Bug 163573: CSS problems in bonsai
Status: RESOLVED FIXED (opened 22 years ago, closed 22 years ago)
Categories: Webtools Graveyard :: Bonsai, defect
Tracking: Not tracked
People: Reporter: tara, Assigned: tara
Attachments (2 files):
patch, 1.87 KB, tara: review+
patch, 3.06 KB, tara: review+
Comment 1 • 22 years ago
This patch has fixes for the first four vulnerabilities listed in the bugtraq report. The cvsblame.cgi portion of the patch may not apply (I hacked it manually with the spelling fix in the latest revision, which CVS may not like).
Comment 2 • 22 years ago (Assignee)
*** Bug 155493 has been marked as a duplicate of this bug. ***
Comment 3 • 22 years ago (Assignee)
*** Bug 155659 has been marked as a duplicate of this bug. ***
Comment 4 • 22 years ago (Assignee)
Adding comment from duped bug for centralization purposes:

There seems to be a dangerous bug in bonsai which allows execution of arbitrary code on the web server with the privileges of the web server.

The problem is in file editcheckin.cgi on the line:

my $info = eval("\\%" . $::FORM{'id'});

I run a little modified bonsai so I am not completely sure it will work on the genuine bonsai but probably it will work.

So the problem is eval executes backticks (``).

The following URL:
--------------------------------
http://bonsai/editcheckin.cgi?id=$a=%22a%22;$b=%60echo%20%22Content-type:%20text/html\n\ngeorgi%22%20%3E/tmp/georgi%60;print%20$b;$g=%22a%22
---------------------------------
evals the following
-----------------------------
$a="a";$b=`echo "Content-type: text/html\n\ngeorgi" >/tmp/georgi`;print $b;$g="a";
-----------------------------
and creates a file /tmp/georgi

The following URL:
-----------------------------
http://bonsai/editcheckin.cgi?id=$a=%22a%22;$b=%60cat%20/tmp/georgi%60;print%20$b;$g=%22a%22
------------------------------
does cat /tmp/georgi

A quick grep for eval shows also the following potentially dangerous evals:

addcheckin.pl:189: $info = eval("\\\%$id");
addcheckin.pl:208: if ((eval("\$$i" . "{person}") eq $name) &&
adminfuncs.pl:45: my $info = eval("\\\%$checkin");
cvsblame.cgi:493: l.document.write(eval("log" + revToName(rev)) + "</TD></TR></TABLE>");
doeditcheckin.cgi:44: $info = eval("\\%" . $::FORM{'id'});
dotweak.cgi:80: my $info = eval("\\%" . $i);
dotweak.cgi:89: my $info = eval("\\%" . $i);
editcheckin.cgi:38:my $info = eval("\\%" . $::FORM{'id'});
globals.pl:218:## correctly when eval'ed
globals.pl:249: my $value = eval($name);
repophook.cgi:95: $info = eval("\\\%$id");
showcheckins.cgi:64: $info = eval("\\\%$checkin");
showcheckins.cgi:81: $info = eval("\\\%$checkin");
showcheckins.cgi:108: my $aref = eval("\\\%$a");
showcheckins.cgi:109: my $bref = eval("\\\%$b");
showcheckins.cgi:130: $info = eval("\\\%$infoname");
showcheckins.cgi:209: $info = eval("\\\%$checkin");
toplevel.cgi:109: my $info = eval("\\\%$checkin");
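
A defensive counterpart to the eval pattern reported in comment 4, added here as an example; it is not part of the bug thread, the attached patches, or Bonsai's code. It sets the reported string eval beside a lookup that validates the parameter and resolves the hash through the symbol table. The hash name checkin_1, the checkin_ prefix, and the function names lookup_unsafe and lookup_checked are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for a check-in record kept in a package-global hash.
# The name and the "checkin_" prefix are hypothetical, not taken from Bonsai.
our %checkin_1 = (person => 'tara', log => 'spelling fix');
our $ran = 0;    # set by the constructed input below if eval runs extra code

# Pattern from the report: the parameter is spliced into a string eval, so
# any Perl statements it carries are compiled and executed.
sub lookup_unsafe {
    my ($id) = @_;
    no warnings 'void';
    return eval("\\%" . $id);
}

# Checked lookup: accept only an expected record name, then fetch the hash
# slot from the symbol table. The input is never compiled as code.
sub lookup_checked {
    my ($id) = @_;
    return unless defined $id && $id =~ /\A(?:::)?(checkin_\d+)\z/;
    my $name = $1;
    no strict 'refs';
    return *{"main::$name"}{HASH};    # undef when no such hash exists
}

# Constructed inputs: a well-formed id, and one with a trailing statement
# that only flips a flag so the effect is observable.
for my $id ('::checkin_1', 'checkin_1; $main::ran = 1') {
    $ran = 0;
    lookup_unsafe($id);
    my $ref = lookup_checked($id);
    printf "%-28s eval ran extra code: %-3s  checked lookup: %s\n",
        $id, ($ran ? 'yes' : 'no'),
        ($ref ? "person=$ref->{person}" : 'rejected');
}
```

Restricting the accepted names to a fixed prefix matters as much as dropping eval: a pattern that allowed any identifier would still expose other package hashes such as %ENV.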
Comment 5 • 22 years ago (Assignee)
Comment on attachment 95950
patch v1: fixes for the first four reported vulnerabilities

tested and happy
Attachment #95950 - Flags: review+
Comment 6 • 22 years ago
I can't reproduce the last three reported vulnerabilities on bonsai.mozilla.org. Can anyone else?
Comment 7 • 22 years ago
Checked in first patch:

Checking in cvslog.cgi;
/cvsroot/mozilla/webtools/bonsai/cvslog.cgi,v <-- cvslog.cgi
new revision: 1.18; previous revision: 1.17
done
Checking in cvsblame.cgi;
/cvsroot/mozilla/webtools/bonsai/cvsblame.cgi,v <-- cvsblame.cgi
new revision: 1.33; previous revision: 1.32
done
Checking in globals.pl;
/cvsroot/mozilla/webtools/bonsai/globals.pl,v <-- globals.pl
new revision: 1.16; previous revision: 1.15
done
Updated • 22 years ago (Assignee)
Attachment #95985 - Flags: review+
Comment 8 • 22 years ago (Assignee)
I've tried 3 different browsers looking for georgi, and natch.
Comment 9 • 22 years ago (Assignee)
Survey says we seem to be in good shape.
Comment 10 • 22 years ago (Assignee)
um, when I said "in good shape" I meant "I'm going to close this bug now"
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 11 • 22 years ago
Checking in cvsqueryform.cgi;
/cvsroot/mozilla/webtools/bonsai/cvsqueryform.cgi,v <-- cvsqueryform.cgi
new revision: 1.15; previous revision: 1.14
done
Checking in showcheckins.cgi;
/cvsroot/mozilla/webtools/bonsai/showcheckins.cgi,v <-- showcheckins.cgi
new revision: 1.11; previous revision: 1.10
done
Updated • 8 years ago
Product: Webtools → Webtools Graveyard