Bug 108385 - [security] Possible to add comments to a bug as someone else
applied to 2.14.1
Product: Bugzilla
Classification: Server Software
Component: Creating/Changing Bugs
Version: 2.15
Platform: All All
Importance: P1 blocker
Target Milestone: Bugzilla 2.16
Assigned To: Dave Miller [:justdave]
QA Contact: default-qa
Reported: 2001-11-03 21:01 PST by Bradley Baetz (:bbaetz)
Modified: 2012-12-18 20:46 PST

Patch v1 - replace all $::FORM{'who'} with $::COOKIE{'Bugzilla_login'} (2.93 KB, patch)
2001-11-05 06:52 PST, Dave Miller [:justdave]
jake: review+

Description Bradley Baetz (:bbaetz) 2001-11-03 21:01:30 PST
[filed in security group, if you're not there, you won't get mail until bmo is
upgraded, and I hope that this is fixed by then, anyway. myk, if you disagree,
then open it up]

So, there's this form element, $::FORM{'who'}. And it's used as the "comment added
by" user. Problem is, the only check done is that the user exists in the db (by
quietly_check_login). There's no check that I am that actual user.

Why is this there? Obsolete, or does it have some purpose? I couldn't see where
we ever add an input element with a name of 'who'. If the form element isn't
there, we use the logged in user's id to grab the name.

It's easy to check that the username matches the logged in user, but I wonder if
it may be better to get rid of this stuff entirely. I need to find out why it's
there first, though...

A user can manually edit the bugs page to spoof the comment - I'll comment as in a sec.

The only other thing which can be done by exploiting this is to change who
processmail thinks did the change, so if excludeSelf is set in the mail prefs,
you can make someone not get mail on a change you make. That one's minor, though.

Comment 1 Nobody; OK to take it and work on it 2001-11-03 21:07:53 PST
Hi, I'm nobody.

Comment 2 Jacob Steenhagen 2001-11-04 11:49:36 PST
My biggest question with this would be, is there any reason to ever need to call
AppendComment() to add a comment as a user other than the currently logged in
user?  If not, I think we need to just use $::userid from within the
AppendComment() routine rather than allow $who to be passed in.

We also need to get rid of the $::FORM{'who'} getting passed on the command line
of processmail.

Comment 3 Dave Miller [:justdave] 2001-11-05 06:27:20 PST
And note that since b.m.o hasn't picked up the email/buglist for CC's on
confidential bugs stuff yet, most of the people on the CC list here have never
seen an email about this bug (myself included).  I only found it because it got
mentioned on the b.m.o upgrade bug.

Comment 4 Dave Miller [:justdave] 2001-11-05 06:52:07 PST
Created attachment 56552
Patch v1 - replace all $::FORM{'who'} with $::COOKIE{'Bugzilla_login'}

Comment 5 Jacob Steenhagen 2001-11-05 07:19:30 PST
Comment on attachment 56552
Patch v1 - replace all $::FORM{'who'} with $::COOKIE{'Bugzilla_login'}

It's identical to the patch I was about to attach after it was decided that we did
need the ability to add a comment as a user that isn't logged in (for bug moving
among other things).
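
The flaw from the description and the fix named in the patch title, side by side, as an added example that is not Bugzilla's own code. The subroutine names, the `%known_user` table and the sample requests are hypothetical, and `$session_login` stands in for the already-authenticated login that the patch takes from `$::COOKIE{'Bugzilla_login'}`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: accounts known to the tracker (stand-in for the users table).
my %known_user = map { $_ => 1 } qw(alice@example.com victim@example.com);

# Before the fix: a client-supplied 'who' is accepted if the account merely exists.
sub author_before_fix {
    my ($form, $session_login) = @_;
    my $who = $form->{who};
    return $who if defined $who && $known_user{$who};   # existence check only
    return $session_login;                              # fallback when 'who' is absent
}

# After the fix: authorship comes only from the authenticated session.
# A 'who' field that disagrees with it is ignored and flagged so it can be logged.
sub author_after_fix {
    my ($form, $session_login) = @_;
    my $who = $form->{who};
    my $mismatch = (defined $who && $who ne $session_login) ? 1 : 0;
    return ($session_login, $mismatch);
}

# Constructed requests: alice is logged in for both; the second carries an edited-in 'who'.
my @requests = (
    { comment => 'Looks good to me.' },
    { comment => 'Hi, I am the victim.', who => 'victim@example.com' },
);

for my $form (@requests) {
    my $login  = 'alice@example.com';
    my $before = author_before_fix($form, $login);
    my ($after, $mismatch) = author_after_fix($form, $login);
    printf "before=%s after=%s%s\n", $before, $after,
        $mismatch ? " (ignored who=$form->{who})" : '';
}
```

Code paths that legitimately need to record a comment under another account, such as the bug moving mentioned in the comment above, would pass that identity from server-side code rather than from a request field.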

Comment 6 Jacob Steenhagen 2001-11-05 08:54:12 PST
-> Patch author

Comment 7 Dave Miller [:justdave] 2001-11-05 12:51:49 PST
/cvsroot/mozilla/webtools/bugzilla/process_bug.cgi,v  <--  process_bug.cgi
new revision: 1.104; previous revision: 1.103

Comment 8 Dave Miller [:justdave] 2001-11-17 00:00:35 PST
This applied to the 2.14.1 branch with no changes.

/cvsroot/mozilla/webtools/bugzilla/process_bug.cgi,v  <--  process_bug.cgi
new revision:; previous revision: 1.96

Comment 9 Zach Lipton [:zach] 2001-11-17 09:20:33 PST
Shouldn't this bug be closed out now?

Comment 10 Dave Miller [:justdave] 2001-11-17 09:30:03 PST
Read the status.  It IS resolved.  I didn't reopen it, I just commented that the
patches had been checked into the 2.14.1 branch.

Comment 11 Dave Miller [:justdave] 2001-11-22 11:06:19 PST
Testing, ignore this.

Comment 12 Dave Miller [:justdave] 2001-12-10 17:27:06 PST
Hmm, it seems the bulk change thinks I'm not changing anything if all I do is
add names to the CC list, so I guess I have to make a comment.  Anyhow, adding
the representatives from the organizations we know of that support Bugzilla
distributions so they're aware of our upcoming security release.

Comment 13 Mike Shaver (:shaver -- probably not reading bugmail closely) 2002-01-05 16:02:12 PST
Opening security bugs for which fixes have appeared in official bugzilla
release.  As per justdave and his posse.
