum/#!forum/mezzanine-security
>
> Please be aware that the security list is only intended for those with
> public Mezzanine sites deployed, so on subscribing you'll need to provide
> details of the site.
>
> --
> Stephen McDonald
> http://jupo.org
>

-- 
Stephen McDonald
http://jupo.org