#3022 Fedora Raffle includes javascript code (jquery) from google without using https
Closed: Fixed None Opened 9 years ago by till.

= phenomenon =

I visited https://admin.fedoraproject.org/raffle and noticed that Firefox does not show the connection to be properly SSL-protected.

= reason =
A traffic analysis with HTTPFox revealed that http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js is the cause for this. Therefore an active man-in-the-middle attacker can modify the content of the javascript file and modify the displayed contents on the website to e.g. access the credentials or access the session cookie.

= recommendation =
* Host the jquery lib on a fedora server and access it via HTTPS from there
* Protect the session cookie by setting the flag HttpOnly (afaics it is not the case currently)
* While doing this, protect the session cookie using the "Secure" flag (it is not related to the reported security problem, but it is related to the cookie configuration)


I'll push change #1 ASAP -- have a change committed but I'll need to spin a new package and test.

Changes #3 I'll have a new release of python-fedora with that change. This will need some testing as there's a few other changes queued up there as well.

Change #2 I've modified the TG2 and Django auth modules in python-fedora to do this. TG1 will either require significant work or getting some feedback from upstream to adding it to our base TG-1.0. and TG-1.1 packages in Fedora and EPEL. Do you know what the effect of HttpOnly is? From my reading, it seems like it just prevents JavaScript on the client from reading the cookie information which seems fairly non-intrusive for a session cookie. Do you know if it goes beyond this? Does it prevent AJAX calls from sending the cookie to authenticate themselves, for instance?

TG upstream has accepted my suggestion and committed support for httponly in TG1. I'll backport that to the Fedora and EPEL packages -- probably tomorrow; it won't be deployed immediately but I'll get it in the works.

http://sourceforge.net/p/turbogears1/code/7389/tree/branches/1.1/turbogears/visit/api.py?diff=4d752eaab9363c1d270008b8:7388

Replying to [comment:1 toshio]:

Change #2 I've modified the TG2 and Django auth modules in python-fedora to do this. TG1 will either require significant work or getting some feedback from upstream to adding it to our base TG-1.0. and TG-1.1 packages in Fedora and EPEL. Do you know what the effect of HttpOnly is? From my reading, it seems like it just prevents JavaScript on the client from reading the cookie information which seems fairly non-intrusive for a session cookie. Do you know if it goes beyond this? Does it prevent AJAX calls from sending the cookie to authenticate themselves, for instance?

Afaik HttpOnly prevents accessing the cookie via document.cookie, but the browser still sends the cookie with all requests including AJAX calls.

Update:

  • Raffle package updated. This takes care of recommendation #1.
  • I've built updated TurboGears package for F15+ and EPEL6. This adds httponly support (but does not automatically turn it on) for session cookies in TG1 apps on those distros. This support only works with python-2.4+ so I haven't pushed it back to EL5. This also means we won't be able to enable this in our TG1 applications until we move the app servers to RHEL6.
  • Working on the python-fedora update is my next task. IIRC, the set of features committed are all supposed to work; they just need to be tested to verify that they work when packaged. I'll spin up a beta and try it out on the infrastructure staging servers in the next week.

Updating TurboGears -- Discussed with Kevin; we think we'll push forward on upgrading the app servers to RHEL6 -- simply leaving a single app server on RHEL5 to run fedora-community or other apps that have not ported to RHEL5. When we do that, we can change the config files for our TG1 apps to turn on httponly support. Timeline for this is likely to extend into January as we've already committed to migrating hosted to RHEL6. So app servers to RHEL6 is going to be scheduled after that.

python-fedora packages for testing are here: http://toshio.fedorapeople.org/python-fedora/

Likely, this change won't get pushed back to F14 but I built the packages in case someone needs to test them locally. I'm adding the packages to the infra-test repo to deploy to stg now.

All the raffle serving app servers are rhel6 now. We should be able to enable this...

The change will be to set:
{{{
visit.cookie.httponly = True
}}}

for our TG1 apps. The right place is probably the config/app.cfg file for each application. But it should work to simply set that in the /etc/*.cfg file for each application. I'll change the pkgdb configuration now as an example. Feel free to change the other TG1 apps so we can close this or I'll try to get back to those during the sprints.

PackageDB change is in puppet master git commit 96fd094304567441ff2dadb90e1f7c959613c818

Verified that the packagedb tg-visit cookie is now being returned with httponly set.

This seems to break reviewboard on hosted03. ;(

{{{
[Sun Mar 11 16:53:44 2012] [error] [client 75.148.32.185] mod_wsgi (pid=12211): Exception occurred processing WSGI script '/srv/reviewboard/conf/reviewboard.wsgi'.
[Sun Mar 11 16:53:44 2012] [error] [client 75.148.32.185] Traceback (most recent call last):
[Sun Mar 11 16:53:44 2012] [error] [client 75.148.32.185] File "/usr/lib/python2.6/site-packages/django/core/handlers/wsgi.py", line 252, in call
[Sun Mar 11 16:53:44 2012] [error] [client 75.148.32.185] response = middleware_method(request, response)
[Sun Mar 11 16:53:44 2012] [error] [client 75.148.32.185] File "/usr/lib/python2.6/site-packages/fedora/django/auth/middleware.py", line 82, in process_response
[Sun Mar 11 16:53:44 2012] [error] [client 75.148.32.185] path='/', secure=True, httponly=True)
[Sun Mar 11 16:53:44 2012] [error] [client 75.148.32.185] TypeError: set_cookie() got an unexpected keyword argument 'httponly'
}}}

reviewboard should be fixed now, by ticket #3194

ok, I just pushed a fix for:

mirrormanager, smolt, elections, bodhi and fas.

I think thats all the TG1 apps and we should be good now.

Please re-open this if you see any of them not acting correctly. Sorry this took so long to fix.

Login to comment on this ticket.

Metadata