Closed Bug 354274 Opened 18 years ago Closed 18 years ago

Bugzilla vulnerable to multiple XSRF

Categories

(Bugzilla :: Bugzilla-General, defect)

2.22
x86
OpenBSD
defect
Not set
critical

Tracking

()

VERIFIED DUPLICATE of bug 281181

People

(Reporter: djm, Unassigned)

Details

Bugzilla is susceptible to multiple cross-site request forgery vulnerabilities as described at http://en.wikipedia.org/wiki/XSRF

It is possible for an attacker to create hostile pages that embed (via hidden iframes or images) requests to administrative bugzilla pages that will be silently executed with the credentials of any bugzilla user or administrator who visits them. 

A simple example that raises the privilege of a user on a bugzilla installation:

<iframe style="display:none;" src="http://bugzilla.example.org/editusers.cgi?group_9=1&userid=5&action=update"></iframe>

other attacks that exploit this vulnerability could be changing webdotbase via editprefs.cgi to effect a limited remote command execution on the bugzilla host, or adjusting the LDAP parameters to point to a hostile LDAP server that logs passwords of users who try to log in. 

This attacks works against (at least) editusers.cgi and editparams.cgi.

The best solution for these vulnerabilities is to include a challenge key in each form that is generated from some private information and then validate it when the form is submitted back to the server. In bugzilla's case, a good challenge key could be based on the session ID, a per-user secret and a nonce as:

challenge = (nonce, H(session_id, secret, nonce))

where H is some hash function like SHA1. Both the nonce and the secret should be be reasonably long (16-32 chars) and generated using a crypto-quality RNG like Crypt::Random. The nonce would need to be generated each time a form is displayed, but the per-user secret could be generated once when the user signs up.

When a form is posted back to a bugzilla component, it can extract the nonce from the challenge, calculate H(session_id, secret, nonce) and verify that it matches what was posted. An attacker would not have access to the per-user secret and would therefore not be able to forge a response. They couldn't replay them either, because the challenges would be bound to the session.

Note that converting the forms to use POST is not a solution, as this can be circumvented using javascript. Also, checking the HTTP Referrer header is not an adequate solution as this can be forged using flash (as described at http://ha.ckers.org/blog/20060725/forging-http-request-headers-with-flash/)
Ah, cross-site request forgery. I was wondering what people called it.

*** This bug has been marked as a duplicate of 281181 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
bug 281181 has been fixed.
Group: webtools-security
You need to log in before you can comment on or make changes to this bug.