Closed
Bug 1268989
Opened 8 years ago
Closed 8 years ago
Inefficient check of "Bugzilla_api_token" might lead to CSRF/data disclosure vulnerability in Bugzilla's REST API
Categories
(Bugzilla :: WebService, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 6.0
People
(Reporter: netfuzzerr, Assigned: dylan)
References
()
Details
(Keywords: regression, sec-high, wsec-disclosure)
Attachments
(2 files)
1.08 KB,
text/html
|
Details | |
1.54 KB,
patch
|
dkl
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.19 Safari/537.36 Steps to reproduce: Hey, Bugzilla doesn't properly check the "Bugzilla_api_token" and as result of that allow attackers to obtain informations about a bug without proper authentification. PoC: https://bugzilla.mozilla.org/rest/bug?&include_fields=id,summary,status&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&email1=netfuzzerr%40gmail.com&emailassigned_to1=1&emailreporter1=1&emailtype1=exact&field0-0-0=bug_status&field0-0-1=reporter&type0-0-0=notequals&type0-0-1=equals&value0-0-0=UNCONFIRMED&value0-0-1=netfuzzerr%40gmail.com if you visit the above URL, you'll only see the public open reports that I have filed, now if you visit: https://bugzilla.mozilla.org/rest/bug?&include_fields=id,summary,status&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&email1=netfuzzerr%40gmail.com&emailassigned_to1=1&emailreporter1=1&emailtype1=exact&field0-0-0=bug_status&field0-0-1=reporter&type0-0-0=notequals&type0-0-1=equals&value0-0-0=UNCONFIRMED&value0-0-1=netfuzzerr%40gmail.com&Bugzilla_api_token In this second URL, you'll get the response including informations about the private bugs as well. This occurs 'cause "Bugzilla_api_token" is present but it is empty Let me know if you dont understand this bug and if it's necessary PoC demonstrating how this could be exploitable.
Reporter | ||
Comment 1•8 years ago
|
||
Keep in mind that I can "hijack" this informations through the "callback" parameter.
Assignee | ||
Comment 2•8 years ago
|
||
When I visit the second link, I get this: { "code" : 307, "documentation" : "http://www.bugzilla.org/docs/tip/en/html/api/", "error" : true, "message" : "The cookies or token provide were not valid or have expired. You may login again to get new cookies or a new token." }
Reporter | ||
Comment 3•8 years ago
|
||
when i visit it i get: { "bugs" : [ { "id" : 758907, "status" : "REOPENED", "summary" : "XSS via URL field when using \"open in new tab\"" }, { "id" : 1120074, "status" : "UNCONFIRMED", "summary" : "Bugzilla doesn't prevent local links to be used to log in" }, { "id" : 1268989, "status" : "UNCONFIRMED", "summary" : "unefficient check of \"Bugzilla_api_token\" might lead to CSRF/data disclosure vulnerability in Bugzilla's REST API" } ] }
Assignee | ||
Comment 4•8 years ago
|
||
If "Require API key authentication for API requests" is off, this can be exploited. The good news is that anyone with 2fa enabled gets "Require API key authentication for API requests" turned on. 1) callback= should be forbidden (it's there because jsonrpc had it, it is not an intentional feature 2) all users should be forced to have "Require API key authentication for API requests" turned on
Assignee | ||
Comment 5•8 years ago
|
||
Using https://bugzilla.mozilla.org/page.cgi?id=group_members.html, all users without Duo or TOTP, or with (Weakened) after the 2nd factor auth are vulnerable to this bug.
Assignee | ||
Comment 6•8 years ago
|
||
the callback= parameter does not show up in the user_request_log, however it does show up in the syslogs. I took a preliminary look and I see a few suspicious entries, but they look like someone playing around with this rather than trying to ex-filtrate information. Do we want to force on "Require API key authentication for API requests" for all users as a precaution?
Flags: needinfo?(mcote)
Flags: needinfo?(dveditz)
Comment 7•8 years ago
|
||
That's probably going to break some apps, but if this is serious I'm okay with that. We wanted to do this at some point anyway; maybe now is the time. There has been plenty of time for people to switch their apps over to using API keys.
Flags: needinfo?(mcote)
Comment 8•8 years ago
|
||
Are you talking about bmo or Bugzilla in general?
Reporter | ||
Comment 9•8 years ago
|
||
I have created a simple PoC that demonstrate this vulnerability.
Reporter | ||
Updated•8 years ago
|
Reporter | ||
Updated•8 years ago
|
Summary: unefficient check of "Bugzilla_api_token" might lead to CSRF/data disclosure vulnerability in Bugzilla's REST API → Inefficient check of "Bugzilla_api_token" might lead to CSRF/data disclosure vulnerability in Bugzilla's REST API
Updated•8 years ago
|
Flags: sec-bounty?
Assignee | ||
Comment 10•8 years ago
|
||
(In reply to Mario Gomes from comment #9) > Created attachment 8747491 [details] > Proof of Concept(Poc) - Works only in Firefox > > I have created a simple PoC that demonstrate this vulnerability. Thanks, but I already confirmed the vulnerability in comment 4.
Assignee | ||
Updated•8 years ago
|
Assignee: general → dylan
Assignee | ||
Comment 11•8 years ago
|
||
Likely impacts both 5.0.x and master. Workarounds: disable api token auth for JSONP?
Version: unspecified → 5.0
Assignee | ||
Comment 12•8 years ago
|
||
Currently suspect this was introduced by bug 1139257
Assignee | ||
Comment 13•8 years ago
|
||
Hmm, nope. I think maybe bug 1192687.
Assignee | ||
Comment 14•8 years ago
|
||
Actually, it was probably bug 1139257. I have a working patch for bmo, working on testing upstream 5.0 now.
Comment 15•8 years ago
|
||
(In reply to Dylan William Hardison [:dylan] from comment #14) > Actually, it was probably bug 1139257. I have a working patch for bmo, > working on testing upstream 5.0 now. If it's 1139257, then 5.0 is not affected. Also, if you can reproduce this bug, then mark the bug as such (either NEW or ASSIGNED).
Assignee | ||
Comment 16•8 years ago
|
||
Yes, it was the patch in bug 1139257. All that is left is to check master.
Version: 5.0 → 5.1
Assignee | ||
Updated•8 years ago
|
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee | ||
Comment 17•8 years ago
|
||
This is also a problem for the master branch. This bug cannot be public yet because it impacts bmo.
Assignee | ||
Comment 18•8 years ago
|
||
This is the same patch as for bmo -- both seem to work.
Attachment #8747569 -
Flags: review?(dkl)
Comment 19•8 years ago
|
||
Comment on attachment 8747569 [details] [diff] [review] 1268989_2.patch Review of attachment 8747569 [details] [diff] [review]: ----------------------------------------------------------------- r=dkl
Attachment #8747569 -
Flags: review?(dkl) → review+
Updated•8 years ago
|
Component: Bugzilla-General → WebService
Target Milestone: --- → Bugzilla 6.0
Reporter | ||
Comment 20•8 years ago
|
||
What would be the appropriate security-rate for this bug?
Comment 21•8 years ago
|
||
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git c3b2af3..64df9b7 master -> master
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•8 years ago
|
Updated•8 years ago
|
Flags: sec-bounty? → sec-bounty+
Keywords: sec-high,
wsec-disclosure
You need to log in
before you can comment on or make changes to this bug.
Description
•