Bug 472362 (Closed)
Opened 16 years ago, closed 15 years ago
[SECURITY] Malicious attachments can change your user settings (user + email prefs, shared searches)
Categories: Bugzilla :: User Accounts, defect
Status: RESOLVED FIXED
Bugzilla 2.22
People: Reporter: LpSolit, Assigned: LpSolit
Keywords: selenium
Attachments (1 file): patch, 1.81 KB, wicked: review+
If an HTML attachment contains an iframe pointing to userprefs.cgi, it can edit all your user + email prefs as well as your shared searches. userprefs.cgi should be protected by session tokens to prevent this kind of attack. Fortunately, these malicious attachments cannot change your password or your email address as your password is required.
Comment 2 • 16 years ago (Assignee)
Not a dupe, no. Bug 26257 is about process_bug.cgi; this one is about userprefs.cgi. And we will probably use session tokens here, which is different from on-the-fly tokens used in bug 26257, so this bug doesn't depend on the other one.
Comment 3 • 16 years ago (Assignee)
Comment 4 • 15 years ago
Comment on attachment 355877, patch, v1

Simple but effective against the few test cases I could think of. I'm sure this gives the same level of protection to userprefs as our other session-token-protected actions already have. The patch also doesn't prevent changing prefs, not even multiple times in a row. Overriding works except for password and email changes, since the old password gets lost. I don't think that matters, since you can always just reload the entry form (and changing email before the token expires isn't allowed either). Since this is the first non-edit*.cgi script that uses check_token_data and the related admin/confirm-action.html.tmpl template, the term "administrative form" in line 32 of that template might not be entirely accurate now. I'm not going to hold review for that, though.
Attachment #355877 - Flags: review?(mkanat) → review+
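As an added example (not Bugzilla's code and not the patch attached to this bug), the following Python models the attack in the description and the check that comment 4 reviews: a prefs handler that trusts the login cookie alone, the auto-submitting form an HTML attachment would carry, and the same handler once each save must present a token bound to the victim's session. The HMAC token construction, the session store, the cookie value and the form field names are assumptions made for the illustration.

```python
# Added example (not Bugzilla's code): a model of the userprefs.cgi CSRF this bug
# describes and of the per-session token check that closes it. The session
# store, cookie value, token construction and form field names are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    prefs: dict = field(default_factory=dict)


# Hypothetical server secret; a real deployment generates it at install time.
SITE_SECRET = secrets.token_bytes(32)


def fresh_sessions() -> dict:
    """Constructed server state: one logged-in victim keyed by their session cookie."""
    return {"sid=abc": User("victim@example.com", {"display_quips": "on"})}


def issue_session_token(cookie: str, event: str) -> str:
    """Token bound to one session and one action. This plays the role of
    Bugzilla's session tokens; the HMAC construction itself is an assumption."""
    msg = f"{cookie}:{event}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def userprefs(sessions: dict, cookie: str, form: dict, *, require_token: bool) -> str:
    """The prefs save handler. With require_token=False it behaves like the
    vulnerable script: any POST carrying the victim's cookie is honoured.
    With require_token=True it saves only if the form carries a valid token."""
    user = sessions.get(cookie)
    if user is None:
        return "error: not logged in"
    if require_token:
        expected = issue_session_token(cookie, "edit_settings")
        # Constant-time compare; a missing or stale token is rejected here,
        # where Bugzilla would show confirm-action.html.tmpl instead of saving.
        if not hmac.compare_digest(form.get("token", ""), expected):
            return "error: token mismatch"
    for name, value in form.items():
        if name != "token":
            user.prefs[name] = value
    return "ok"


# Constructed attachment: an auto-submitting form aimed at a hidden iframe, the
# shape of attack the bug report describes. Field names are illustrative.
MALICIOUS_ATTACHMENT = """
<iframe name="sink" style="display:none"></iframe>
<form id="f" method="post" action="/userprefs.cgi" target="sink">
  <input type="hidden" name="display_quips" value="off">
</form>
<script>document.getElementById("f").submit();</script>
"""


def browser_renders_attachment(sessions: dict, victim_cookie: str, *, require_token: bool) -> tuple:
    """Model of the victim's browser: it attaches the victim's own cookie to the
    iframe's POST, but the attacker's form cannot contain a token it never saw."""
    forged_form = {"display_quips": "off"}  # what the hidden form above posts
    result = userprefs(sessions, victim_cookie, forged_form, require_token=require_token)
    return result, sessions[victim_cookie].prefs["display_quips"]


def victim_saves_own_prefs(sessions: dict, victim_cookie: str) -> tuple:
    """The legitimate path: the prefs page embeds a token minted for this session."""
    form = {"display_quips": "off",
            "token": issue_session_token(victim_cookie, "edit_settings")}
    result = userprefs(sessions, victim_cookie, form, require_token=True)
    return result, sessions[victim_cookie].prefs["display_quips"]


if __name__ == "__main__":
    cookie = "sid=abc"
    print("unpatched:", browser_renders_attachment(fresh_sessions(), cookie, require_token=False))
    print("patched:  ", browser_renders_attachment(fresh_sessions(), cookie, require_token=True))
    print("own save: ", victim_saves_own_prefs(fresh_sessions(), cookie))
```

Two design points carry over to any handler hardened this way: the token must be bound to the session (a token minted for one session must fail for another, which the model enforces by keying the HMAC on the cookie), and a stale or missing token should land on a confirmation page rather than silently save, which is the behaviour comment 4 describes. One caveat the token does not cover on its own: it only helps while attachment content cannot read the prefs page. If HTML attachments are served from the same origin as userprefs.cgi, script in the attachment can fetch the prefs form and lift the token from it, so serving attachments from a separate domain complements this fix rather than being replaced by it.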
Updated • 15 years ago
Flags: approval?
Flags: approval3.2?
Flags: approval3.0?
Flags: approval2.22?
Summary: Malicious attachments can change your user settings (user + email prefs, shared searches) → [SECURITY] Malicious attachments can change your user settings (user + email prefs, shared searches)
Comment 5 • 15 years ago (Assignee)
Let's take it for 3.3.2 & co as it's ready.
Updated • 15 years ago (Assignee)
Flags: approval?
Flags: approval3.2?
Flags: approval3.2+
Flags: approval3.0?
Flags: approval3.0+
Flags: approval2.22?
Flags: approval2.22+
Flags: approval+
Comment 6 • 15 years ago (Assignee)
tip:
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v <-- userprefs.cgi
new revision: 1.126; previous revision: 1.125
done
Checking in template/en/default/account/prefs/prefs.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/prefs.html.tmpl,v <-- prefs.html.tmpl
new revision: 1.31; previous revision: 1.30
done

3.2:
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v <-- userprefs.cgi
new revision: 1.120.2.2; previous revision: 1.120.2.1
done
Checking in template/en/default/account/prefs/prefs.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/prefs.html.tmpl,v <-- prefs.html.tmpl
new revision: 1.30.2.1; previous revision: 1.30
done

3.0.6:
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v <-- userprefs.cgi
new revision: 1.112.2.5; previous revision: 1.112.2.4
done
Checking in template/en/default/account/prefs/prefs.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/prefs.html.tmpl,v <-- prefs.html.tmpl
new revision: 1.27.2.1; previous revision: 1.27
done

2.22.6:
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v <-- userprefs.cgi
new revision: 1.95.2.1; previous revision: 1.95
done
Checking in template/en/default/account/prefs/prefs.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/prefs.html.tmpl,v <-- prefs.html.tmpl
new revision: 1.21.2.2; previous revision: 1.21.2.1
done
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 7 • 15 years ago
Removing this bug from the security group, as the Security Advisory was sent (bug 468249)
Group: bugzilla-security
Updated • 15 years ago (Assignee)
Flags: testcase?
Comment 9 • 13 years ago (Assignee)
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/qa/4.2/
modified t/test_security.t
Committed revision 208.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/qa/4.0/
modified t/test_security.t
Committed revision 197.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/qa/3.6/
modified t/test_security.t
Committed revision 155.
Flags: testcase? → testcase+