Bug 141557 - allowuserdeletion security hole in edituser.cgi
Status: RESOLVED FIXED
Whiteboard: applied to 2.14.2
Product: Bugzilla
Classification: Server Software
Component: User Accounts
Version: 2.14.1
Platform: All Linux
Importance: -- normal
Target Milestone: Bugzilla 2.16
Assigned To: Myk Melez [:myk] [@mykmelez]
QA Contact: default-qa
Reported: 2002-05-01 12:58 PDT by cholmes
Modified: 2012-12-18 20:46 PST
CC List: 7 users


Attachments
Patch v.1 (768 bytes, patch)
2002-05-01 13:45 PDT, Gervase Markham [:gerv]
myk: review+
myk: review+
Backported patch for BUGZILLA-2_14_1-BRANCH (781 bytes, patch)
2002-05-10 03:10 PDT, J. Paul Reed [:preed]
gerv: review+
gerv: review+

Description cholmes 2002-05-01 12:58:39 PDT
If I'm a user with the ability to edit other users then I have the ability to
delete other users regardless of the allowuserdeletion parameter flag. I simply
select a user, then change 'edit' to 'del' in the URL.

This is due to two missing "exit;" lines in editusers.cgi. To find them do a
search for "PutTrailer" in editusers.cgi - after every occurrence of PutTrailer
(except the definition) there should be an exit on the next line.

Cheers,
Comment 1 Gervase Markham [:gerv] 2002-05-01 13:45:05 PDT
Created attachment 81913
Patch v.1

Fix, as suggested by reporter. I can confirm the bug, and that this fix
prevents it.

Gerv
Comment 2 Myk Melez [:myk] [@mykmelez] 2002-05-01 13:49:54 PDT
Comment on attachment 81913
Patch v.1

Yup, that's the fix. 2xr=myk
Comment 3 Gervase Markham [:gerv] 2002-05-01 14:01:33 PDT
Fixed. cholmes@cs.umass.edu - thank you very much for reporting this :-)

Checking in editusers.cgi;
/cvsroot/mozilla/webtools/bugzilla/editusers.cgi,v  <--  editusers.cgi
new revision: 1.35; previous revision: 1.34
done

Gerv
Comment 4 Myk Melez [:myk] [@mykmelez] 2002-05-01 14:20:07 PDT
This fix has been applied to b.m.o.
Comment 5 Gervase Markham [:gerv] 2002-05-01 14:24:14 PDT
I just audited every instance of PutTrailer() in edit* - there are no other
instances where exit; is missing.

Gerv
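
The audit described in comment 5, as an added example that is not part of the bug report or of Bugzilla's code: a Python check that flags every PutTrailer call (other than the sub definition) whose next significant line is not `exit;`. The Perl sample is constructed, and skipping blank and comment-only lines goes slightly beyond the reporter's "next line" rule.

```python
import re

# Constructed Perl in the style of an admin CGI script. It is NOT the real
# editusers.cgi source; only PutTrailer and allowuserdeletion come from the bug.
SAMPLE_PERL = """\
sub PutTrailer {
    print "<a href=index.cgi>Back</a>";
}

if ($action eq 'del') {
    if (!Param('allowuserdeletion')) {
        print "Sorry, deleting users isn't allowed.";
        PutTrailer();
    }
    print "Confirm deletion of $user";   # reached even when deletion is off
    PutTrailer();
    exit;
}

if ($action eq 'delete') {
    if (!Param('allowuserdeletion')) {
        print "Sorry, deleting users isn't allowed.";
        PutTrailer();

        exit;
    }
}
"""

CALL = re.compile(r'\bPutTrailer\s*\(')
DEFINITION = re.compile(r'^\s*sub\s+PutTrailer\b')
EXIT = re.compile(r'^\s*exit\s*(\(\s*\))?\s*;')


def find_missing_exit(source):
    """Return (line_number, text) for each PutTrailer call that is not
    followed by exit; on the next non-blank, non-comment line."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        code = line.split('#', 1)[0]  # naive comment strip; ignores '#' in strings
        if DEFINITION.match(code) or not CALL.search(code):
            continue
        nxt = next((l for l in lines[i + 1:]
                    if l.split('#', 1)[0].strip()), '')
        if not EXIT.match(nxt):
            findings.append((i + 1, line.strip()))
    return findings
```

On the constructed sample it reports the call on line 8, where the "not allowed" branch prints its message and then falls through to the rest of the handler.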
Comment 6 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-05-08 21:52:51 PDT
munging ccs
Comment 7 J. Paul Reed [:preed] 2002-05-10 03:10:39 PDT
Created attachment 83024
Backported patch for BUGZILLA-2_14_1-BRANCH

another short one!
Comment 8 Gervase Markham [:gerv] 2002-05-11 02:20:29 PDT
Comment on attachment 83024
Backported patch for BUGZILLA-2_14_1-BRANCH

2xr=gerv.

Gerv
Comment 9 J. Paul Reed [:preed] 2002-05-11 03:10:24 PDT
Checked in on BUGZILLA-2_14_1-BRANCH.
Comment 10 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-05-12 09:11:57 PDT
Adding representatives of the packagers to bugs that are going into the
Bugzilla 2.14.2 security update
Comment 11 Bradley Baetz (:bbaetz) 2002-05-15 22:30:04 PDT
moving secure bugzilla/webtools bugs from mozilla security group to the new
bugzilla security group.
Comment 12 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-06-08 00:01:10 PDT
2.14.2 is out, removing security group.
