Bug 108822 (Closed) - [security] Any user can change their groupset!
Opened 22 years ago; closed 22 years ago
Status: RESOLVED FIXED
Product/Component: Bugzilla :: User Accounts (defect, P1)
Target Milestone: Bugzilla 2.16
Reporter: bbaetz; Assignee: jacob
Whiteboard: applied to 2.14.1
Attachments (1 file): patch, 647 bytes; flags: bbaetz: review+, myk: review+

Description
userprefs.cgi has:

    SendSQL("UPDATE profiles SET mybugslink = '" . $::FORM{'mybugslink'} . "' WHERE userid = $userid");

Playing with the mybugslink value on the form lets you do:

    value="1', groupset='9223372036854775807"

It needs to be SQL-escaped.
Updated • 22 years ago
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16

Comment 1 • 22 years ago (Assignee)
Comment 2 • 22 years ago (Assignee)
Yuck, that's nasty. Once we get everything running in taint mode, that'll be a lot harder to do (because we'd have to validate it before we could pass it off to the SQL server [running it through SqlQuote counts as validation]).
Assignee: myk → jake
Updated • 22 years ago (Assignee)

Comment 3 • 22 years ago (Reporter)
Comment on attachment 56879 (patch): r=bbaetz. My exploit no longer works. Should we validate that it's 0 or 1? The code only cares about 0 or !0.
Attachment #56879 - Flags: review+
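The unescaped concatenation from the bug description and the 0/1 validation suggested in comment 3, as an added Perl example; this is not code from Bugzilla's userprefs.cgi or from the attached patch. The sql_quote routine is a simplified stand-in (an assumption) for Bugzilla's SqlQuote, and the form hash, the user id and the set_assignments check are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not code from Bugzilla's userprefs.cgi. It rebuilds the
# UPDATE from the bug description three ways and counts how many columns
# each resulting SET clause would assign.
use strict;
use warnings;

# Constructed input: a form value shaped like the payload quoted in the bug
# report, and an arbitrary user id.
my %FORM   = ( mybugslink => "1', groupset='9223372036854775807" );
my $userid = 42;

# The vulnerable pattern: the raw form value is concatenated into the SQL.
sub build_unsafe {
    my ($value, $uid) = @_;
    return "UPDATE profiles SET mybugslink = '$value' WHERE userid = $uid";
}

# Simplified stand-in for Bugzilla's SqlQuote (assumption; the real function
# is not reproduced here): backslash-escape the characters MySQL treats
# specially inside a single-quoted string, then wrap the result in quotes.
sub sql_quote {
    my ($str) = @_;
    $str =~ s/([\\'])/\\$1/g;   # backslash and single quote
    $str =~ s/\0/\\0/g;         # NUL byte
    return "'$str'";
}

sub build_escaped {
    my ($value, $uid) = @_;
    return "UPDATE profiles SET mybugslink = " . sql_quote($value)
         . " WHERE userid = $uid";
}

# Stricter alternative from comment 3: mybugslink is a flag, so accept only
# the literal strings "0" and "1" and never quote at all.
sub build_validated {
    my ($value, $uid) = @_;
    die "mybugslink must be 0 or 1\n" unless $value =~ /^[01]$/;
    return "UPDATE profiles SET mybugslink = $value WHERE userid = $uid";
}

# Constructed check: count top-level comma-separated assignments in the SET
# clause, ignoring commas inside quoted strings (honouring backslash escapes).
# A correct single-column update must yield 1.
sub set_assignments {
    my ($sql) = @_;
    my ($set) = $sql =~ /\bSET\b(.*)\bWHERE\b/s or return 0;
    my @chars = split //, $set;
    my ($count, $in_quote) = (1, 0);
    for (my $i = 0; $i < @chars; $i++) {
        my $c = $chars[$i];
        if ($in_quote) {
            if    ($c eq '\\') { $i++ }          # skip the escaped character
            elsif ($c eq "'")  { $in_quote = 0 }
        }
        else {
            if    ($c eq "'") { $in_quote = 1 }
            elsif ($c eq ',') { $count++ }
        }
    }
    return $count;
}

for my $builder (\&build_unsafe, \&build_escaped, \&build_validated) {
    my $sql = eval { $builder->($FORM{mybugslink}, $userid) };
    if (!defined $sql) { print "rejected: $@"; next; }
    printf "%d column(s) assigned: %s\n", set_assignments($sql), $sql;
}
```

Run as a plain script: the unescaped version reports two assigned columns (mybugslink and groupset), the escaped version reports one because the injected text stays inside the quoted string, and the validating version rejects the payload before any SQL is built.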
Comment 4 • 22 years ago
Comment on attachment 56879 (patch): works. r=myk
Attachment #56879 - Flags: review+
Comment 5 • 22 years ago
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.24; previous revision: 1.23
done
Comment 6 • 22 years ago
The patch has been checked in, so resolving fixed.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 7 • 22 years ago (Reporter)
test mail after bz update.
Comment 8 • 22 years ago
This patch applied to the 2.14.1 branch with no changes.
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.20.2.1; previous revision: 1.20
Whiteboard: applied to 2.14.1
Comment 9 • 22 years ago
Hmm, it seems the bulk change thinks I'm not changing anything if all I do is add names to the CC list, so I guess I have to make a comment. Anyhow, adding the representatives from the organizations we know of that support Bugzilla distributions so they're aware of our upcoming security release
Opening security bugs for which fixes have appeared in an official Bugzilla release. As per justdave and his posse.
Group: security?
Updated • 11 years ago
QA Contact: matty_is_a_geek → default-qa