Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <2f4d59da-0ac3-4b1e-98f7-dae9c23ddeb9@gmail.com>
Date: Tue, 1 Apr 2025 18:31:48 -0500
From: Jacob Bachmeyer <jcb62281@...il.com>
To: oss-security@...ts.openwall.com, Enxin Xie <linkinstar@...che.org>
Subject: Re: CVE-2025-29868: Apache Answer: Using externally
 referenced images can leak user privacy.

On 3/31/25 21:44, Enxin Xie wrote:
> [...]
>
> Description:
>
> Private Data Structure Returned From A Public Method vulnerability in Apache Answer.
>
> This issue affects Apache Answer: through 1.4.2.
>
> If a user uses an externally referenced image, when a user accesses this image, the provider of the image may obtain private information about the ip address of that accessing user.
> Users are recommended to upgrade to version 1.4.5, which fixes the issue. In the new version, administrators can set whether external content can be displayed.

This hits two major pet peeves of mine:

First, only versions through 1.4.2 are vulnerable, but the issue was 
fixed in 1.4.5?  What about 1.4.3 and 1.4.4?

Second, the short description is *not* an accurate summary of the 
issue:  there is no public method that returns a private data structure 
here.  The possibility of planting a web bug (this is an ancient issue 
and the reason better email clients block references to remote media by 
default) is *different* from Apache Answer *itself* exposing a public 
method that leaks private data.

This issue is more akin to XSS, except that web bugs are older than 
JavaScript.  The "leaked" IP address originates from the *user's* 
machine making a connection to retrieve an untrusted resource.  Perhaps 
"same origin" should have been imposed on images, but it is not.


-- Jacob

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.