Closed Bug 213384 Opened 21 years ago Closed 21 years ago

shutdownhtml login bypass via editparams.cgi is broken under suexec

Categories

(Bugzilla :: Administration, task)

Product:
Bugzilla
Component:
Administration
Type:
task
Priority:
Not set
Severity:
blocker

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.16

People

(Reporter: syssrini, Assigned: goobix)

Details

(Whiteboard: [fixed in 2.16.4] [fixed in 2.17.5])

Attachments

(1 file, 1 obsolete file)

Patch ver 2
716 bytes, patch
kiko
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Build Identifier: www.mozilla.org

I changed shutdownhtml parameter ,and then Logged out of Admin. Now when i try 
to get into Admin, it says Bugzilla is currently down for me too...Tell me a 
way to login as Admin and fix it...


Reproducible: Always

Steps to Reproduce:
1.Login as admin
2.change the shutdown html parameter
3.Log out of Admin

Actual Results:  
I got locked out....

Expected Results:  
Let me login as Admin and fix it..

--
Go directly to http://yourbugzilla/editparams.cgi

That's the only page that will work when shutdownhtml is in place.

In the future please post support questions to the mozilla-webtools mailing list
(http://www.bugzilla.org/discussion.html).  This is not a bug.
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
Login to http://yourbugzilla/editparams.cgi does not work if the Apache uses the
suexec mechanism.

Reason:

CGI.pl uses this line:

if (Param("shutdownhtml") && $0 !~ m:[\\/](do)?editparams.cgi$:)

On my system (Bugzilla 2.17.4, Apache 1.3.27 with suexec enabled, chrooted), if
Apache does not use the suexec mechanism then $0 contains
"/home/someuser/bugzilla/editparams.cgi".

But if suexec is enabled then $0 contains only "editparams.cgi" and the
condition does not work.


Changing the condition to

if (Param("shutdownhtml") && $0 !~ m:(do)?editparams.cgi$:) {

seems to work, but somebody please check this, as I am unfamiliar with this m:
thing.

Many commercial web hosters use Apache with the suexec mechanism, so I believe
this is in fact a problem and this is a valid bug. Please reopen.
OK, I'll buy that.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Summary: I used shutdownhtml parameter from Admin and logged out of Admin myself → shutdownhtml login bypass via editparams.cgi is broken under suexec
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 2000 → All
Hardware: PC → All
Component: Bugzilla-General → Administration
Attached patch Patch (obsolete) — Splinter Review 

    
  

        Attachment #131735 -
        Flags: review?(kiko)

    
    

    
  
>> I am unfamiliar with this m: thing.

m:something: is similar with m/something/ just that you don't need to worry
about escaping the "/" char.
Assignee: justdave → jocuri

    
  
Status: NEW → ASSIGNED

    
    

    
  
Do we need a patch in the 2.16 branch as well?

    
    

    
  
Comment on attachment 131735 [details] [diff] [review]
Patch

Does it make sense to keep the (do)? there, if nothing comes before it?

    
  

        Attachment #131735 -
        Flags: review?(kiko) → review-

    
    

    
  
Regarding attachment 131735 [details] [diff] [review]:

m:(^|[\\/])(do)?editparams\.cgi$: is probably what's wanted there.

That restricts it to only the doeditparams.cgi and editparams.cgi files,
(and not also xyzzy-editparams.cgi, e.g.) and works whether or not the
full path is given.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch ver 2Splinter Review
      

    


  
Yeap, I thought about that; I did a "ls -R *editparams.cgi" in the bugzilla dir
and the only files matching that were those 2. But yeah, it's better to prevent
other files from being regexped in the future.

Also, it seems the dot in ".cgi" forgot to be escaped as well.

        Attachment #131735 -
        Attachment is obsolete: true

    
  

        Attachment #131786 -
        Flags: review?(kiko)

    
    

    
  
Arne, srini -- can you confirm this patch fixes the problem for you?

    
    

    
  
Attachment #131786 [details] [diff] works in my environment.

    
    

    
  
Comment on attachment 131786 [details] [diff] [review]
Patch ver 2

wonderful

        Attachment #131786 -
        Flags: review?(kiko) → review+

    
  
Flags: approval?
Flags: approval? → approval+
Target Milestone: --- → Bugzilla 2.18

    
    

    
  
Target --> 2.16
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16

    
    

    
  
Does this apply to both branches?

    
    

    
  
Yes

    
    

    
  
ok, approved for both 2.16 branch and trunk on the basis of being a low-risk
usability fix.  In the future ask first ;)
Whiteboard: [wanted for 2.16.4] [wanted for 2.17.5]

    
    

    
  
ok :), didn't know that changing target requires approval ;-)

    
    

    
  
Checking in CGI.pl;
/cvsroot/mozilla/webtools/bugzilla/CGI.pl,v  <--  CGI.pl
new revision: 1.153.2.5; previous revision: 1.153.2.4
done

Checking in CGI.pl;
/cvsroot/mozilla/webtools/bugzilla/CGI.pl,v  <--  CGI.pl
new revision: 1.206; previous revision: 1.205
done
Status: ASSIGNED → RESOLVED
Closed: 21 years ago21 years ago
Resolution: --- → FIXED
Whiteboard: [wanted for 2.16.4] [wanted for 2.17.5] → [fixed in 2.16.4] [fixed in 2.17.5]
QA Contact: matty_is_a_geek → default-qa

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: