Bug 213384 - shutdownhtml login bypass via editparams.cgi is broken under suexec
Status: RESOLVED FIXED (Closed)
Opened 21 years ago; closed 21 years ago
Product / Component: Bugzilla :: Administration (task)
Version: Bugzilla 2.16
Reporter: syssrini; Assignee: goobix
Whiteboard: [fixed in 2.16.4] [fixed in 2.17.5]
Attachments (1 file, 1 obsolete file): patch, 716 bytes, review+ by kiko
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Build Identifier: www.mozilla.org

I changed the shutdownhtml parameter and then logged out of Admin. Now when I try to get into Admin, it says Bugzilla is currently down for me too. Tell me a way to log in as Admin and fix it.

Reproducible: Always

Steps to Reproduce:
1. Login as admin
2. Change the shutdownhtml parameter
3. Log out of Admin

Actual Results: I got locked out.

Expected Results: Let me log in as Admin and fix it.
Comment 1•21 years ago
Go directly to http://yourbugzilla/editparams.cgi That's the only page that will work when shutdownhtml is in place. In the future please post support questions to the mozilla-webtools mailing list (http://www.bugzilla.org/discussion.html). This is not a bug.
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
Comment 2•21 years ago
Login to http://yourbugzilla/editparams.cgi does not work if Apache uses the suexec mechanism.

Reason: CGI.pl uses this line:

    if (Param("shutdownhtml") && $0 !~ m:[\\/](do)?editparams.cgi$:)

On my system (Bugzilla 2.17.4, Apache 1.3.27 with suexec enabled, chrooted), if Apache does not use the suexec mechanism then $0 contains "/home/someuser/bugzilla/editparams.cgi". But if suexec is enabled then $0 contains only "editparams.cgi" and the condition does not work.

Changing the condition to

    if (Param("shutdownhtml") && $0 !~ m:(do)?editparams.cgi$:) {

seems to work, but somebody please check this, as I am unfamiliar with this m: thing.

Many commercial web hosters use Apache with the suexec mechanism, so I believe this is in fact a problem and this is a valid bug. Please reopen.
Comment 3•21 years ago
OK, I'll buy that.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Summary: I used shutdownhtml parameter from Admin and logged out of Admin myself → shutdownhtml login bypass via editparams.cgi is broken under suexec
Updated•21 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 2000 → All
Hardware: PC → All
Updated•21 years ago
Component: Bugzilla-General → Administration
Comment 4•21 years ago
Updated•21 years ago
Attachment #131735 -
Flags: review?(kiko)
Comment 5•21 years ago
>> I am unfamiliar with this m: thing.
m:something: is similar to m/something/, just that you don't need to worry about escaping the "/" char.
Assignee: justdave → jocuri
Updated•21 years ago
Status: NEW → ASSIGNED
Comment 6•21 years ago
Do we need a patch in the 2.16 branch as well?
Comment 7•21 years ago
Comment on attachment 131735 (Patch): Does it make sense to keep the (do)? there, if nothing comes before it?
Updated•21 years ago
Attachment #131735 -
Flags: review?(kiko) → review-
Comment 8•21 years ago
Regarding attachment 131735:

    m:(^|[\\/])(do)?editparams\.cgi$:

is probably what's wanted there. That restricts it to only the doeditparams.cgi and editparams.cgi files (and not also xyzzy-editparams.cgi, e.g.) and works whether or not the full path is given.
Comment 9•21 years ago
Yep, I thought about that; I did a "ls -R *editparams.cgi" in the bugzilla dir and the only files matching that were those 2. But yeah, it's better to prevent other files from being matched by the regex in the future. Also, it seems the dot in ".cgi" was never escaped either.
Attachment #131735 -
Attachment is obsolete: true
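As an added example (not part of this bug's attachments or of Bugzilla's own code), the following Perl script runs the three candidate patterns from comments 2 and 8 against constructed values of $0: the full path Apache passes without suexec, the bare file name it passes with suexec, and the near-miss names the final pattern is meant to reject. The $0 values, the pattern labels and the blocked_by_shutdown helper are assumptions for illustration; qr{...} is used with exactly the regex bodies that CGI.pl writes as m:...:.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla code: compare the shutdownhtml bypass
# patterns discussed in bug 213384 against sample values of $0.
use strict;
use warnings;

# The three patterns, in the order the thread proposed them. CGI.pl writes
# them as m:...:; qr{...} with the same body is the same regex.
my @patterns = (
    [ 'original CGI.pl (needs a path separator before the name)',
      qr{[\\/](do)?editparams.cgi$} ],
    [ 'comment 2 proposal (no anchor at all)',
      qr{(do)?editparams.cgi$} ],
    [ 'comment 8 / attachment 131786 (start or separator, dot escaped)',
      qr{(^|[\\/])(do)?editparams\.cgi$} ],
);

# Mirrors the CGI.pl condition: when shutdownhtml is set, every script
# except the two editparams handlers must get the shutdown page.
# Returns 1 when the request would be blocked, 0 when it reaches the
# params editor. (Helper name and interface are assumptions.)
sub blocked_by_shutdown {
    my ($pattern, $script_name, $shutdownhtml) = @_;
    return 0 unless $shutdownhtml;            # Param("shutdownhtml") empty
    return ($script_name !~ $pattern) ? 1 : 0;
}

# Constructed $0 values. Without suexec Apache runs the script by full
# path; with suexec $0 is just the file name (comment 2). The rest are
# the near-miss names comments 8 and 9 want kept out.
my @cases = (
    [ '/home/someuser/bugzilla/editparams.cgi',       'full path, no suexec: allow' ],
    [ 'editparams.cgi',                               'bare name under suexec: allow' ],
    [ 'doeditparams.cgi',                             'bare form handler under suexec: allow' ],
    [ 'C:\\bugzilla\\editparams.cgi',                 'Windows path: allow' ],
    [ '/home/someuser/bugzilla/xyzzy-editparams.cgi', 'different script, similar name: block' ],
    [ '/home/someuser/bugzilla/editparamsXcgi',       'unescaped dot would match this: block' ],
    [ '/home/someuser/bugzilla/index.cgi',            'ordinary page: block' ],
);

my $shutdownhtml = 'Bugzilla is currently down.';   # any non-empty value

for my $p (@patterns) {
    my ($label, $re) = @$p;
    print "== $label ==\n";
    for my $c (@cases) {
        my ($script, $expect) = @$c;
        my $verdict = blocked_by_shutdown($re, $script, $shutdownhtml)
                    ? 'BLOCKED' : 'allowed';
        printf "  %-7s  %-48s  %s\n", $verdict, $script, $expect;
    }
    print "\n";
}

# $0 itself depends on how the interpreter was invoked, which is what
# suexec changes: run this file by full path and then as ./check.pl.
print "This script's \$0 is '$0'\n";
```

Only the third pattern allows all four editparams cases while blocking the three others: the original pattern blocks the bare names that suexec produces, and the comment 2 proposal lets xyzzy-editparams.cgi through; both let editparamsXcgi through because the dot is unescaped.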
Updated•21 years ago
Attachment #131786 -
Flags: review?(kiko)
Comment 10•21 years ago
Arne, srini -- can you confirm this patch fixes the problem for you?
Comment 11•21 years ago
Attachment #131786 works in my environment.
Comment 12•21 years ago
Comment on attachment 131786 (Patch ver 2): wonderful
Attachment #131786 -
Flags: review?(kiko) → review+
Updated•21 years ago
Flags: approval?
Updated•21 years ago
Flags: approval? → approval+
Target Milestone: --- → Bugzilla 2.18
Comment 14•21 years ago
Does this apply to both branches?
Comment 15•21 years ago
Yes
Comment 16•21 years ago
ok, approved for both 2.16 branch and trunk on the basis of being a low-risk usability fix. In the future ask first ;)
Whiteboard: [wanted for 2.16.4] [wanted for 2.17.5]
Comment 17•21 years ago
ok :), didn't know that changing target requires approval ;-)
Comment 18•21 years ago
Checking in CGI.pl;
/cvsroot/mozilla/webtools/bugzilla/CGI.pl,v  <--  CGI.pl
new revision: 1.153.2.5; previous revision: 1.153.2.4
done
Checking in CGI.pl;
/cvsroot/mozilla/webtools/bugzilla/CGI.pl,v  <--  CGI.pl
new revision: 1.206; previous revision: 1.205
done
Status: ASSIGNED → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → FIXED
Updated•21 years ago
Whiteboard: [wanted for 2.16.4] [wanted for 2.17.5] → [fixed in 2.16.4] [fixed in 2.17.5]
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa