Closed Bug 219044 Opened 21 years ago Closed 21 years ago

MySQL injection vulnerability in editkeywords.cgi

Categories

(Bugzilla :: Administration, task)

task
Not set
normal

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: goobix, Assigned: bugreport)

Details

(Whiteboard: [fixed in 2.16.4] [fixed in 2.17.5])

Attachments

(1 file)

Any user with the editkeywords priv can do MySQL injection attacks and find out
confidential information using direct access to the Bugzilla database.

For example, by clicking the URL of this bug,

http://bugzilla.mozilla.org/editkeywords.cgi?action=edit&id=1234567+union+select+login_name,cryptpassword+from+profiles

someone can find out the username and the cryptpassword of a user.

The issue is that the "ID" field is not validated before it's passed to the
SendSQL subroutine.
Whiteboard: [wanted for 2.16.5] [wanted for 2.17.6]
Target Milestone: --- → Bugzilla 2.16
So a patch needs to be written against the 2.16 branch.

What about a patch against CVS Head? Are we waiting for the admin rewrite
thing, or is it worth fixing before that?

I'd just as soon do the rewrite (which I expect to happen soon) for 2.17.
That's why I put 2.17.6 on it instead of 2.17.5.

All we need to do is detaint_natural the id.
Attachment #134158 - Flags: review?(justdave)
Whiteboard: [wanted for 2.16.5] [wanted for 2.17.6] → [wanted for 2.16.4] [wanted for 2.17.5]
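Added example, not code from this bug or from Bugzilla: a Python/SQLite stand-in for the pattern the report describes (the request's id concatenated into the query text), next to the digits-only check the thread settles on. The table layout, query text, sample rows and function names are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; the table and column layout is assumed.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE keyworddefs (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        CREATE TABLE profiles (login_name TEXT, cryptpassword TEXT);
        INSERT INTO keyworddefs VALUES (1, 'crash', 'Bug causes a crash');
        INSERT INTO profiles VALUES ('admin@example.test', 'CONSTRUCTED-HASH');
    """)
    return db

def lookup_unvalidated(db, raw_id):
    # "Before": the request value is pasted into the SQL text, so anything
    # that follows the number is parsed as SQL.
    sql = "SELECT name, description FROM keyworddefs WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def natural_or_none(raw_id):
    # Hypothetical helper with the same intent as the detaint_natural fix
    # named in the thread: accept only a string of ASCII digits.
    return int(raw_id) if re.fullmatch(r"[0-9]+", raw_id) else None

def lookup_validated(db, raw_id):
    kw_id = natural_or_none(raw_id)
    if kw_id is None:
        raise ValueError("invalid keyword id")
    # Bound parameter as a second layer: the value never becomes SQL text.
    sql = "SELECT name, description FROM keyworddefs WHERE id = ?"
    return db.execute(sql, (kw_id,)).fetchall()

# The id value from the report's URL, with '+' decoded to a space.
REPORTED_ID = "1234567 union select login_name,cryptpassword from profiles"

if __name__ == "__main__":
    db = make_db()
    # Unvalidated path returns the profiles row instead of a keyword.
    print("unvalidated:", lookup_unvalidated(db, REPORTED_ID))
    print("validated, id=1:", lookup_validated(db, "1"))
    try:
        lookup_validated(db, REPORTED_ID)
    except ValueError as err:
        print("validated, reported id:", err)
```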
Comment on attachment 134158 [details] [diff] [review]
Patch (both branches)

Patch applies cleanly to both branches.  Seems to do the trick.  Gives me
"Something screwy is going on here, please try again"
Attachment #134158 - Attachment description: Patch → Patch (both branches)
Attachment #134158 - Flags: review?(justdave)
Attachment #134158 - Flags: review?(bbaetz)
Attachment #134158 - Flags: review+
Attachment #134158 - Flags: review?(myk)
Comment on attachment 134158 [details] [diff] [review]
Patch (both branches)

r=zach
Attachment #134158 - Flags: review?(myk)
Whiteboard: [wanted for 2.16.4] [wanted for 2.17.5] → [ready for 2.16.4] [ready for 2.17.5]
Attachment #134158 - Flags: review?(bbaetz)
-> Patch author
Assignee: justdave → bugreport
Checked in on trunk:

Checking in editkeywords.cgi;
/cvsroot/mozilla/webtools/bugzilla/editkeywords.cgi,v  <--  editkeywords.cgi
new revision: 1.16; previous revision: 1.15
done
Flags: approval+
Whiteboard: [ready for 2.16.4] [ready for 2.17.5] → [ready for 2.16.4] [fixed in 2.17.5]
Checked in on 2.16 branch:

Checking in editkeywords.cgi;
/cvsroot/mozilla/webtools/bugzilla/editkeywords.cgi,v  <--  editkeywords.cgi
new revision: 1.9.2.2; previous revision: 1.9.2.1
done
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Whiteboard: [ready for 2.16.4] [fixed in 2.17.5] → [fixed in 2.16.4] [fixed in 2.17.5]
Security advisory has been posted.
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa