
MySQL injection vulnerability in editkeywords.cgi

RESOLVED FIXED in Bugzilla 2.16

Status

Bugzilla
Administration
RESOLVED FIXED
14 years ago
5 years ago

People

(Reporter: Vlad Dascalu, Assigned: Joel Peshkin)

Tracking

unspecified
Bugzilla 2.16
Bug Flags:
approval +

Details

(Whiteboard: [fixed in 2.16.4] [fixed in 2.17.5], URL)

Attachments

(1 attachment)

(Reporter)

Description

14 years ago
Any user with the editkeywords priv can do MySQL injection attacks and find out
confidential information using direct access to the Bugzilla database.

For example, by clicking the URL of this bug,

http://bugzilla.mozilla.org/editkeywords.cgi?action=edit&id=1234567+union+select+login_name,cryptpassword+from+profiles

someone can find out the username and the cryptpassword of a user.

The issue is that the "ID" field is not validated before it's passed to the
SendSQL subroutine.
Whiteboard: [wanted for 2.16.5] [wanted for 2.17.6]
Target Milestone: --- → Bugzilla 2.16
(Reporter)

Comment 1

14 years ago
So a patch needs to be written against the 2.16 branch.

What about a patch against CVS Head? Are we waiting for the admin rewrite
thing, or is it worth fixing before that?
I'd just as soon do the rewrite (which I expect to happen soon) for 2.17. 
That's why I put 2.17.6 on it instead of 2.17.5
(Assignee)

Comment 3

14 years ago
Created attachment 134158
Patch (both branches)

All we need to do is detaint_natural the id
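
The root cause from the description (the id reaches the SQL text unvalidated) and the natural-number check on the id that Comment 3 proposes, shown side by side. This is an added example, not the attached patch and not Bugzilla's code; `natural_or_undef`, both `build_query_*` helpers, and the table and column names in the query are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a natural-number check: returns the value only
# if the whole string consists of digits, otherwise undef.
sub natural_or_undef {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A(\d+)\z/ ? $1 : undef;
}

# "Before": the id is interpolated into the SQL text unchecked.
# Table and column names are assumed for this example.
sub build_query_unvalidated {
    my ($id) = @_;
    return "SELECT name, description FROM keyworddefs WHERE id = $id";
}

# "After": anything that is not a natural number is rejected before any
# SQL text is built.
sub build_query_validated {
    my ($id) = @_;
    my $clean = natural_or_undef($id);
    die "invalid keyword id\n" unless defined $clean;
    return "SELECT name, description FROM keyworddefs WHERE id = $clean";
}

# Constructed inputs: an ordinary id, and the id value from the URL in the
# report as it looks after CGI decoding ('+' becomes a space).
my @ids = (
    '42',
    '1234567 union select login_name,cryptpassword from profiles',
);

for my $id (@ids) {
    print "input:       $id\n";
    print "unvalidated: ", build_query_unvalidated($id), "\n";
    my $sql = eval { build_query_validated($id) };
    my $err = $@;
    chomp $err;
    print "validated:   ", (defined $sql ? $sql : "rejected ($err)"), "\n\n";
}
```

The second input passes through the unvalidated builder with the UNION clause intact, while the validated builder refuses it and builds no query at all.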
(Assignee)

Updated

14 years ago
Attachment #134158 - Flags: review?(justdave)
Whiteboard: [wanted for 2.16.5] [wanted for 2.17.6] → [wanted for 2.16.4] [wanted for 2.17.5]
Comment on attachment 134158
Patch (both branches)

Patch applies cleanly to both branches.  Seems to do the trick.  Gives me
"Something screwy is going on here, please try again"
Attachment #134158 - Attachment description: Patch → Patch (both branches)
Attachment #134158 - Flags: review?(justdave)
Attachment #134158 - Flags: review?(bbaetz)
Attachment #134158 - Flags: review+
Attachment #134158 - Flags: review?(myk)

Comment 5

14 years ago
Comment on attachment 134158
Patch (both branches)

r=zach
Attachment #134158 - Flags: review?(myk)
Whiteboard: [wanted for 2.16.4] [wanted for 2.17.5] → [ready for 2.16.4] [ready for 2.17.5]
Attachment #134158 - Flags: review?(bbaetz)
-> Patch author
Assignee: justdave → bugreport
Checked in on trunk:

Checking in editkeywords.cgi;
/cvsroot/mozilla/webtools/bugzilla/editkeywords.cgi,v  <--  editkeywords.cgi
new revision: 1.16; previous revision: 1.15
done
Flags: approval+
Whiteboard: [ready for 2.16.4] [ready for 2.17.5] → [ready for 2.16.4] [fixed in 2.17.5]
Checked in on 2.16 branch:

Checking in editkeywords.cgi;
/cvsroot/mozilla/webtools/bugzilla/editkeywords.cgi,v  <--  editkeywords.cgi
new revision: 1.9.2.2; previous revision: 1.9.2.1
done
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
Whiteboard: [ready for 2.16.4] [fixed in 2.17.5] → [fixed in 2.16.4] [fixed in 2.17.5]
Security advisory has been posted.
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa