allowuserdeletion security hole in editusers.cgi

RESOLVED FIXED in Bugzilla 2.16

Status

Product: Bugzilla
Component: User Accounts
Status: RESOLVED FIXED
Reported: 16 years ago
Modified: 5 years ago

People

(Reporter: cholmes, Assigned: myk)

Tracking

Version: 2.14.1
Target Milestone: Bugzilla 2.16
Hardware: All
OS: Linux

Details

(Whiteboard: applied to 2.14.2)

Attachments

(2 attachments)

Description (Reporter, 16 years ago)

If I'm a user with the ability to edit other users then I have the ability to
delete other users regardless of the allowuserdeletion parameter flag. I simply
select a user, then change 'edit' to 'del' in the URL.

This is due to two missing "exit;" lines in editusers.cgi. To find them do a
search for "PutTrailer" in editusers.cgi - after every occurrence of PutTrailer
(except the definition) there should be an exit on the next line.

Cheers,
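The control-flow bug the report describes, as an added example that is not part of the original bug page and not Bugzilla's code. editusers.cgi is Perl; this Python model re-creates the shape of its 'del' action, where the "not allowed" path prints the page trailer but never exits, so execution falls through into the deletion code. The names put_trailer, delete_user, dispatch and the user table are stand-ins I chose for illustration, not Bugzilla APIs.

```python
# Added example (not Bugzilla's code): a Python model of the control-flow bug
# described in the report. editusers.cgi is Perl; this re-creates the shape of
# its 'del' action, where the "not allowed" path prints the page trailer but
# never exits, so execution falls through into the deletion code. Names such as
# put_trailer/delete_user and the user table are stand-ins, not Bugzilla APIs.
from typing import Callable, Dict, List, Tuple

Users = Dict[str, dict]


def put_trailer(out: List[str]) -> None:
    """Stand-in for PutTrailer(): emits the HTML page footer."""
    out.append("</body></html>")


def delete_user(users: Users, login: str, out: List[str]) -> None:
    """Stand-in for the SQL that removes the user's profile row."""
    users.pop(login, None)
    out.append(f"User {login} deleted.")


def del_action_vulnerable(params: dict, users: Users, login: str, out: List[str]) -> None:
    """Mirrors the buggy branch: the error page is emitted, but nothing stops
    execution, so the deletion below still runs."""
    if not params.get("allowuserdeletion"):
        out.append("<p>Sorry, deleting users is not allowed.</p>")
        put_trailer(out)
        # BUG: no 'return' here (Perl: no 'exit;' after PutTrailer()).
    delete_user(users, login, out)


def del_action_fixed(params: dict, users: Users, login: str, out: List[str]) -> None:
    """The one-line fix: stop after the trailer on the error path."""
    if not params.get("allowuserdeletion"):
        out.append("<p>Sorry, deleting users is not allowed.</p>")
        put_trailer(out)
        return  # Perl: exit;
    delete_user(users, login, out)


def dispatch(handler: Callable[..., None], action: str, allow: bool,
             login: str = "victim@example.com") -> Tuple[List[str], List[str]]:
    """Run one request against a fresh, constructed two-user table.

    Models the reporter's trick: a user who may reach action=edit simply
    rewrites the URL to action=del. Returns (remaining logins, page output).
    """
    users: Users = {login: {}, "admin@example.com": {}}
    out: List[str] = []
    params = {"allowuserdeletion": allow}
    if action == "edit":
        out.append(f"<h1>Edit user {login}</h1>")
        put_trailer(out)
    elif action == "del":
        handler(params, users, login, out)
    return sorted(users), out


if __name__ == "__main__":
    for name, handler in (("vulnerable", del_action_vulnerable), ("fixed", del_action_fixed)):
        remaining, _ = dispatch(handler, "del", allow=False)
        print(f"{name:10s} allowuserdeletion=0 -> users left: {remaining}")
```

Run as a script to see the vulnerable handler drop the victim row with allowuserdeletion off while the fixed handler keeps it. The point generalises beyond this one script: in a CGI that builds its page with print statements, an error branch that ends with the trailer but no exit is not an error branch at all, only extra output before the privileged action.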
Updated (Assignee, 16 years ago)
Group: security?

Comment 1 (Assignee, 16 years ago)
Created attachment 81913 [details] [diff] [review]
Patch v.1

Fix, as suggested by reporter. I can confirm the bug, and that this fix
prevents it.

Gerv
Comment 2 (Assignee, 16 years ago)
Comment on attachment 81913 [details] [diff] [review]
Patch v.1

Yup, that's the fix. 2xr=myk
Attachment #81913 - Flags: review+

Comment 3
Fixed. cholmes@cs.umass.edu - thank you very much for reporting this :-)

Checking in editusers.cgi;
/cvsroot/mozilla/webtools/bugzilla/editusers.cgi,v  <--  editusers.cgi
new revision: 1.35; previous revision: 1.34
done

Gerv
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
Comment 4 (Assignee, 16 years ago)
This fix has been applied to b.m.o.
I just audited every instance of PutTrailer() in edit* - there are no other
instances where exit; is missing.

Gerv
Target Milestone: --- → Bugzilla 2.16
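The audit Gerv describes above, and the rule the reporter stated in the description ("after every occurrence of PutTrailer (except the definition) there should be an exit on the next line"), as an added example that is not part of the original bug page and not Bugzilla's code. The lint below scans Perl source for PutTrailer() calls that are not followed by exit; and reports their line numbers. SAMPLE_PERL is a constructed snippet in the style of editusers.cgi, not a copy of it.

```python
# Added example (not Bugzilla's code): a small lint implementing the rule the
# report states, "after every occurrence of PutTrailer (except the definition)
# there should be an exit on the next line", and the audit of edit* scripts
# that Gerv describes. SAMPLE_PERL is a constructed snippet in the style of
# editusers.cgi, not a copy of it.
import re
import sys
from typing import List

CALL_RE = re.compile(r"^&?PutTrailer\s*\(")
EXIT_RE = re.compile(r"\bexit\s*;")


def missing_exits(perl_source: str) -> List[int]:
    """Return 1-based line numbers of PutTrailer() calls not followed by exit;.

    'Followed' means either on the same line or on the next non-blank line;
    the 'sub PutTrailer' definition itself is skipped.
    """
    lines = perl_source.splitlines()
    flagged: List[int] = []
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("sub PutTrailer") or not CALL_RE.match(line):
            continue
        if EXIT_RE.search(line):  # 'PutTrailer(); exit;' on one line is fine
            continue
        j = i + 1
        while j < len(lines) and not lines[j].strip():
            j += 1
        nxt = lines[j].strip() if j < len(lines) else ""
        if not EXIT_RE.match(nxt):
            flagged.append(i + 1)
    return flagged


# Constructed sample: the 'del' branch emits the trailer without exiting
# (line 8), the 'edit' branch does it correctly (lines 15-16).
SAMPLE_PERL = """\
sub PutTrailer {
    print "</body></html>\\n";
}

if ($action eq 'del') {
    unless (Param("allowuserdeletion")) {
        print "Sorry, deleting users is not allowed.\\n";
        PutTrailer();
    }
    # deletion code continues here whether or not the check above failed
}

if ($action eq 'edit') {
    print "<h1>Edit user $user</h1>\\n";
    PutTrailer();
    exit;
}
"""


if __name__ == "__main__":
    paths = sys.argv[1:]  # e.g. editusers.cgi editgroups.cgi editparams.cgi ...
    if not paths:
        print("sample snippet, PutTrailer() without exit; at lines:", missing_exits(SAMPLE_PERL))
    for path in paths:
        with open(path, encoding="latin-1") as f:
            for n in missing_exits(f.read()):
                print(f"{path}:{n}: PutTrailer() not followed by exit;")
```

Run it with no arguments to check the constructed sample, or pass the edit*.cgi scripts of a checkout to repeat the audit. The check is deliberately literal: it catches the pattern this bug was about, but it will not see an exit reached by other means (a call that exits inside a helper, a `die`), so a clean run means the simple pattern is absent, not that every error path terminates.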
munging ccs

Comment 7 (16 years ago)
Created attachment 83024 [details] [diff] [review]
Backported patch for BUGZILLA-2_14_1-BRANCH

another short one!

Comment 8
Comment on attachment 83024 [details] [diff] [review]
Backported patch for BUGZILLA-2_14_1-BRANCH

2xr=gerv.

Gerv
Attachment #83024 - Flags: review+

Comment 9 (16 years ago)
Checked in on BUGZILLA-2_14_1-BRANCH.
Whiteboard: applied to 2.14.2
Adding representatives of the packagers to bugs that are going into the
Bugzilla 2.14.2 security update

moving secure bugzilla/webtools bugs from mozilla security group to the new
bugzilla security group.
Group: security? → webtools-security?

2.14.2 is out, removing security group.
Group: webtools-security?

QA Contact: matty_is_a_geek → default-qa