Closed Bug 163573 Opened 22 years ago Closed 22 years ago

CSS problems in bonsai

Categories

(Webtools Graveyard :: Bonsai, defect)

defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: tara, Assigned: tara)

Attachments

(2 files)

This patch has fixes for the first four vulnerabilities listed in the bugtraq
report.  The cvsblame.cgi portion of the patch may not apply (I hacked it
manually with the spelling fix in the latest revision, which CVS may not like).

*** Bug 155493 has been marked as a duplicate of this bug. ***
*** Bug 155659 has been marked as a duplicate of this bug. ***

Adding comment from duped bug for centralization purposes:

There seems to be a dangerous bug in bonsai which allows execution of
arbitrary code on the web server with the privileges of the web server.

The problem is in file editcheckin.cgi on the line:
my $info = eval("\\%" . $::FORM{'id'});

I run a little modified bonsai so I am not completely sure it will work on
the genuine bonsai but probably it will work.

So the problem is eval executes backticks (``).

The following URL:
--------------------------------
http://bonsai/editcheckin.cgi?id=$a=%22a%22;$b=%60echo%20%22Content-type:%20text/html\n\ngeorgi%22%20%3E/tmp/georgi%60;print%20$b;$g=%22a%22
---------------------------------

evals the following
-----------------------------
$a="a";$b=`echo "Content-type: text/html\n\ngeorgi" >/tmp/georgi`;print $b;$g="a";
-----------------------------
and creates a file /tmp/georgi

The following URL:
-----------------------------
http://bonsai/editcheckin.cgi?id=$a=%22a%22;$b=%60cat%20/tmp/georgi%60;print%20$b;$g=%22a%22
------------------------------

does 
cat /tmp/georgi

A quick grep for eval shows also the following potentially dangerous evals:
addcheckin.pl:189:               $info = eval("\\\%$id");
addcheckin.pl:208:                              if ((eval("\$$i" . "{person}") eq $name) &&
adminfuncs.pl:45:          my $info = eval("\\\%$checkin");
cvsblame.cgi:493:        l.document.write(eval("log" + revToName(rev)) + "</TD></TR></TABLE>");
doeditcheckin.cgi:44:    $info = eval("\\%" . $::FORM{'id'});
dotweak.cgi:80:            my $info = eval("\\%" . $i);
dotweak.cgi:89:            my $info = eval("\\%" . $i);
editcheckin.cgi:38:my $info = eval("\\%" . $::FORM{'id'});
globals.pl:218:##  correctly when eval'ed
globals.pl:249:        my $value = eval($name);
repophook.cgi:95:               $info = eval("\\\%$id");
showcheckins.cgi:64:          $info = eval("\\\%$checkin");
showcheckins.cgi:81:          $info = eval("\\\%$checkin");
showcheckins.cgi:108:     my $aref = eval("\\\%$a");
showcheckins.cgi:109:     my $bref = eval("\\\%$b");
showcheckins.cgi:130:     $info = eval("\\\%$infoname");
showcheckins.cgi:209:     $info = eval("\\\%$checkin");
toplevel.cgi:109:    my $info = eval("\\\%$checkin");
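
An added example, not part of the bug report or of the Bonsai patch: one way to resolve a hash by a request-supplied name without string eval, shown beside the reported pattern. The `checkin_<number>` naming, the `lookup_info` helper and the sample data are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for a package-level hash that a script would look up
# by name. The "checkin_<number>" naming is an assumption for this example.
our %checkin_1 = (person => 'tara', log => 'constructed log message');

# Vulnerable pattern from the report, shown for contrast only (not executed):
#   my $info = eval("\\%" . $::FORM{'id'});
# The whole parameter is compiled as Perl, so it can carry statements.

# Hardened lookup: accept only an expected name, then resolve it through the
# symbol table. No request data is ever compiled or interpolated into code.
sub lookup_info {
    my ($id) = @_;
    return unless defined $id;
    # \A and \z anchor the full string, so a trailing newline cannot slip by.
    return unless $id =~ /\A(?:::)?(checkin_[0-9]+)\z/;
    my $name = $1;
    # Test the stash first so an unknown name does not create a new glob.
    return unless exists $main::{$name};
    no strict 'refs';
    return *{"main::$name"}{HASH};    # undef if the glob holds no hash
}

# Constructed inputs: two valid names, one unknown name, and three that the
# allowlist must reject.
for my $id ('checkin_1', '::checkin_1', 'checkin_2', 'ENV',
            'checkin_1;print 1', "checkin_1\n") {
    my $info = lookup_info($id);
    (my $shown = $id) =~ s/\n/\\n/g;
    printf "%-22s => %s\n", "'$shown'",
        $info ? "found (person=$info->{person})" : 'rejected or not found';
}
```

The allowlist also keeps the lookup from returning unrelated package hashes such as `%ENV`, which a bare "any identifier" check would permit.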

Comment on attachment 95950
patch v1: fixes for the first four reported vulnerabilities

tested and happy

Attachment #95950 - Flags: review+

I can't reproduce the last three reported vulnerabilities on
bonsai.mozilla.org.  Can anyone else?

Checked in first patch:

Checking in cvslog.cgi;
/cvsroot/mozilla/webtools/bonsai/cvslog.cgi,v  <--  cvslog.cgi
new revision: 1.18; previous revision: 1.17
done
Checking in cvsblame.cgi;
/cvsroot/mozilla/webtools/bonsai/cvsblame.cgi,v  <--  cvsblame.cgi
new revision: 1.33; previous revision: 1.32
done
Checking in globals.pl;
/cvsroot/mozilla/webtools/bonsai/globals.pl,v  <--  globals.pl
new revision: 1.16; previous revision: 1.15
done

Attachment #95985 - Flags: review+

I've tried 3 different browsers looking for georgi, and natch.
Survey says we seem to be in good shape.

um, when I said "in good shape" I meant "I'm going to close this bug now"

Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED

Checking in cvsqueryform.cgi;
/cvsroot/mozilla/webtools/bonsai/cvsqueryform.cgi,v  <--  cvsqueryform.cgi
new revision: 1.15; previous revision: 1.14
done
Checking in showcheckins.cgi;
/cvsroot/mozilla/webtools/bonsai/showcheckins.cgi,v  <--  showcheckins.cgi
new revision: 1.11; previous revision: 1.10
done
Product: Webtools → Webtools Graveyard