Closed Bug 1234325 Opened 8 years ago Closed 8 years ago

Backport upstream bug 1230932 to bmo/4.2 to fix providing a condition as an ID to the webservice results in a taint error

Categories

(bugzilla.mozilla.org :: API, defect)

Production
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: dkl, Assigned: dkl)

Attachments

(1 file, 1 obsolete file)

+++ This bug was initially created as a clone of Bug #1230932 +++

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

Hello,

My name is Netanel Rubin, I work as a vulnerability researcher at PerimeterX.

This is a critical vulnerability report for an issue I discovered in the Bugzilla platform. The successful exploitation of the vulnerability allows an attacker to successfully exploit an SQL Injection flaw assuming Taint Mode is disabled at the vulnerable script.

As a PoC, I've tested the vulnerability on your installation. It appears you have disabled Taint on jsonrpc.cgi (and possibly other pages), as the attack succeeded and I've managed to execute any SQL statement I wanted under a SELECT query.

I'm attaching the complete vulnerability report to this bug, as I learned from past experience this is your preferred method of communication.
Please assign a CVE number for this issue. We would also like to coordinate the public disclosure with you.

Best regards,
Netanel.
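The report above describes an ID parameter that reached SQL without validation once taint mode was off. The following is an added Perl example (Bugzilla is written in Perl) and is not the backported patch or any Bugzilla code; the function names `validate_id` and `ids_to_placeholders` and the sample inputs are constructed here to show the defensive pattern of accepting only a positive integer for an "id" style webservice argument and passing it to the database as a bind value rather than interpolating it.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's own code: strict validation of an "id"
# webservice parameter before it can reach a query. Names and inputs are
# constructed for illustration.
use strict;
use warnings;

# Accept only a plain positive integer. Anything else, including a string
# that looks like an SQL condition, is rejected before any query is built.
sub validate_id {
    my ($value) = @_;
    die "Invalid id: undefined\n" unless defined $value;
    # Anchored match on digits only; the capture also "detaints" the value
    # for the case where taint mode is enabled.
    return $1 if $value =~ /^([1-9][0-9]*)$/;
    die "Invalid id: '$value' is not a positive integer\n";
}

# The webservice may accept a list of ids. Validate each one and return
# a placeholder list plus the bind values for a parameterised IN (...) clause.
sub ids_to_placeholders {
    my (@ids) = @_;
    my @clean = map { validate_id($_) } @ids;
    my $placeholders = join(',', ('?') x @clean);
    return ($placeholders, @clean);
}

# Constructed inputs: valid ids and a few values a validator must reject.
for my $input (42, '17', ' 1 ', '1 OR 1=1', 'id=1', '') {
    my $id = eval { validate_id($input) };
    my $msg;
    if (defined $id) {
        $msg = "ok ($id)";
    } else {
        chomp(my $err = $@);
        $msg = "rejected: $err";
    }
    printf "%-20s => %s\n", "'$input'", $msg;
}

# Only validated values ever reach the query, and only as bind parameters.
my ($sql_in, @bind) = ids_to_placeholders(3, 7, 11);
print "SELECT ... WHERE id IN ($sql_in)  -- bind values: @bind\n";
```

The key property is that the caller never builds SQL text from the raw argument: the validator either returns a bare integer or dies, and the integer is then supplied through DBI placeholders, so turning taint mode off for a script does not remove the check.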
No longer blocks: 1232203
Assignee: nobody → dkl
Summary: Providing a condition as an ID to the webservice results in a taint error → Backport upstream bug 1230932 to bmo/4.2 to fix providing a condition as an ID to the webservice results in a taint error
Cloning bugs really shouldn't copy the CC list, IMO.
(In reply to Frédéric Buclin from comment #1)
> Cloning bugs really shouldn't copy the CC list, IMO.

I do agree.
Attached patch 1234325_1.patch (obsolete) — Splinter Review
Can you review your work for me? :)
Attachment #8700743 - Flags: review?(dylan)
(In reply to Frédéric Buclin from comment #1)
> Cloning bugs really shouldn't copy the CC list, IMO.

Yeah thanks for that. Normally I clear the cc list on cloned bugs and let the defaults get added. Forgot to do that this time.
I also agree that cloning should not automatically copy the full cc list.

dkl
Comment on attachment 8700743 [details] [diff] [review]
1234325_1.patch

Review of attachment 8700743 [details] [diff] [review]:
-----------------------------------------------------------------

missing validation for update_comment_tags
Attachment #8700743 - Flags: review?(dylan) → review-
Attached patch 1234325_2.patch — Splinter Review
Attachment #8700743 - Attachment is obsolete: true
Attachment #8700757 - Flags: review?(dylan)
Comment on attachment 8700757 [details] [diff] [review]
1234325_2.patch

Review of attachment 8700757 [details] [diff] [review]:
-----------------------------------------------------------------

r=dylan
Attachment #8700757 - Flags: review?(dylan) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   4049782..1e7b400  master -> master
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED