Closed Bug 1306589 Opened 9 years ago Closed 9 years ago

BMO: CSRF vulnerability allows deleting admin queue entries

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: jwkbugzilla, Assigned: dkl)

Details

(Keywords: reporter-external, sec-low, wsec-csrf, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(1 file)

BMO has a Push extension providing some admin queues, e.g. the "Pending Queue" displays all objects created. If I were to attack Bugzilla, I would have some interest in clearing out these queues - and a CSRF vulnerability actually makes this possible.

E.g. if you want to delete a message with ID 1 from the Pending Queue and you get a Bugzilla admin to visit your website, you can add the following code to the page:

<img src="https://buzilla.mozilla.org/page.cgi?id=push_queues_view.html&message=1&delete=1">

When a Bugzilla admin opens that page their browser will make a request to https://buzilla.mozilla.org/page.cgi?id=push_queues_view.html&message=1&delete=1 and cause the message to be deleted - there is no CSRF token, and this doesn't even need to be a POST request.

There is a complication here of course: one needs to know the message ID. As the IDs are sequential, this is solvable however. A script on the page could just keep incrementing the ID, and it might be able to speed up the process via timing attacks - time to response should be different for valid and invalid IDs, which would allow finding the range with valid IDs relatively quickly.
Flags: sec-bounty?
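The defect described in comment 0 and the shape of the fix reviewed below (state change only on POST, with a token the cross-site page cannot know), as an added illustration that is not BMO's own code: a minimal delete handler in its reported form beside a hardened form. `Request`, `issue_token`, the queue dict and the status codes are constructed for this example; Bugzilla's real token helpers are not reproduced here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Per-deployment secret; generated here only so the example runs stand-alone.
SECRET = secrets.token_bytes(32)
ACTION = "push_queue_delete"


@dataclass
class Request:
    method: str
    params: dict
    session_id: str  # the admin's logged-in session, as carried by the browser cookie


def issue_token(session_id: str, action: str = ACTION) -> str:
    """Token bound to both the session and the action it authorises."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def delete_message_vulnerable(req: Request, queue: dict) -> int:
    """Behaviour from comment 0: a plain GET with delete=1 is honoured, no token
    is checked, and a missing ID answers differently from a present one."""
    if req.params.get("delete") == "1":
        msg_id = int(req.params.get("message", 0))
        if msg_id not in queue:
            return 404  # the valid-vs-invalid oracle the reporter points out
        del queue[msg_id]
    return 200


def delete_message_hardened(req: Request, queue: dict) -> int:
    """Deletes only on a POST carrying a token tied to the caller's session."""
    if req.method != "POST":
        return 405  # an <img> or link can only ever issue a GET
    expected = issue_token(req.session_id)
    if not hmac.compare_digest(req.params.get("token", ""), expected):
        return 403  # a cross-site form cannot compute the session-bound token
    if req.params.get("delete") == "1":
        queue.pop(int(req.params.get("message", 0)), None)
    return 200  # same answer whether or not the ID existed


def simulate() -> dict:
    """Runs the cross-site GET, a forged POST and a legitimate POST against both handlers."""
    forged_get = Request("GET", {"message": "1", "delete": "1"}, "admin")
    forged_post = Request("POST", {"message": "1", "delete": "1"}, "admin")
    legit = Request("POST", {**forged_post.params, "token": issue_token("admin")}, "admin")
    q = {1: "pending object 1", 2: "pending object 2"}  # constructed queue
    out = {}
    out["vuln_get"] = (delete_message_vulnerable(forged_get, v := dict(q)), 1 in v)
    out["hard_get"] = (delete_message_hardened(forged_get, h := dict(q)), 1 in h)
    out["hard_forged_post"] = (delete_message_hardened(forged_post, f := dict(q)), 1 in f)
    out["hard_legit_post"] = (delete_message_hardened(legit, g := dict(q)), 1 in g)
    return out
```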
Moving this into the Bugzilla space so that BMO folks can take a look at it.
Group: websites-security → bugzilla-security
Component: Other → General
Product: Websites → bugzilla.mozilla.org
Version: unspecified → Production
Status: NEW → UNCONFIRMED
Ever confirmed: false
Assignee: nobody → dkl
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
:dylan will be talking about what this particular queue is, and why it's rated as sec-low. Thanks, Dylan! And nice find as always, Vlad. :)
Flags: needinfo?(dylan)
Keywords: sec-low, wsec-csrf
The only feasible queue to attack would be mozreview, and the window for the attack would be quite small, you would have on average 1 second. BMO as it currently runs *isn't fast enough* for this to be feasible, that number of requests would be a denial of service attack and would as a result be very noticeable. The benefit of the attack would be mozreview attachments for bugs that were retroactively made security bugs staying public. That is serious (although it would be smarter to just watch all mozreview patches and mark any that disappear as "interesting").
Flags: needinfo?(dylan)
Attached patch 1306589_1.patch
Attachment #8796659 - Flags: review?(dylan)
Comment on attachment 8796659 [details] [diff] [review] 1306589_1.patch

r=dylan

dkl++ for making this method="post" too
Attachment #8796659 - Flags: review?(dylan) → review+
Thanks. Waiting to commit once we are ready to push. dkl
The risk from this bug to BMO does not meet the bug bounty bar, but thank you for reporting it.
Flags: sec-bounty? → sec-bounty-
To https://github.com/mozilla-bteam/bmo.git 3078746..1257347 master -> master
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Can this bug be made visible?
Flags: needinfo?(dkl)
Yeah. Was waiting til it was released and then forgot after it was. dkl
Group: bugzilla-security
Flags: needinfo?(dkl)