Closed Bug 308662 Opened 19 years ago Closed 19 years ago

[SECURITY] User matching bypasses 'usevisibilitygroups' restrictions

Categories: Bugzilla :: User Accounts, defect
Version: 2.20
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED
Target Milestone: Bugzilla 2.20

People: Reporter: LpSolit, Assigned: bugreport

References

Details

Keywords: selenium
Whiteboard: [does not affect 2.18][ready for 2.20][ready for 2.21.1]

Attachments: 1 file

When using substrings in User::match(), i.e. when user matching is in use with
the "search" mode activated, I am able to access user accounts I am not allowed
to see, even though 'usevisibilitygroups' is turned on. The "wildcards" mode seems
to work as expected, i.e. it really restricts its search to user accounts I am
allowed to see.
Flags: blocking2.20?
Target Milestone: --- → Bugzilla 2.20
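The behaviour the reporter describes, as an added illustration that is not Bugzilla's own code and not the patch attached to this bug: a user-matching lookup that applies the visibility-group restriction on the "wildcards" path but forgets it on the "search" (substring) path, beside a fixed version that applies it in both modes. The profiles table, the sample accounts and the VISIBLE_TO_REQUESTER set are constructed for the example and do not reflect Bugzilla's real schema or group model.

```python
import sqlite3

# Constructed sample data (not Bugzilla's real profiles schema).
ACCOUNTS = [
    (1, "alice@example.com", "Alice Public"),
    (2, "bob@example.com", "Bob Public"),
    (3, "carol@partner.example", "Carol Confidential"),
]

# Assumed for the example: with usevisibilitygroups on, the requesting user
# may only see accounts 1 and 2; account 3 belongs to a group they cannot see.
VISIBLE_TO_REQUESTER = {1, 2}


def _open_db():
    """Build an in-memory table holding the constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE profiles "
        "(userid INTEGER PRIMARY KEY, login_name TEXT, realname TEXT)"
    )
    db.executemany("INSERT INTO profiles VALUES (?, ?, ?)", ACCOUNTS)
    return db


def _pattern(text, mode):
    """Turn the user's input into a LIKE pattern for the requested mode."""
    if mode == "wildcards":
        return text.replace("*", "%")      # user-supplied '*' becomes '%'
    if mode == "search":
        return "%" + text + "%"            # substring match anywhere
    raise ValueError("unknown match mode: %r" % mode)


def _run(text, mode, visible_ids, restrict):
    """Run the match query; 'restrict' decides whether the visibility
    filter is appended. visible_ids=None models usevisibilitygroups=off."""
    pat = _pattern(text, mode)
    sql = ("SELECT login_name FROM profiles "
           "WHERE (login_name LIKE ? OR realname LIKE ?)")
    params = [pat, pat]
    if restrict and visible_ids is not None:
        if not visible_ids:
            return []                      # nothing visible, nothing to return
        placeholders = ",".join("?" * len(visible_ids))
        sql += " AND userid IN (%s)" % placeholders
        params.extend(sorted(visible_ids))
    db = _open_db()
    try:
        rows = db.execute(sql + " ORDER BY login_name", params).fetchall()
    finally:
        db.close()
    return [row[0] for row in rows]


def match_vulnerable(text, mode, visible_ids):
    """Flawed variant: the visibility filter is only applied on the
    wildcard path, so substring ("search") lookups leak hidden accounts."""
    return _run(text, mode, visible_ids, restrict=(mode == "wildcards"))


def match_fixed(text, mode, visible_ids):
    """Corrected variant: the visibility filter is applied in every mode."""
    return _run(text, mode, visible_ids, restrict=True)


if __name__ == "__main__":
    print("vulnerable search:", match_vulnerable("carol", "search", VISIBLE_TO_REQUESTER))
    print("fixed search:     ", match_fixed("carol", "search", VISIBLE_TO_REQUESTER))
    print("wildcards (both): ", match_fixed("*example.com", "wildcards", VISIBLE_TO_REQUESTER))
```

The check a practitioner wants here is the one the reporter ran: issue the same lookup in both modes against an account the caller is not allowed to see, and confirm that neither mode returns it while the visibility feature is on.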
I'd actually rather move this particular sec bug to 2.20.1, as we will have
other known issues with usevisibilitygroups in 2.20, and I don't want to put off
2.20 forever.
Flags: blocking2.20? → blocking2.20.1+
Attached patch: Fix the query (Splinter Review)
Assignee: user-accounts → bugreport
Status: NEW → ASSIGNED
Attachment #196168 - Flags: review?(LpSolit)
Comment on attachment 196168 [details] [diff] [review]
Fix the query

r=LpSolit for both the tip and 2.20.
Attachment #196168 - Flags: review?(LpSolit) → review+
Flags: approval?
Flags: approval2.20?
Whiteboard: [does not affect 2.18][ready for 2.20][ready for 2.21.1]
This is a small enough change that it can block 2.20.
Flags: blocking2.20.1+ → blocking2.20+
Blocks: 309863
Flags: approval?
Flags: approval2.20?
Flags: approval2.20+
Flags: approval+
tip:

Checking in Bugzilla/User.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/User.pm,v  <--  User.pm
new revision: 1.86; previous revision: 1.85
done

2.20:

Checking in Bugzilla/User.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/User.pm,v  <--  User.pm
new revision: 1.61.2.10; previous revision: 1.61.2.9
done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Summary: User matching bypasses 'usevisibilitygroups' restrictions → [SECURITY] User matching bypasses 'usevisibilitygroups' restrictions
OK, security advisory sent, removing this bug from the security group.
Group: webtools-security
This was assigned to the very new http://www.securityfocus.com/bid/14996, entitled
"Bugzilla User-Matching Information Disclosure Vulnerability", now.
Flags: testcase+
Keywords: selenium