Closed Bug 213384 Opened 18 years ago Closed 18 years ago

shutdownhtml login bypass via editparams.cgi is broken under suexec


(Bugzilla :: Administration, task)

Not set



Bugzilla 2.16


(Reporter: syssrini, Assigned: goobix)


(Whiteboard: [fixed in 2.16.4] [fixed in 2.17.5])


(1 file, 1 obsolete file)

User-Agent:       Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Build Identifier:

I changed shutdownhtml parameter ,and then Logged out of Admin. Now when i try 
to get into Admin, it says Bugzilla is currently down for me too...Tell me a 
way to login as Admin and fix it...

Reproducible: Always

Steps to Reproduce:
1.Login as admin
2.change the shutdown html parameter
3.Log out of Admin

Actual Results:  
I got locked out....

Expected Results:  
Let me login as Admin and fix it..

Go directly to http://yourbugzilla/editparams.cgi

That's the only page that will work when shutdownhtml is in place.

In the future please post support questions to the mozilla-webtools mailing list
(  This is not a bug.
Closed: 18 years ago
Resolution: --- → INVALID
Login to http://yourbugzilla/editparams.cgi does not work if the Apache uses the
suexec mechanism.

Reason: uses this line:

if (Param("shutdownhtml") && $0 !~ m:[\\/](do)?editparams.cgi$:)

On my system (Bugzilla 2.17.4, Apache 1.3.27 with suexec enabled, chrooted), if
Apache does not use the suexec mechanism then $0 contains

But if suexec is enabled then $0 contains only "editparams.cgi" and the
condition does not work.

Changing the condition to

if (Param("shutdownhtml") && $0 !~ m:(do)?editparams.cgi$:) {

seems to work, but somebody please check this, as I am unfamiliar with this m:

Many commercial web hosters use Apache with the suexec mechanism, so I believe
this is in fact a problem and this is a valid bug. Please reopen.
OK, I'll buy that.
Resolution: INVALID → ---
Summary: I used shutdownhtml parameter from Admin and logged out of Admin myself → shutdownhtml login bypass via editparams.cgi is broken under suexec
Ever confirmed: true
OS: Windows 2000 → All
Hardware: PC → All
Component: Bugzilla-General → Administration
Attached patch Patch (obsolete) — Splinter Review
Attachment #131735 - Flags: review?(kiko)
>> I am unfamiliar with this m: thing.

m:something: is similar with m/something/ just that you don't need to worry
about escaping the "/" char.
Assignee: justdave → jocuri
Do we need a patch in the 2.16 branch as well?
Comment on attachment 131735 [details] [diff] [review]

Does it make sense to keep the (do)? there, if nothing comes before it?
Attachment #131735 - Flags: review?(kiko) → review-
Regarding attachment 131735 [details] [diff] [review]:

m:(^|[\\/])(do)?editparams\.cgi$: is probably what's wanted there.

That restricts it to only the doeditparams.cgi and editparams.cgi files,
(and not also xyzzy-editparams.cgi, e.g.) and works whether or not the
full path is given.
Attached patch Patch ver 2Splinter Review
Yeap, I thought about that; I did a "ls -R *editparams.cgi" in the bugzilla dir
and the only files matching that were those 2. But yeah, it's better to prevent
other files from being regexped in the future.

Also, it seems the dot in ".cgi" forgot to be escaped as well.
Attachment #131735 - Attachment is obsolete: true
Attachment #131786 - Flags: review?(kiko)
Arne, srini -- can you confirm this patch fixes the problem for you?
Attachment #131786 [details] [diff] works in my environment.
Comment on attachment 131786 [details] [diff] [review]
Patch ver 2

Attachment #131786 - Flags: review?(kiko) → review+
Flags: approval?
Flags: approval? → approval+
Target Milestone: --- → Bugzilla 2.18
Target --> 2.16
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
Does this apply to both branches?
ok, approved for both 2.16 branch and trunk on the basis of being a low-risk
usability fix.  In the future ask first ;)
Whiteboard: [wanted for 2.16.4] [wanted for 2.17.5]
ok :), didn't know that changing target requires approval ;-)
Checking in;
/cvsroot/mozilla/webtools/bugzilla/,v  <--
new revision:; previous revision:

Checking in;
/cvsroot/mozilla/webtools/bugzilla/,v  <--
new revision: 1.206; previous revision: 1.205
Closed: 18 years ago18 years ago
Resolution: --- → FIXED
Whiteboard: [wanted for 2.16.4] [wanted for 2.17.5] → [fixed in 2.16.4] [fixed in 2.17.5]
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.