Bug 754672 (Closed)
Opened 12 years ago; closed 12 years ago
CSRF vulnerability in buglist.cgi allows possible unauthorized setting of default search options
Categories: Bugzilla :: Query/Bug List, defect
Status: RESOLVED FIXED
Target Milestone: Bugzilla 4.2
People: Reporter: laurens.bal; Assigned: reed
Whiteboard: [infrasec:csrf][ws:low]
Attachments (2 files, 1 obsolete file):
3.68 KB, text/plain
1.98 KB, patch (LpSolit: review+)
Description:
Query.cgi is vulnerable to CSRF. The checkbox "and remember these as my default search options" has no protection against a CSRF attack.

Reporter, updated 12 years ago:
Severity: normal → critical
Assignee, updated 12 years ago:
Assignee: nobody → query-and-buglist
Severity: critical → normal
Status: UNCONFIRMED → NEW
Component: General → Query/Bug List
Ever confirmed: true
OS: Windows 7 → All
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: general → default-qa
Hardware: x86_64 → All
Whiteboard: [infrasec:csrf][ws:low]
Version: Current → 4.0.6
Comment 1 (Assignee, 12 years ago):
I believe this should do it. Since this is just a selection on the search knob, I generate a hash token for the entire knob, but I only check it if remtype == "asdefault". I think that's reasonable enough...
Assignee: query-and-buglist → reed
Status: NEW → ASSIGNED
Attachment #623524 - Flags: review?(LpSolit)
Comment 2 (Reporter, 12 years ago):
Okay, thanks for reviewing the bugs.

Laurens
Updated 12 years ago:
Severity: normal → minor
Comment 3 (12 years ago):
Laurens: thanks for reporting these bugs. Can you tell us how you are finding them? Code inspection? Or do you have a tool of some sort?

Gerv
Comment 4 (Reporter, 12 years ago):
I was manually looking for "OS injection" in the "advanced search" section. But then I found these CSRF vulnerabilities by accident.

Laurens
Comment 6 (12 years ago):
Comment on attachment 623524 (patch - v1):
This looks good, but you should also protect nukedefaultquery in query.cgi. You can reuse the same token.

Attachment #623524 - Flags: review?(LpSolit) → review-
Comment 7 (Assignee, 12 years ago):
(In reply to Frédéric Buclin from comment #6)
> This looks good, but you should also protect nukedefaultquery in query.cgi.
> You can reuse the same token.

That's bug 754673.
Assignee, updated 12 years ago:
Attachment #623524 - Flags: review- → review?(LpSolit)
Comment 8 (12 years ago):
Comment on attachment 623524 (patch - v1):

>=== modified file 'template/en/default/search/knob.html.tmpl'
>+<input type="hidden" name="token" value="[% issue_hash_token(['searchknob']) FILTER html %]">

To decrease the number of calls to issue_hash_token(), only call it if the user is logged in.

Also, note that you will now get an error if you are not yet logged in when the "and remember these as my default search options" checkbox is checked. To mitigate this problem, I suggest that this checkbox is hidden when the user is logged out. This will also remove one checkbox from the already complex search form for logged out users. :)
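Review bot: in the knob.html.tmpl hunk, the hidden `token` input is emitted on every render of the search knob, so issue_hash_token() runs for anonymous visitors too, who have no login to bind the token to and who will then hit a token error if they tick the "remember these as my default search options" box; wrap both the hidden input and that checkbox in `[% IF user.id %]` ... `[% END %]` so the token (and the checkbox) appear only for logged-in users. The `FILTER html` on the value is correct. Note also that the hidden field protects nothing by itself: the matching check against ['searchknob'] has to run on the remtype == "asdefault" branch in buglist.cgi, before the default query is saved, which is what the summary change to buglist.cgi reflects.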
Attachment #623524 - Flags: review?(LpSolit) → review-
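The design agreed in comments 1 and 8, as an added illustration in Python that is not Bugzilla's code: a per-user token bound to the purpose string ['searchknob'] is emitted only when a user is logged in, and the server checks it only on the state-changing branch (remtype == "asdefault", which saves the query as the user's default search), leaving an ordinary search usable without a token or a login. The HMAC construction, the `SITE_SECRET` value, the `render_knob`/`handle_buglist` helpers and the request dicts are constructed for the example; `issue_hash_token`/`check_hash_token` here only model the behaviour the comments describe.

```python
import hashlib
import hmac
from html import escape

# Constructed stand-in for the installation's site-wide secret; a real
# deployment would load this from configuration, never hard-code it.
SITE_SECRET = b"constructed-site-wide-secret-do-not-reuse"


def issue_hash_token(user_id, data, secret=SITE_SECRET):
    """Hypothetical model of issue_hash_token(): HMAC over the acting user's
    id plus the purpose strings in `data`, so a token is bound both to the
    user and to the form it was issued for (here ['searchknob'])."""
    msg = "\0".join([str(user_id), *data]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def check_hash_token(token, user_id, data, secret=SITE_SECRET):
    """Constant-time comparison against a freshly recomputed token."""
    if not token:
        return False
    return hmac.compare_digest(token, issue_hash_token(user_id, data, secret))


def render_knob(user_id):
    """Search-form fragment.  Following comment 8, the hidden token and the
    'remember as default' checkbox are emitted only for logged-in users, so
    issue_hash_token() never runs for anonymous page views and an anonymous
    user cannot submit a form that would trip a token error."""
    if user_id is None:
        return '<input type="submit" value="Search">'
    token = issue_hash_token(user_id, ["searchknob"])
    return (
        f'<input type="hidden" name="token" value="{escape(token)}">\n'
        '<input type="checkbox" name="remtype" value="asdefault"> '
        "and remember these as my default search options\n"
        '<input type="submit" value="Search">'
    )


def handle_buglist(params, user_id, defaults):
    """Request-handler model.  Following comment 1, only the state-changing
    branch (remtype == "asdefault") demands a valid token; an ordinary
    search changes nothing and stays usable without a token or a login."""
    if params.get("remtype") == "asdefault":
        if user_id is None:
            return "error: you must be logged in to save a default search"
        if not check_hash_token(params.get("token"), user_id, ["searchknob"]):
            return "error: missing or invalid token (possible CSRF)"
        defaults[user_id] = params.get("query", "")
        return "default search saved"
    return "search results"


if __name__ == "__main__":
    defaults = {}
    alice = 7
    # A cross-site forged request cannot know alice's token, so it carries none.
    forged = {"remtype": "asdefault", "query": "bug_status=NEW"}
    print(handle_buglist(forged, alice, defaults))
    # A legitimate submission of the rendered form carries the token.
    token = issue_hash_token(alice, ["searchknob"])
    print(handle_buglist({**forged, "token": token}, alice, defaults))
    print(defaults)
```

The token is keyed on the user id, so a token captured from one user's form is useless for another, and `check_hash_token` is only consulted where the request would change stored state; the attacker's forged form, which cannot read the victim's page, simply never carries a valid value.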
Comment 9 (Assignee, 12 years ago):
Attachment #623524 - Attachment is obsolete: true
Attachment #627964 - Flags: review?(LpSolit)
Comment 10 (12 years ago):
Comment on attachment 627964 (patch - v2):
r=LpSolit

Attachment #627964 - Flags: review?(LpSolit) → review+
Comment 11 (12 years ago):
You can remove the sec flag once it's checked in.
Flags: approval4.2+
Flags: approval+
Target Milestone: --- → Bugzilla 4.2
Comment 12 (Assignee, 12 years ago):
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified buglist.cgi
modified template/en/default/search/knob.html.tmpl
Committed revision 8250.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified buglist.cgi
modified template/en/default/search/knob.html.tmpl
Committed revision 8093.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Summary: CSRF: query.cgi - default search options → CSRF vulnerability in buglist.cgi allows possible unauthorized setting of default search options