Closed
Bug 1234325
Opened 8 years ago
Closed 8 years ago
Backport upstream bug 1230932 to bmo/4.2 to fix providing a condition as an ID to the webservice results in a taint error
Categories: bugzilla.mozilla.org :: API, defect
Status: RESOLVED FIXED
People: Reporter: dkl, Assigned: dkl
Attachments (1 file, 1 obsolete file): 3.46 KB patch, dylan: review+
+++ This bug was initially created as a clone of Bug #1230932 +++

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

Hello,

My name is Netanel Rubin, I work as a vulnerability researcher at PerimeterX. This is a critical vulnerability report for an issue I discovered in the Bugzilla platform. The successful exploitation of the vulnerability allows an attacker to successfully exploit an SQL Injection flaw assuming Taint Mode is disabled at the vulnerable script.

As a PoC, I've tested the vulnerability on your installation. It appears you have disabled Taint on jsonrpc.cgi (and possibly other pages), as the attack succeeded and I've managed to execute any SQL statement I wanted under a SELECT query.

I'm attaching the complete vulnerability report to this bug, as I learned from past experience this is your preferred method of communication. Please assign a CVE number for this issue. We would also like to coordinate the public disclosure with you.

Best regards,
Netanel.
Updated • 8 years ago (Assignee)
Assignee: nobody → dkl
Summary: Providing a condition as an ID to the webservice results in a taint error → Backport upstream bug 1230932 to bmo/4.2 to fix providing a condition as an ID to the webservice results in a taint error
Comment 1 • 8 years ago
Cloning bugs really shouldn't copy the CC list, IMO.
Comment 2 • 8 years ago

(In reply to Frédéric Buclin from comment #1)
> Cloning bugs really shouldn't copy the CC list, IMO.

I do agree.
Comment 3 • 8 years ago (Assignee)
Can you review your work for me? :)
Attachment #8700743 - Flags: review?(dylan)
Comment 4 • 8 years ago (Assignee)
(In reply to Frédéric Buclin from comment #1)
> Cloning bugs really shouldn't copy the CC list, IMO.

Yeah, thanks for that. Normally I clear the CC list on cloned bugs and let the defaults get added. Forgot to do that this time. I also agree that cloning should not automatically copy the full CC list.

dkl
Comment 5 • 8 years ago
Comment on attachment 8700743 [details] [diff] [review]
1234325_1.patch

Review of attachment 8700743 [details] [diff] [review]:
-----------------------------------------------------------------

missing validation for update_comment_tags
Attachment #8700743 - Flags: review?(dylan) → review-
Comment 6 • 8 years ago (Assignee)
Attachment #8700743 - Attachment is obsolete: true
Attachment #8700757 - Flags: review?(dylan)
Comment 7 • 8 years ago
Comment on attachment 8700757 [details] [diff] [review]
1234325_2.patch

Review of attachment 8700757 [details] [diff] [review]:
-----------------------------------------------------------------

r=dylan
Attachment #8700757 - Flags: review?(dylan) → review+
Comment 8 • 8 years ago (Assignee)
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git 4049782..1e7b400 master -> master
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED