Info on patch for CVE-2018-18307 vulnerability

[jasnow]

I'm working on a Rubysec.com security advisory for CVE-2018-18307 and I would
like to give your project credit for a patch but I cannot see one in this GitHub repo.

Reference: https://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.htm

I would appreciate any insight or URLs to commits/PRs/etc.

Thanks

[jasnow]

Here is the current advisory information: rubysec/ruby-advisory-db#691

[tvdeyen]

Has this ever been verified as a real vulnerability? I have not seen evidence yet. Can you provide more information please?

[jasnow]

Reference: https://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.htm

Is this not the evidence?

[tvdeyen]

Is it? It is a random url in the internet. Who created this post? Who approved this? Where is the CVE coming from? And who approved this? Is this legit?

[jasnow]

Here is the source of the CVE: https://nvd.nist.gov/vuln/detail/CVE-2018-18307

Here is another advisory: GHSA-7mj4-2984-955f

I am going to cancel my PR until these questions are answered.
I am not trying to create answers, just collect existing answers.

Thanks for your responses.

[tvdeyen]

Here is another advisory: GHSA-7mj4-2984-955f

Who submitted this? Nobody of us certainly. Has this been approved? If yes, by whom?
Also this uses the same random links from the internet as "prove".

I am going to cancel my PR until these questions are answered.

I still do not understand what all of this is about. Some random CVE (from 2018) shows up, gets submitted to some database and then this discussion pops up here. All of this without a single prove of if the vulnerability is actually real. Someone posted an unproven and evidence lacking CVE in the internet. What are we supposed to be doing?

"Innocent until proven guilty"

Please provide more information than just some random links. And please give us more background on:

• Who you are?
• What qualifies you?
• What evidence do you have besides random links?

Otherwise I will need to report this to GitHub

Sorry, but this very rude behavior. We are a small team of developers doing this in our spare time. We have better things to do, than answering accusations from random people in the internet.

[jasnow]

I I am sorry for my behavior - my (false) assumption was that you fixed the vulnerability back in 2018 without bread crumbs.
I did try your security email first to ask privately but it was bounced.
If you want, I will close this discussion.
Take care.

[tvdeyen]

I just contacted packetstorm and asked them who approved and verified the accusation. Awaiting answer.

[jasnow]

Decided to close this discussion - take care.

[postmodern]

Hello @tvdeyen, ruby-advisory-db maintainer here. I suggested that @jasnow reach out to you to get clarification on CVE-2018-18307 (which also found it's way into the GitHub Security Advisories DB), since it was not clear if the vulnerability was patched in 4.1.1, patched later, patched silently, or never patched at all, etc. I did not think it would be fair to mark all versions of AlchemyCMS as vulnerable because CVE-2018-18307 lacked details. This is part of @jasnow's on-going efforts to make sure that ruby-advisory-db has all of the Ruby security advisories which the GitHub Security Advisory DB has, which often involves reviewing much older security advisories.

Perhaps a better way to verify the validity of this advisory is to try to reproduce the instructions in the original Proof-of-Concept exploit against AlchemyCMS 4.1.0. It appears to describe a multi-part HTTP POST request to /admin/pictures, where it's uploading/creating a new file, but with <img> tags in the filename, which may or may not be sanitized properly. Is there a pre-configured Docker image of AlchemyCMS that we could change to use version 4.1.0 and test against? I do not have experience setting up AlchemyCMS, so if there's some way to quickly setup a working version of 4.1.0 that would make testing this advisory much easier. If someone is claiming that AlchemyCMS 4.1.0 is vulnerable, and provided Steps to Reproduce (aka Proof-of-Concept exploit), but you dispute their claims, then we should try to verify their Steps to Reproduce.

I would also like to remind you that we are volunteers just trying to verify the details of public security advisories before they are added to ruby-advisory-db, which is used by bundler-audit. Arguing with us or threatening to report us to GitHub does not help things. If you do have evidence that CVE-2018-18307 is invalid, then you will need to contact NVD and submit a PR to the GitHub Security Advisory DB.

[tvdeyen]

Hi @postmodern I appreciate the background information that you just gave. A much nicer introduction. Still the whole situation is a bit annoying. Let me try to explain my grief. A couple of years ago, someone reached out to us via a random bug hunting platform, saying they found a security vulnerability. We marked it as invalid because it is a protected admin route, where all POST requests get rejected that are not authorized. The bug got closed and we never heard back from them. We thought. Now 5 years later suddenly this post in our public forum shows up, telling us, there is an official CVE, without any further introduction. This kind of shocked me. So, I started to ask questions. The answers just point me to shady looking (but obviously legit) websites without any further proof. Now we are in the situation to defend ourselves against this accusation. We have limited resources and now we are asked to provide proof that this vulnerability does not exist, while it never has been approved by us or any one else with a verified qualification. Maybe this is how the whole infosec works, but still makes me question a lot of these procedures. The packet storm people already reached out to us. As well as the GitHub CVE team. Now I need to proof - again - that a 5 years old version of Alchemy is not vulnerable. Where do these people think do I take the time from? We take security seriously. We run brakeman scans against all our gems and inhabit security patterns in all our work either in open source or in client work we do in our day to day jobs. But I now feel forced to deal with something that has never been properly proven in the first place. We are now publicly accused and now need to publicly proof it wrong. Thanks for nothing. Please be sure that I appreciate all of the work you and @jasnow are doing for the Ruby community, but please understand the situation we are now in. Appreciate any further help on how to solve this problem. Thanks