Closed Bug 141557 Opened 22 years ago Closed 22 years ago

allowuserdeletion security hole in edituser.cgi

Categories

(Bugzilla :: User Accounts, defect)

2.14.1
All
Linux
defect
Not set
normal

Tracking


RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: cholmes, Assigned: myk)

Details

(Whiteboard: applied to 2.14.2)

Attachments

(2 files)

If I'm a user with the ability to edit other users then I have the ability to
delete other users regardless of the allowuserdeletion parameter flag. I simply
select a user, then change 'edit' to 'del' in the URL.

This is due to two missing "exit;" lines in editusers.cgi. To find them, do a
search for "PutTrailer" in editusers.cgi - after every occurrence of PutTrailer
(except the definition) there should be an exit on the next line.

Cheers,
Group: security?
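The following is an added illustration of the control-flow defect the reporter describes; it is not code from this bug's patch or from Bugzilla's editusers.cgi. A handler prints the refusal message and renders the page trailer but never stops, so execution falls through into the privileged delete below it. `Param`, `PutTrailer` and `delete_user` are hypothetical stand-ins for the script's helpers, the configuration hash is constructed, and the request-ending `exit;` of a one-request-per-process CGI is modelled as `return` so that both variants can run in one script.

```perl
#!/usr/bin/perl
# Added illustration (not Bugzilla's editusers.cgi): a CGI-style handler that
# renders a refusal page but forgets to stop, so control falls through into
# the privileged branch. Param, PutTrailer and delete_user are hypothetical
# stand-ins for the script's own helpers.
use strict;
use warnings;

my %param = (allowuserdeletion => 0);   # constructed configuration
sub Param { return $param{ $_[0] } }

# Record what the handler did instead of printing HTML, so the two variants
# can be compared.
sub PutTrailer  { my ($log) = @_;        push @$log, 'trailer'; }
sub delete_user { my ($log, $user) = @_; push @$log, "deleted:$user"; }

# Vulnerable shape: the refusal text is printed and the trailer rendered,
# but nothing ends the request, so the delete still runs.
sub handle_delete_vulnerable {
    my ($user) = @_;
    my @log;
    if (!Param('allowuserdeletion')) {
        push @log, 'refused';
        PutTrailer(\@log);
        # no exit here: execution continues below
    }
    delete_user(\@log, $user);
    PutTrailer(\@log);
    return \@log;
}

# Fixed shape: terminate the request right after the trailer. In the real
# CGI this is "exit;"; "return" plays that role here so both variants can
# run in one script.
sub handle_delete_fixed {
    my ($user) = @_;
    my @log;
    if (!Param('allowuserdeletion')) {
        push @log, 'refused';
        PutTrailer(\@log);
        return \@log;   # editusers.cgi: exit;
    }
    delete_user(\@log, $user);
    PutTrailer(\@log);
    return \@log;
}

for my $variant (['vulnerable', \&handle_delete_vulnerable],
                 ['fixed',      \&handle_delete_fixed]) {
    my ($name, $sub) = @$variant;
    my $log     = $sub->('alice@example.com');   # constructed target user
    my $deleted = grep { /^deleted:/ } @$log;
    printf "%-10s -> %s (%s)\n", $name, join(',', @$log),
        $deleted ? 'user deleted despite allowuserdeletion=0'
                 : 'delete blocked';
}
```

The vulnerable variant records the refusal and the trailer and then the deletion anyway, which is exactly what a caller sees when the `edit` action is swapped for `del` on a server with `allowuserdeletion` off; the fixed variant stops after the trailer.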
Attached patch: Patch v.1
Fix, as suggested by reporter. I can confirm the bug, and that this fix
prevents it.

Gerv
Comment on attachment 81913 [details] [diff] [review]
Patch v.1

Yup, that's the fix. 2xr=myk
Attachment #81913 - Flags: review+
Fixed. cholmes@cs.umass.edu - thank you very much for reporting this :-)

Checking in editusers.cgi;
/cvsroot/mozilla/webtools/bugzilla/editusers.cgi,v  <--  editusers.cgi
new revision: 1.35; previous revision: 1.34
done

Gerv
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
This fix has been applied to b.m.o.
I just audited every instance of PutTrailer() in edit* - there are no other
instances where exit; is missing.

Gerv
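The audit described in the two comments above (every `PutTrailer()` call except the definition must be followed by `exit;`) can be mechanised. This is an added helper, not part of Bugzilla or of this bug's patches; the source text it scans is a constructed sample in the shape of the reported defect, not the real editusers.cgi.

```perl
#!/usr/bin/perl
# Added audit helper (not part of Bugzilla): report every PutTrailer(...)
# call whose next non-blank, non-comment line is not "exit;". Mirrors the
# manual check described in the bug. The sample scanned below is constructed.
use strict;
use warnings;

# Takes a reference to an array of source lines; returns "line: text" entries
# for each call site that is missing the exit.
sub audit_trailers {
    my ($lines) = @_;
    my @missing;
    for my $i (0 .. $#$lines) {
        my $line = $lines->[$i];
        next if $line =~ /^\s*sub\s+PutTrailer\b/;   # skip the definition
        next unless $line =~ /\bPutTrailer\s*\(/;
        # Find the next line that is neither blank nor a comment.
        my $j = $i + 1;
        $j++ while $j <= $#$lines && $lines->[$j] =~ /^\s*(#.*)?$/;
        my $next = $j <= $#$lines ? $lines->[$j] : '';
        push @missing, sprintf("%d: %s", $i + 1, $line)
            unless $next =~ /^\s*exit\s*;/;
    }
    return @missing;
}

# Constructed sample in the shape of the defect: the refusal branch renders
# the trailer without exiting, while the confirmation branch does it right.
my @sample = split /\n/, <<'END';
sub PutTrailer {
    print "</body></html>\n";
}
if ($action eq 'del') {
    if (!Param('allowuserdeletion')) {
        print "Sorry, user deletion is disabled.\n";
        PutTrailer($localtrailer);
    }
    print "Confirm deletion of $user\n";
    PutTrailer($localtrailer);
    exit;
}
END

my @missing = audit_trailers(\@sample);
print "PutTrailer calls without a following exit;:\n";
print "  $_\n" for @missing;
```

Run against a real checkout, the same function can be fed `editusers.cgi` (or each `edit*.cgi`) line by line; the only hit on the sample is the call inside the refusal branch, which is the pattern the fix in this bug addresses.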
Target Milestone: --- → Bugzilla 2.16
munging ccs
Comment on attachment 83024 [details] [diff] [review]
Backported patch for BUGZILLA-2_14_1-BRANCH

2xr=gerv.

Gerv
Attachment #83024 - Flags: review+
Checked in on BUGZILLA-2_14_1-BRANCH.
Whiteboard: applied to 2.14.2
Adding representatives of the packagers to bugs that are going into the
Bugzilla 2.14.2 security update
moving secure bugzilla/webtools bugs from mozilla security group to the new
bugzilla security group.
Group: security? → webtools-security?
2.14.2 is out, removing security group.
Group: webtools-security?
QA Contact: matty_is_a_geek → default-qa