Closed
Bug 293159
Opened 19 years ago
Closed 19 years ago
[SECURITY] Anyone can change flags and access bug summaries due to a bad check in Flag::validate() and Flag::modify()
Categories
(Bugzilla :: Attachments & Requests, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.18
People
(Reporter: LpSolit, Assigned: LpSolit)
References
Details
(Whiteboard: [does not affect 2.16.x] [ready for 2.18.2] [ready for 2.20])
Attachments
(2 files, 4 obsolete files)
14.21 KB,
patch
|
LpSolit
:
review+
|
Details | Diff | Splinter Review |
13.08 KB,
patch
|
LpSolit
:
review+
|
Details | Diff | Splinter Review |
Flag::validate() and Flag::modify() do not check that the flag ID one tries to change is consistent with the bug ID and/or attachment ID passed to the function. This way, we are able to access the summary of (almost) any bug which has flags set on it. It's very difficult to reproduce if you have no idea of flag IDs set on a given bug. The idea is the following: 1) hack the URL in order to have something like: process_bug.cgi?id=196&product=Bugzilla&component=...&flag-481=%3F&requestee-481=guest%40foo.com Here, the flag with ID = 481 is not related to the public bug 196 but is related to another (confidential) bug. But as the URL contains the bug ID of a public bug, neither process_bug.cgi nor Flag::validate() or Flag::modify() will complain as they all check if the user has access to the given bug or attachment based on the bug/attachement ID passed in the URL. 2) use the same URL as above, but change flag-481=%3F to flag-481=X. This way, you cancel the request and the requester (in our case: a bad guy) will receive an email that this request has been cancelled. But the email contains the summary of the bug!! <-- Oops!! Note that you have to use an existing flag which is either set to + or -, else this trick won't work (if the flag is not specifically requestable!). Note also that this does not work if you try to create a new flag using flag_type in the URL instead of flag, because the new flag would be created in the public bug (the one given in the URL). About this last comment, see also bug 266159.
Assignee | ||
Updated•19 years ago
|
Status: NEW → ASSIGNED
Flags: blocking2.20?
Flags: blocking2.18.2?
Target Milestone: --- → Bugzilla 2.18
Updated•19 years ago
|
Flags: blocking2.20?
Flags: blocking2.20+
Flags: blocking2.18.2?
Flags: blocking2.18.2+
Whiteboard: [does not affect 2.16.x] [wanted for 2.18.2] [wanted for 2.20]
Assignee | ||
Comment 1•19 years ago
|
||
Attachment #184629 -
Flags: review?(myk)
Assignee | ||
Comment 2•19 years ago
|
||
Comment on attachment 184629 [details] [diff] [review] patch, v1 >+ [% ELSIF error == "invalid_flag_association" %] >+ [% title = "Invalid Flag Association" %] >+ Some flags do not belong to >+ [% IF attach_id %] >+ attachment [% attach_id FILTER html %]. >+ [% ELSE %] >+ [% terms.bug %] [%+ bug_id FILTER html %]. >+ [% END %] Note to self: it should be [%+ terms.bug %].
Assignee | ||
Comment 3•19 years ago
|
||
Now catch inactive flag types + fix some minor nits (mainly typos).
Attachment #184629 -
Attachment is obsolete: true
Attachment #184644 -
Flags: review?(myk)
Assignee | ||
Updated•19 years ago
|
Attachment #184629 -
Flags: review?(myk)
Comment 4•19 years ago
|
||
Comment on attachment 184644 [details] [diff] [review] patch, v2 Looks good. r=myk
Attachment #184644 -
Flags: review?(myk) → review+
Assignee | ||
Comment 5•19 years ago
|
||
Already requesting approval for the trunk. Give me a few hours to backport it to 2.18.1.
Flags: approval?
Assignee | ||
Comment 6•19 years ago
|
||
FlagType.pm uses requestee_type, not requestee (stupid copy paste). Carrying forward myk's r+ (use interdiff between v2 and v2.1 if you don't trust me).
Attachment #184644 -
Attachment is obsolete: true
Attachment #185962 -
Flags: review+
Assignee | ||
Comment 7•19 years ago
|
||
backport for the 2.18 branch. The code is a bit easier as 2.18 does not let you add flags when creating a new attachment.
Assignee | ||
Updated•19 years ago
|
Attachment #185974 -
Flags: review?(myk)
Comment 8•19 years ago
|
||
Comment on attachment 185974 [details] [diff] [review] patch for 2.18.1, v1 Looks good, r=myk
Attachment #185974 -
Flags: review?(myk) → review+
Comment 9•19 years ago
|
||
I missed this in my initial review, and it's nit, but if it's not too much trouble could you change "Edition of Flags" to "Flag Editing" upon check-in and then attach the patches with that update? The current syntax is technically valid but uncommon and considered clunky, and making this change in new patches on this bug would save having to deal with that minor issue in a separate bug.
Assignee | ||
Comment 10•19 years ago
|
||
ok, I will fix this nit on checkin. Patches ready for approval! :)
Flags: approval2.18?
Whiteboard: [does not affect 2.16.x] [wanted for 2.18.2] [wanted for 2.20] → [does not affect 2.16.x] [ready for 2.18.2] [ready for 2.20]
Updated•19 years ago
|
Severity: normal → critical
Version: 2.19.2 → 2.17
Assignee | ||
Comment 11•19 years ago
|
||
For further information about this bug, see my comment in bug 297749 comment 4.
Assignee | ||
Comment 12•19 years ago
|
||
myk's nit fixed + unbitrot
Attachment #185962 -
Attachment is obsolete: true
Attachment #188625 -
Flags: review+
Assignee | ||
Comment 13•19 years ago
|
||
myk's nit fixed.
Attachment #185974 -
Attachment is obsolete: true
Attachment #188626 -
Flags: review+
Updated•19 years ago
|
Flags: approval?
Flags: approval2.18?
Flags: approval2.18+
Flags: approval+
Comment 14•19 years ago
|
||
Tip: Checking in attachment.cgi; /cvsroot/mozilla/webtools/bugzilla/attachment.cgi,v <-- attachment.cgi new revision: 1.89; previous revision: 1.88 done Checking in process_bug.cgi; /cvsroot/mozilla/webtools/bugzilla/process_bug.cgi,v <-- process_bug.cgi new revision: 1.263; previous revision: 1.262 done Checking in Bugzilla/Flag.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Flag.pm,v <-- Flag.pm new revision: 1.45; previous revision: 1.44 done Checking in Bugzilla/FlagType.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/FlagType.pm,v <-- FlagType.pm new revision: 1.19; previous revision: 1.18 done Checking in template/en/default/global/code-error.html.tmpl; /cvsroot/mozilla/webtools/bugzilla/template/en/default/global/code-error.html.tmpl,v <-- code-error.html.tmpl new revision: 1.52; previous revision: 1.51 done 2.18: Checking in attachment.cgi; /cvsroot/mozilla/webtools/bugzilla/attachment.cgi,v <-- attachment.cgi new revision: 1.58.2.6; previous revision: 1.58.2.5 done Checking in process_bug.cgi; /cvsroot/mozilla/webtools/bugzilla/process_bug.cgi,v <-- process_bug.cgi new revision: 1.205.2.22; previous revision: 1.205.2.21 done Checking in Bugzilla/Flag.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Flag.pm,v <-- Flag.pm new revision: 1.18.2.7; previous revision: 1.18.2.6 done Checking in Bugzilla/FlagType.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/FlagType.pm,v <-- FlagType.pm new revision: 1.7.2.2; previous revision: 1.7.2.1 done Checking in template/en/default/global/code-error.html.tmpl; /cvsroot/mozilla/webtools/bugzilla/template/en/default/global/code-error.html.tmpl,v <-- code-error.html.tmpl new revision: 1.39.2.6; previous revision: 1.39.2.5 done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Summary: Anyone can access bug summaries due to a bad check in Flag::validate() and Flag::modify() → [SECURITY] Anyone can change flags and access bug summaries due to a bad check in Flag::validate() and Flag::modify()
Comment 15•19 years ago
|
||
Removing from webtools-security because the advisory has been posted and the release is complete.
Group: webtools-security
You need to log in
before you can comment on or make changes to this bug.
Description
•