Bug 108822: [security] Any user can change their groupset!
Status: Closed (opened 23 years ago, closed 23 years ago)
Categories: Bugzilla :: User Accounts, defect, P1
Resolution: RESOLVED FIXED
Target Milestone: Bugzilla 2.16
People: Reporter: bbaetz, Assigned: jacob
Whiteboard: applied to 2.14.1
Attachments (1 file): patch, 647 bytes; reviews: bbaetz review+, myk review+
userprefs.cgi has:
SendSQL("UPDATE profiles SET mybugslink = '" . $::FORM{'mybugslink'} .
"' WHERE userid = $userid");
playing with the mybugslink value on the form lets you do:
value="1', groupset='9223372036854775807"
It needs to be sqlescaped.
Updated • 23 years ago
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16
Comment 1 (Assignee) • 23 years ago
Comment 2 (Assignee) • 23 years ago
Yuck, that's nasty. Once we get everything running in taint mode, that'll be
a lot harder to do (because we'd have to validate it before we could pass it off
to the SQL server [running it through SqlQuote counts as validation]).
Assignee: myk → jake
Updated (Assignee) • 23 years ago
Comment 3 (Reporter) • 23 years ago
Comment on attachment 56879: patch
r=bbaetz. My exploit no longer works.
Should we validate that it's 0 or 1? The code only cares about 0 or !0.
Attachment #56879 - Flags: review+
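The injection the report describes and the two-layer fix discussed in comment 3 (validate the field down to the 0/1 the code actually uses, then keep it out of the SQL text), as an added example that is not Bugzilla's code: a Python/sqlite3 reconstruction against a constructed, hypothetical `profiles` table. `update_vulnerable` mirrors the concatenated statement quoted from userprefs.cgi; `update_fixed` validates the value and binds it as a query parameter, which plays the role SqlQuote plays in the actual patch. The user id, column set and payload constant are assumptions made for this example.

```python
import sqlite3

# Constructed stand-in for Bugzilla's `profiles` table; the column set and
# the user id are assumptions for this example, not Bugzilla's real schema.
USERID = 42
ALL_GROUPS = 9223372036854775807  # the groupset value used in the report's payload


def make_db():
    """Create an in-memory database holding one unprivileged user (groupset = 0)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE profiles ("
        " userid INTEGER PRIMARY KEY, mybugslink INTEGER, groupset INTEGER)"
    )
    db.execute("INSERT INTO profiles VALUES (?, 1, 0)", (USERID,))
    return db


def row(db, userid=USERID):
    """Return (mybugslink, groupset) for the given user."""
    return db.execute(
        "SELECT mybugslink, groupset FROM profiles WHERE userid = ?", (userid,)
    ).fetchone()


def update_vulnerable(db, userid, form_value):
    # Same shape as the userprefs.cgi statement in the report: the form field
    # is spliced into the SQL text without escaping, so a quote in the value
    # ends the string literal and the rest becomes part of the statement.
    sql = ("UPDATE profiles SET mybugslink = '" + form_value
           + "' WHERE userid = " + str(userid))
    db.execute(sql)


def update_fixed(db, userid, form_value):
    # Layer 1: the code only cares about 0 vs. not-0 (comment 3), so accept
    # nothing else. Layer 2: bind the value as a parameter so the database
    # driver treats it strictly as data; this is the analogue of SqlQuote.
    if form_value not in ("0", "1"):
        raise ValueError("mybugslink must be 0 or 1")
    db.execute(
        "UPDATE profiles SET mybugslink = ? WHERE userid = ?",
        (int(form_value), userid),
    )


# The form value from the report: closes the string and appends a second
# column assignment to the same UPDATE.
PAYLOAD = "1', groupset='" + str(ALL_GROUPS)


def demo():
    """Run both code paths against the payload and report what each leaves behind."""
    vuln = make_db()
    update_vulnerable(vuln, USERID, PAYLOAD)

    fixed = make_db()
    try:
        update_fixed(fixed, USERID, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "vulnerable_groupset": row(vuln)[1],   # escalated to ALL_GROUPS
        "fixed_rejected": rejected,            # payload never reaches SQL
        "fixed_groupset": row(fixed)[1],       # still 0
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows the concatenated statement granting the user every group bit, while the validated, parameterised path rejects the same input and leaves `groupset` untouched. Quoting alone (the SqlQuote fix that was checked in) already stops the injection; the 0/1 check on top of it is the extra validation comment 3 asks about.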
Comment 4 • 23 years ago
Comment on attachment 56879: patch
works. r=myk
Attachment #56879 - Flags: review+
Comment 5 • 23 years ago
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v <-- userprefs.cgi
new revision: 1.24; previous revision: 1.23
done
Comment 6 • 23 years ago
The patch has been checked in, so resolving fixed.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 7 (Reporter) • 23 years ago
test mail after bz update.
Comment 8 • 23 years ago
This patch applied to the 2.14.1 branch with no changes.
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v <-- userprefs.cgi
new revision: 1.20.2.1; previous revision: 1.20
Whiteboard: applied to 2.14.1
Comment 9 • 23 years ago
Hmm, it seems the bulk change thinks I'm not changing anything if all I do is
add names to the CC list, so I guess I have to make a comment. Anyhow, adding
the representatives from the organizations we know of that support Bugzilla
distributions so they're aware of our upcoming security release.
Comment 10 • 23 years ago
Opening security bugs for which fixes have appeared in official bugzilla
release. As per justdave and his posse.
Group: security?
Updated • 12 years ago
QA Contact: matty_is_a_geek → default-qa