Closed
Bug 308256
Opened 19 years ago
Closed 19 years ago
[SECURITY] config.cgi doesn't check Param('requirelogin')
Categories
(Bugzilla :: Bugzilla-General, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.18
People
(Reporter: LpSolit, Assigned: LpSolit)
References
Details
(Whiteboard: [ready for 2.18.4][ready for 2.20][ready for 2.21.1])
Attachments
(4 files, 1 obsolete file)
2.21 KB,
patch
|
mkanat
:
review+
|
Details | Diff | Splinter Review |
2.68 KB,
patch
|
mkanat
:
review+
|
Details | Diff | Splinter Review |
2.19 KB,
patch
|
mkanat
:
review+
|
Details | Diff | Splinter Review |
532 bytes,
patch
|
Details | Diff | Splinter Review |
Private installations use the 'requirelogin' parameter to prevent logged out users to access their DB (with the addition of preventing users to create new user accounts themselves or by limiting who can create new accounts), but config.cgi doesn't check whether this param is turned on, allowing anyone to access confidential information. If administrators think they are protected thanks to this parameter, it is possible that some or all of their products are not restricted to groups, making them publicly visible.
Assignee | ||
Updated•19 years ago
|
Status: NEW → ASSIGNED
Flags: blocking2.20?
Flags: blocking2.18.4?
Target Milestone: --- → Bugzilla 2.18
Comment 1•19 years ago
|
||
"confidential information" in this case is not any bug content, but names of products, components, keywords, milestones, versions, etc. If the admin is limiting account creation and using requirelogin as the only means of preventing access (which is perfectly logical to do), it's quite logical to assume that there may be confidential product names that would be otherwise publicly visible were it not for requirelogin being set.
Flags: blocking2.20?
Flags: blocking2.20+
Flags: blocking2.18.4?
Flags: blocking2.18.4+
Assignee | ||
Comment 2•19 years ago
|
||
This patch applies on all branches >= 2.18 + tip.
Attachment #195827 -
Flags: review?(justdave)
Comment 3•19 years ago
|
||
Comment on attachment 195827 [details] [diff] [review] patch, v1 After applying the patch, Bugzilla prompts me to log in when I access config.cgi in my web browser if I am not already logged in and requirelogin is set. But config.cgi is intended for use by other applications, not end-users, and it outputs data in only JavaScript or RDF, so it needs to output something here that makes sense for applications which expect data in those formats. At a minimum, that would be an empty (but valid) JS or RDF file. Ideally, it is some method of identifying to the application that a login is required (but perhaps this should wait for a web services interface).
Attachment #195827 -
Flags: review?(justdave) → review-
Assignee | ||
Comment 4•19 years ago
|
||
I now use Bugzilla->login(LOGIN_OPTIONAL) to avoid the login screen, but we return empty fields if the user is not logged in already.
Attachment #195827 -
Attachment is obsolete: true
Attachment #195960 -
Flags: review?(myk)
Assignee | ||
Updated•19 years ago
|
Attachment #195960 -
Flags: review?(justdave)
Comment 5•19 years ago
|
||
Comment on attachment 195960 [details] [diff] [review] patch for 2.20, v2 Looks good, works correctly on landfill. I thought it might produce some warnings or something, but nope, it's all clean. :-)
Attachment #195960 -
Flags: review?(myk)
Attachment #195960 -
Flags: review?(justdave)
Attachment #195960 -
Flags: review+
Assignee | ||
Comment 6•19 years ago
|
||
Attachment #197332 -
Flags: review?
Comment 7•19 years ago
|
||
Comment on attachment 197332 [details] [diff] [review] patch for the tip, v2 This looks good and works properly. By the way, I'm slightly concerned that we expose "maintainer" to people who aren't logged in, but that's not as much of an issue as the primary one in this bug, yes?
Attachment #197332 -
Flags: review? → review+
Comment 8•19 years ago
|
||
Actually, I think that exposing maintainer by default is a good idea. We might want to have a way to disable that, though. If we decide to do that, the param controlling it should discourage admins from doing it.
Assignee | ||
Comment 9•19 years ago
|
||
Attachment #197340 -
Flags: review?
Assignee | ||
Updated•19 years ago
|
Whiteboard: [patch for 2.18.4 awaiting review][ready for 2.20][ready for 2.21.1]
Comment 10•19 years ago
|
||
Comment on attachment 197340 [details] [diff] [review] patch for 2.18.4 Looks good to me! :-) And works on landfill.
Attachment #197340 -
Flags: review? → review+
Updated•19 years ago
|
Flags: approval?
Flags: approval2.20?
Flags: approval2.18?
Assignee | ||
Updated•19 years ago
|
Whiteboard: [patch for 2.18.4 awaiting review][ready for 2.20][ready for 2.21.1] → [ready for 2.18.4][ready for 2.20][ready for 2.21.1]
Updated•19 years ago
|
Flags: approval?
Flags: approval2.20?
Flags: approval2.20+
Flags: approval2.18?
Flags: approval2.18+
Flags: approval+
Assignee | ||
Comment 11•19 years ago
|
||
tip: Checking in config.cgi; /cvsroot/mozilla/webtools/bugzilla/config.cgi,v <-- config.cgi new revision: 1.12; previous revision: 1.11 done 2.20: Checking in config.cgi; /cvsroot/mozilla/webtools/bugzilla/config.cgi,v <-- config.cgi new revision: 1.8.4.1; previous revision: 1.8 done 2.18.4: Checking in config.cgi; /cvsroot/mozilla/webtools/bugzilla/config.cgi,v <-- config.cgi new revision: 1.5.2.1; previous revision: 1.5 done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•19 years ago
|
Summary: config.cgi doesn't check Param('requirelogin') → [SECURITY] config.cgi doesn't check Param('requirelogin')
Comment 12•19 years ago
|
||
Checking-in this bug caused Bugzilla to stop working with perl 5.6.1. For some reason, removing "use diagnostics" from config.cgi fixes this. Discussed it on IRC, got r+ and a+ there for the fix. For some reason, 2.18 is not affected. It's probably some weird perl 5.6.1 bug. tip: Checking in config.cgi; /cvsroot/mozilla/webtools/bugzilla/config.cgi,v <-- config.cgi new revision: 1.13; previous revision: 1.12 done 2.20: Checking in config.cgi; /cvsroot/mozilla/webtools/bugzilla/config.cgi,v <-- config.cgi new revision: 1.8.4.2; previous revision: 1.8.4.1 done
Comment 13•19 years ago
|
||
OK, security advisory sent, removing this bug from the sec group.
Group: webtools-security
Assignee | ||
Comment 14•19 years ago
|
||
(In reply to comment #12) > Remove "use diagnostics" from config.cgi to fix regression Strange, 'use diagnostics' was already in the file.
Comment 15•19 years ago
|
||
(In reply to comment #14) > Strange, 'use diagnostics' was already in the file. I know. As I said, it was an extremely strange bug. The error output looked like an endless loop inside of the "use" statement. I was probably some strange conflict in perl 5.6.1 between one of our modules and the diagnostics.pm module, I'd guess.
Comment 16•19 years ago
|
||
This was assigned to very new http://www.securityfocus.com/bid/14995 entitled as "Bugzilla config.cgi Information Disclosure Vulnerability" now.
You need to log in
before you can comment on or make changes to this bug.
Description
•