Backport upstream bug 1230932 to bmo/4.2 to fix providing a condition as an ID to the webservice results in a taint error

Status: RESOLVED FIXED
Product: bugzilla.mozilla.org
Component: API
Reported 3 years ago, modified 3 years ago
People: Reporter: dkl, Assigned: dkl
Tracking: Production
Attachments: 1 attachment, 1 obsolete attachment

Description (Assignee), 3 years ago
+++ This bug was initially created as a clone of Bug #1230932 +++

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

Hello,

My name is Netanel Rubin, I work as a vulnerability researcher at PerimeterX.

This is a critical vulnerability report for an issue I discovered in the Bugzilla platform. The successful exploitation of the vulnerability allows an attacker to successfully exploit an SQL Injection flaw assuming Taint Mode is disabled at the vulnerable script.

As a PoC, I've tested the vulnerability on your installation. It appears you have disabled Taint on jsonrpc.cgi (and possibly other pages), as the attack succeeded and I've managed to execute any SQL statement I wanted under a SELECT query.

I'm attaching the complete vulnerability report to this bug, as I learned from past experience this is your preferred method of communication.
Please assign a CVE number for this issue. We would also like to coordinate the public disclosure with you.

Best regards,
Netanel.
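The report above describes the bug class only in outline. As an added illustration (a Python re-creation of that class, not Bugzilla's Perl code and not the patch attached to this bug), the first function below interpolates a webservice `ids` parameter into SQL, while the second validates each id as a natural number and binds it with placeholders; the in-memory table, its rows and the `detaint_natural`-style helper name are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for a bugs table (schema and rows made up for this example).
ROWS = [(1, "public bug", 0), (2, "another public bug", 0), (3, "security bug", 1)]

def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, summary TEXT, restricted INTEGER)")
    conn.executemany("INSERT INTO bugs VALUES (?, ?, ?)", ROWS)
    return conn

def get_bugs_unvalidated(ids):
    """Vulnerable pattern: caller-supplied ids go straight into the IN clause,
    so an id that is really a SQL condition changes what the query selects."""
    clause = ", ".join(str(i) for i in ids)
    sql = f"SELECT bug_id FROM bugs WHERE restricted = 0 AND bug_id IN ({clause}) ORDER BY bug_id"
    return [row[0] for row in _connect().execute(sql)]

_NATURAL = re.compile(r"[0-9]+")

def validate_ids(ids):
    """Natural-number check in the spirit of Bugzilla's detaint_natural helper
    (name assumed from the project; details differ): accept only plain non-negative ints."""
    clean = []
    for raw in ids:
        text = str(raw)
        if not _NATURAL.fullmatch(text):
            raise ValueError(f"invalid id: {text!r}")
        clean.append(int(text))
    return clean

def get_bugs_validated(ids):
    """Hardened pattern: validate every id, then bind with placeholders so the
    database sees the ids only as values, never as SQL text."""
    clean = validate_ids(ids)
    placeholders = ", ".join("?" * len(clean))
    sql = f"SELECT bug_id FROM bugs WHERE restricted = 0 AND bug_id IN ({placeholders}) ORDER BY bug_id"
    return [row[0] for row in _connect().execute(sql, clean)]

def rejects(ids):
    """True when validate_ids refuses the input."""
    try:
        validate_ids(ids)
    except ValueError:
        return True
    return False
```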

Updated (Assignee), 3 years ago
No longer blocks: 1232203

Updated (Assignee), 3 years ago
Assignee: nobody → dkl
Summary: Providing a condition as an ID to the webservice results in a taint error → Backport upstream bug 1230932 to bmo/4.2 to fix providing a condition as an ID to the webservice results in a taint error

Comment 1 (Frédéric Buclin), 3 years ago
Cloning bugs really shouldn't copy the CC list, IMO.

Comment 2
(In reply to Frédéric Buclin from comment #1)
> Cloning bugs really shouldn't copy the CC list, IMO.

I do agree.

Comment 3 (Assignee), 3 years ago
Created attachment 8700743 [details] [diff] [review]
1234325_1.patch

Can you review your work for me? :)
Attachment #8700743 - Flags: review?(dylan)

Comment 4 (Assignee), 3 years ago
(In reply to Frédéric Buclin from comment #1)
> Cloning bugs really shouldn't copy the CC list, IMO.

Yeah thanks for that. Normally I clear the cc list on cloned bugs and let the defaults get added. Forgot to do that this time.
I also agree that cloning should not automatically copy the full cc list.

dkl

Comment 5
Comment on attachment 8700743 [details] [diff] [review]
1234325_1.patch

Review of attachment 8700743 [details] [diff] [review]:
-----------------------------------------------------------------

missing validation for update_comment_tags
Attachment #8700743 - Flags: review?(dylan) → review-

Comment 6 (Assignee), 3 years ago
Created attachment 8700757 [details] [diff] [review]
1234325_2.patch
Attachment #8700743 - Attachment is obsolete: true
Attachment #8700757 - Flags: review?(dylan)

Comment 7
Comment on attachment 8700757 [details] [diff] [review]
1234325_2.patch

Review of attachment 8700757 [details] [diff] [review]:
-----------------------------------------------------------------

r=dylan
Attachment #8700757 - Flags: review?(dylan) → review+

Comment 8 (Assignee), 3 years ago
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   4049782..1e7b400  master -> master
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED