Bug 108822 - [security] Any user can change their groupset!
Status: RESOLVED FIXED
Whiteboard: applied to 2.14.1
Keywords:
Product: Bugzilla
Classification: Server Software
Component: User Accounts
Version: 2.15
Hardware: x86 Linux
Importance: P1 blocker
Target Milestone: Bugzilla 2.16
Assigned To: Jacob Steenhagen
QA Contact: default-qa
Mentors:
Depends on:
Blocks: 103885
Reported: 2001-11-07 00:02 PST by Bradley Baetz (:bbaetz)
Modified: 2012-12-18 20:46 PST
CC: 6 users
See Also:
QA Whiteboard:
Iteration: ---
Points: ---

Attachments
patch (647 bytes, patch)
2001-11-07 06:54 PST, Jacob Steenhagen
bbaetz: review+
myk: review+

Description Bradley Baetz (:bbaetz) 2001-11-07 00:02:30 PST
userprefs.cgi has:

    SendSQL("UPDATE profiles SET mybugslink = '" . $::FORM{'mybugslink'} .
            "' WHERE userid = $userid");

Playing with the mybugslink value on the form lets you do:

value="1', groupset='9223372036854775807"

It needs to be sqlescaped.
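The injection described above, reproduced against a constructed stand-in for Bugzilla's profiles table as an added example (not code from Bugzilla or from this bug): the concatenated query lets the form value alter groupset, while the fixed version binds the value as a query parameter (the equivalent here of the SqlQuote escaping in the patch) and, as comment 3 suggests, accepts only 0 or 1. The schema, userid 1 and the GROUPSET_ALL constant are assumptions for the demo.

```python
import sqlite3

# Assumed: all 63 group bits set, the value used in the report above.
GROUPSET_ALL = 9223372036854775807
# The crafted form value from the report.
PAYLOAD = "1', groupset='9223372036854775807"


def make_db():
    """Constructed stand-in for the profiles table; only the relevant columns."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (userid INTEGER PRIMARY KEY, "
               "mybugslink TEXT, groupset INTEGER)")
    db.execute("INSERT INTO profiles VALUES (1, '0', 0)")  # ordinary user, no groups
    return db


def fetch(db, userid):
    """Return (mybugslink, groupset) for the user so each update can be checked."""
    return db.execute("SELECT mybugslink, groupset FROM profiles WHERE userid = ?",
                      (userid,)).fetchone()


def update_vulnerable(db, userid, mybugslink):
    """Mirrors the original userprefs.cgi: the form value is spliced into the SQL text."""
    db.execute("UPDATE profiles SET mybugslink = '" + mybugslink +
               "' WHERE userid = " + str(userid))
    return fetch(db, userid)


def update_bound(db, userid, mybugslink):
    """Value passed as a bound parameter: whatever it contains, it is stored as data."""
    db.execute("UPDATE profiles SET mybugslink = ? WHERE userid = ?",
               (mybugslink, userid))
    return fetch(db, userid)


def update_fixed(db, userid, mybugslink):
    """Bound parameter plus the 0/1 check from comment 3 (the code only cares about 0 or !0)."""
    if mybugslink not in ("0", "1"):
        raise ValueError("mybugslink must be 0 or 1, got %r" % (mybugslink,))
    return update_bound(db, userid, mybugslink)
```

Running update_vulnerable with PAYLOAD yields groupset 9223372036854775807; update_bound leaves it at 0 and stores the payload as a literal string, and update_fixed rejects it outright.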
Comment 1 Jacob Steenhagen 2001-11-07 06:54:54 PST
Created attachment 56879 [details] [diff] [review]
patch
Comment 2 Jacob Steenhagen 2001-11-07 06:57:06 PST
Yuck, that's nasty.  Once we get everything running in taint mode, that'll be
a lot harder to do (because we'd have to validate it before we could pass it off
to the SQL server [running it through SqlQuote counts as validation]).
Comment 3 Bradley Baetz (:bbaetz) 2001-11-07 08:19:04 PST
Comment on attachment 56879 [details] [diff] [review]
patch

r=bbaetz. My exploit no longer works

Should we validate that it's 0 or 1? The code only cares about 0 or !0.
Comment 4 Myk Melez [:myk] [@mykmelez] 2001-11-07 15:27:14 PST
Comment on attachment 56879 [details] [diff] [review]
patch

works.  r=myk
Comment 5 Myk Melez [:myk] [@mykmelez] 2001-11-07 16:58:59 PST
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.24; previous revision: 1.23
done
Comment 6 Myk Melez [:myk] [@mykmelez] 2001-11-07 18:09:57 PST
The patch has been checked in, so resolving fixed.
Comment 7 Bradley Baetz (:bbaetz) 2001-11-08 00:50:35 PST
test mail after bz update.
Comment 8 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-11-17 00:29:01 PST
This patch applied to the 2.14.1 branch with no changes.

/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.20.2.1; previous revision: 1.20
Comment 9 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-12-10 17:27:02 PST
Hmm, it seems the bulk change thinks I'm not changing anything if all I do is
add names to the CC list, so I guess I have to make a comment.  Anyhow, adding
the representatives from the organizations we know of that support Bugzilla
distributions so they're aware of our upcoming security release.
Comment 10 Mike Shaver (:shaver -- probably not reading bugmail closely) 2002-01-05 16:02:17 PST
Opening security bugs for which fixes have appeared in an official Bugzilla
release.  As per justdave and his posse.
