shutdownhtml login bypass via editparams.cgi is broken under suexec

RESOLVED FIXED in Bugzilla 2.16

Status


task
--
blocker
RESOLVED FIXED
16 years ago
7 years ago

People

(Reporter: syssrini, Assigned: goobix)

Tracking

unspecified
Bugzilla 2.16
Bug Flags:
approval +

Details

(Whiteboard: [fixed in 2.16.4] [fixed in 2.17.5])

Attachments

(1 attachment, 1 obsolete attachment)

716 bytes, patch (kiko: review+)
User-Agent:       Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Build Identifier: www.mozilla.org

I changed the shutdownhtml parameter, and then logged out of Admin. Now when I try
to get into Admin, it says Bugzilla is currently down for me too... Tell me a
way to log in as Admin and fix it...


Reproducible: Always

Steps to Reproduce:
1. Log in as admin
2. Change the shutdownhtml parameter
3. Log out of Admin

Actual Results:  
I got locked out....

Expected Results:  
Let me log in as Admin and fix it..

--
Go directly to http://yourbugzilla/editparams.cgi

That's the only page that will work when shutdownhtml is in place.

In the future please post support questions to the mozilla-webtools mailing list
(http://www.bugzilla.org/discussion.html).  This is not a bug.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
Login to http://yourbugzilla/editparams.cgi does not work if Apache uses the
suexec mechanism.

Reason:

CGI.pl uses this line:

if (Param("shutdownhtml") && $0 !~ m:[\\/](do)?editparams.cgi$:)

On my system (Bugzilla 2.17.4, Apache 1.3.27 with suexec enabled, chrooted), if
Apache does not use the suexec mechanism then $0 contains
"/home/someuser/bugzilla/editparams.cgi".

But if suexec is enabled then $0 contains only "editparams.cgi" and the
condition does not work.


Changing the condition to

if (Param("shutdownhtml") && $0 !~ m:(do)?editparams.cgi$:) {

seems to work, but somebody please check this, as I am unfamiliar with this m:
thing.

Many commercial web hosters use Apache with the suexec mechanism, so I believe
this is in fact a problem and this is a valid bug. Please reopen.
OK, I'll buy that.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Summary: I used shutdownhtml parameter from Admin and logged out of Admin myself → shutdownhtml login bypass via editparams.cgi is broken under suexec
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 2000 → All
Hardware: PC → All
Component: Bugzilla-General → Administration
Posted patch Patch (obsolete)
Attachment #131735 - Flags: review?(kiko)
>> I am unfamiliar with this m: thing.

m:something: is similar to m/something/, except that you don't need to worry
about escaping the "/" char.
Assignee: justdave → jocuri
Status: NEW → ASSIGNED
Do we need a patch in the 2.16 branch as well?
Comment on attachment 131735
Patch

Does it make sense to keep the (do)? there, if nothing comes before it?
Attachment #131735 - Flags: review?(kiko) → review-
Regarding attachment 131735:

m:(^|[\\/])(do)?editparams\.cgi$: is probably what's wanted there.

That restricts it to only the doeditparams.cgi and editparams.cgi files,
(and not also xyzzy-editparams.cgi, e.g.) and works whether or not the
full path is given.
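
The three patterns discussed in this bug, compared side by side. This is an added example, not part of the thread or of Bugzilla's CGI.pl; the is_exempt helper and the sample names other than those quoted in the comments are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The patterns from this bug, in the order they were proposed.
my @patterns = (
    [ 'original',   qr:[\\/](do)?editparams.cgi$:      ],  # line quoted from CGI.pl
    [ 'unanchored', qr:(do)?editparams.cgi$:           ],  # first proposed change
    [ 'suggested',  qr:(^|[\\/])(do)?editparams\.cgi$: ],  # pattern from the review
);

# Candidate values of $0 (the script name the shutdownhtml check looks at).
my @script_names = (
    '/home/someuser/bugzilla/editparams.cgi',  # full path, as reported without suexec
    'editparams.cgi',                          # bare name, as reported under suexec
    'doeditparams.cgi',                        # the second script meant to be exempt
    'xyzzy-editparams.cgi',                    # name used in the review comment
    'editparams_cgi',                          # constructed: tests the unescaped dot
    'index.cgi',                               # constructed: any other script
);

# Hypothetical helper: true when the script would skip the shutdown page,
# i.e. when the "$0 !~ pattern" half of the CGI.pl condition is false.
sub is_exempt {
    my ($pattern, $script) = @_;
    return $script =~ $pattern ? 1 : 0;
}

# Print one row per script name and one column per pattern.
printf "%-42s", '$0';
printf " %-10s", $_->[0] for @patterns;
print "\n";

for my $script (@script_names) {
    printf "%-42s", $script;
    printf " %-10s", (is_exempt($_->[1], $script) ? 'exempt' : 'shutdown')
        for @patterns;
    print "\n";
}
```

Run it with `perl` and read across each row: a name that shows "exempt" stays reachable while shutdownhtml is set.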
Posted patch Patch ver 2
Yep, I thought about that; I did a "ls -R *editparams.cgi" in the bugzilla dir
and the only files matching that were those 2. But yeah, it's better to prevent
other files from being regexped in the future.

Also, it seems escaping the dot in ".cgi" had been forgotten as well.
Attachment #131735 - Attachment is obsolete: true
Attachment #131786 - Flags: review?(kiko)
Arne, srini -- can you confirm this patch fixes the problem for you?
Attachment #131786 works in my environment.
Comment on attachment 131786
Patch ver 2

wonderful
Attachment #131786 - Flags: review?(kiko) → review+
Flags: approval?
Flags: approval? → approval+
Target Milestone: --- → Bugzilla 2.18
Target --> 2.16
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
Does this apply to both branches?
Yes
ok, approved for both 2.16 branch and trunk on the basis of being a low-risk
usability fix.  In the future ask first ;)
Whiteboard: [wanted for 2.16.4] [wanted for 2.17.5]
ok :), didn't know that changing target requires approval ;-)
Checking in CGI.pl;
/cvsroot/mozilla/webtools/bugzilla/CGI.pl,v  <--  CGI.pl
new revision: 1.153.2.5; previous revision: 1.153.2.4
done

Checking in CGI.pl;
/cvsroot/mozilla/webtools/bugzilla/CGI.pl,v  <--  CGI.pl
new revision: 1.206; previous revision: 1.205
done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [wanted for 2.16.4] [wanted for 2.17.5] → [fixed in 2.16.4] [fixed in 2.17.5]
QA Contact: matty_is_a_geek → default-qa