Closed Bug 472362 Opened 16 years ago Closed 15 years ago

[SECURITY] Malicious attachments can change your user settings (user + email prefs, shared searches)

Categories

(Bugzilla :: User Accounts, defect)

Product:
Bugzilla
Component:
User Accounts
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.22

People

(Reporter: LpSolit, Assigned: LpSolit)

References

Details

(Keywords: selenium)

Attachments

(1 file)

patch, v1
1.81 KB, patch
wicked
: review+
Details | Diff | Splinter Review 
If an HTML attachment contains an iframe pointing to userprefs.cgi, it can edit all your user + email prefs as well as your shared searches. userprefs.cgi should be protected by session tokens to prevent this kind of attack. Fortunately, these malicious attachments cannot change your password or your email address as your password is required.
Isn't this a duplicate or dependency of bug 26257?
Not a dupe, no. Bug 26257 is about process_bug.cgi; this one is about userprefs.cgi. And we will probably use session tokens here, which is different from on-the-fly tokens used in bug 26257, so this bug doesn't depend on the other one.
Attached patch patch, v1Splinter Review 
Assignee: user-accounts → LpSolit
Status: NEW → ASSIGNED

        Attachment #355877 -
        Flags: review?(mkanat)

    
    

    
  
Comment on attachment 355877 [details] [diff] [review]
patch, v1

Simple but effective against few test cases I could think of. I'm sure this gives same level of protection to userprefs as our other session token protected actions already have.

Patch also doesn't prevent changing prefs, not even multiple times in a row. Overriding works except for password and email changes since old password gets lost. I don't think that matters since you can always just reload the enter form (and changing email before token expires isn't allowed either).

Since this is first non-edit*.cgi script that uses check_token_data and related admin/confirm-action.html.tmpl template the term "administrative form" in line 32 of that template might not be entirely accurate now. I'm not going to hold review for that, though.

        Attachment #355877 -
        Flags: review?(mkanat) → review+
Flags: approval?
Flags: approval3.2?
Flags: approval3.0?
Flags: approval2.22?
Summary: Malicious attachments can change your user settings (user + email prefs, shared searches) → [SECURITY] Malicious attachments can change your user settings (user + email prefs, shared searches)

    
    

    
  
Let's take it for 3.3.2 & co as it's ready.
Blocks: 468249
Flags: blocking3.2.1+
Flags: blocking3.0.7+
Flags: blocking2.22.7+

    
  
Flags: approval?
Flags: approval3.2?
Flags: approval3.2+
Flags: approval3.0?
Flags: approval3.0+
Flags: approval2.22?
Flags: approval2.22+
Flags: approval+

    
    

    
  
tip:

Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.126; previous revision: 1.125
done
Checking in template/en/default/account/prefs/prefs.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/prefs.html.tmpl,v  <--  prefs.html.tmpl
new revision: 1.31; previous revision: 1.30
done


3.2:

Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.120.2.2; previous revision: 1.120.2.1
done
Checking in template/en/default/account/prefs/prefs.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/prefs.html.tmpl,v  <--  prefs.html.tmpl
new revision: 1.30.2.1; previous revision: 1.30
done


3.0.6:

Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.112.2.5; previous revision: 1.112.2.4
done
Checking in template/en/default/account/prefs/prefs.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/prefs.html.tmpl,v  <--  prefs.html.tmpl
new revision: 1.27.2.1; previous revision: 1.27
done


2.22.6:

Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.95.2.1; previous revision: 1.95
done
Checking in template/en/default/account/prefs/prefs.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/prefs.html.tmpl,v  <--  prefs.html.tmpl
new revision: 1.21.2.2; previous revision: 1.21.2.1
done
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

    
    

    
  
Removing this bug from the security group, as the Security Advisory was sent (bug 468249)
Group: bugzilla-security

    
  
Flags: testcase?

    
    

    
  
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/qa/4.2/
modified t/test_security.t
Committed revision 208.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/qa/4.0/
modified t/test_security.t
Committed revision 197.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/qa/3.6/
modified t/test_security.t
Committed revision 155.
Flags: testcase? → testcase+

    
  
Keywords: selenium

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: