Closed Bug 141557 Opened 23 years ago Closed 23 years ago

allowuserdeletion security hole in edituser.cgi

Categories

(Bugzilla :: User Accounts, defect)

2.14.1
All
Linux
defect
Not set
normal

Tracking


RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: cholmes, Assigned: myk)

Details

(Whiteboard: applied to 2.14.2)

Attachments

(2 files)

If I'm a user with the ability to edit other users then I have the ability to delete other users regardless of the allowuserdeletion parameter flag. I simply select a user, then change 'edit' to 'del' in the URL. This is due to two missing "exit;" lines in editusers.cgi. To find them do a search for "PutTrailer" in editusers.cgi - after every occurrence of PutTrailer (except the definition) there should be an exit on the next line. Cheers,
Group: security?
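The control-flow defect the report describes, modelled in Perl as an added example (not Bugzilla's code): the guard prints a refusal page and the trailer but never exits, so execution falls through into the deletion code. Param, PutTrailer, DeleteUser and %FORM are stand-ins assumed for this example.

```perl
#!/usr/bin/perl -w
# Illustrative model of the editusers.cgi fall-through bug (not Bugzilla's code).
# Param, PutTrailer, DeleteUser and %FORM are assumed stand-ins for the script's helpers.
use strict;

my %Param = (allowuserdeletion => 0);                         # constructed: deletion disabled
my %FORM  = (action => 'del', user => 'victim@example.com');  # constructed: edit -> del in the URL
my @deleted;                                                  # records what the script would delete

sub Param      { return $Param{$_[0]} }
sub PutTrailer { print "[page footer]\n" }
sub DeleteUser { push @deleted, $_[0]; print "Deleting $_[0]\n" }

# Vulnerable shape: the refusal page is printed, but without exit the
# request keeps running and reaches DeleteUser anyway.
sub vulnerable_dispatch {
    if ($FORM{action} eq 'del') {
        if (!Param('allowuserdeletion')) {
            print "Sorry, deletion of user accounts is disabled.\n";
            PutTrailer();
            # missing: exit;
        }
        DeleteUser($FORM{user});   # reached even though the parameter is off
    }
}

# Fixed shape: every PutTrailer() that ends a page is followed by exit,
# so the refusal page really ends the request.
sub fixed_dispatch {
    if ($FORM{action} eq 'del') {
        if (!Param('allowuserdeletion')) {
            print "Sorry, deletion of user accounts is disabled.\n";
            PutTrailer();
            exit;
        }
        DeleteUser($FORM{user});
    }
}

vulnerable_dispatch();
print "vulnerable: deleted = @deleted\n";   # shows victim\@example.com despite allowuserdeletion=0
@deleted = ();
fixed_dispatch();
print "fixed: deleted = @deleted\n";        # never printed: exit ended the request
```

The audit described later in the thread amounts to checking that each `PutTrailer();` call is followed by `exit;`, for example with `grep -n -A1 'PutTrailer();' edit*.cgi`.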
Attached patch: Patch v.1
Fix, as suggested by reporter. I can confirm the bug, and that this fix prevents it. Gerv
Comment on attachment 81913 [details] [diff] [review] Patch v.1 Yup, that's the fix. 2xr=myk
Attachment #81913 - Flags: review+
Fixed. cholmes@cs.umass.edu - thank you very much for reporting this :-) Checking in editusers.cgi; /cvsroot/mozilla/webtools/bugzilla/editusers.cgi,v <-- editusers.cgi new revision: 1.35; previous revision: 1.34 done Gerv
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
This fix has been applied to b.m.o.
I just audited every instance of PutTrailer() in edit* - there are no other instances where exit; is missing. Gerv
Target Milestone: --- → Bugzilla 2.16
munging ccs
Comment on attachment 83024 [details] [diff] [review] Backported patch for BUGZILLA-2_14_1-BRANCH 2xr=gerv. Gerv
Attachment #83024 - Flags: review+
Checked in on BUGZILLA-2_14_1-BRANCH.
Whiteboard: applied to 2.14.2
Adding representatives of the packagers to bugs that are going into the Bugzilla 2.14.2 security update
moving secure bugzilla/webtools bugs from mozilla security group to the new bugzilla security group.
Group: security? → webtools-security?
2.14.2 is out, removing security group.
Group: webtools-security?
QA Contact: matty_is_a_geek → default-qa
