82781 - describecomponents.cgi doesn't check viewing permissions

Status: RESOLVED FIXED

(Bugzilla :: Bugzilla-General, defect)

Description

[Robert Kaiser]

I faced this one with my private installation of BugZilla 2.12 (see URL).

If you log in a user that isn't allowed to view all groups assinged to products,
the products he has no permissions for are excluded in enter_bug.cgi as well as
in query.cgi - but they still show up in describecomponents.cgi

I even can view all entries there if I'm not logged in as any user...

Comment 1

[Myk Melez [:myk] [@mykmelez]]

Attachment: patch to fix problem

Comment 2

[Myk Melez [:myk] [@mykmelez]]

One potential security hole with this patch is that if a product doesn't exist
the error message says the product name is invalid, but if a product exists and
the user is not authorized to access it then the error message says the user is
not authorized.  This could potentially allow someone to guess at product names
in order to find out which products exist in the database, even if they would
not be able to get any other information about that product.

I'm not sure whether this can be considered enough of a security hole that we
should print the same message in both situations.  It is similar to the
situation where a cracker enters a correct login name but incorrect password. 
Do we let them know the login name was correct?

Comment 3

[Myk Melez [:myk] [@mykmelez]]

Adding "review" keyword to get these on the radars of reviewers (if they aren't
already).

Comment 4

[Tara Hernandez]

we don't.  we just say the password is invalid.  i don't think that's something
 to worry about overly much, but feel free to point out that i'm wrong if you
think of something else.

test on main landfill install looks good.

r=tara

Comment 5

[Dave Miller [:justdave]]

checked in.

Comment 6

[Dave Miller [:justdave]]

Moving to Bugzilla product