Closed Bug 343752 Opened 18 years ago Closed 18 years ago

The 'order' field in buglist.cgi is not properly parsed when using aliases

Categories

(Bugzilla :: Query/Bug List, defect)

2.20.1
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Bugzilla 2.22

People

(Reporter: bmc, Assigned: LpSolit)

References

()

Details

(Keywords: regression)

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3 Build Identifier: 2.22-stable $order is not properly validated before it is thunked into the SQL for the search query. This allows for SQL injection, though, a rather limited SQL injection. Reproducible: Always Steps to Reproduce: http://landfill.bugzilla.org/bugzilla-tip/buglist.cgi?emailtype1=substring&email1=foo&emailreporter1=1&order=CASE%20WHEN%20map_assigned_to.realname%20%3D%20%27%27%20THEN%20map_assigned_to.login_name%20ELSE%20map_assigned_to.realname%20END%20AS%20assigned_to_realname Actual Results: On tip: Software error: DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FROM bugs INNER JOIN profiles AS map_assigned_to ON (bugs.assigned_to = map_ass' at line 1 [for Statement "SELECT bugs.bug_id, bugs.bug_severity, bugs.priority, bugs.bug_status, bugs.resolution, map_products.name, bugs.bug_severity, bugs.priority, bugs.op_sys, map_assigned_to.login_name, bugs.bug_status, bugs.resolution, bugs.short_desc, FROM bugs INNER JOIN profiles AS map_assigned_to ON (bugs.assigned_to = map_assigned_to.userid) INNER JOIN products AS map_products ON (bugs.product_id = map_products.id) LEFT JOIN bug_group_map ON bug_group_map.bug_id = bugs.bug_id AND bug_group_map.group_id NOT IN (6,7) LEFT JOIN cc ON cc.bug_id = bugs.bug_id AND cc.who = 15660 WHERE ((bugs.reporter IN (729,995,1014,1076,1552,1617,1663,1733,2061,2136,2358,2968,3045,3274,3430,4086,4275,4579,5113,5197,5246,5495,5843,6289,6901,7295,8100,8321,8443,9045,9245,9318,9438,9479,9620,10793,14421,14955,15198,15263,16077,16078,16617))) AND bugs.creation_ts IS NOT NULL AND ((bug_group_map.group_id IS NULL) OR (bugs.reporter_accessible = 1 AND bugs.reporter = 15660) OR (bugs.cclist_accessible = 1 AND cc.who IS NOT NULL) OR (bugs.assigned_to = 15660) OR (bugs.qa_contact = 15660) ) GROUP BY bugs.bug_id ORDER BY assigned_to_realname"] at /var/www/html/bugzilla-tip/buglist.cgi line 904 For help, please send mail to the webmaster (webmaster@bugzilla.org), giving this error message and the time and date of the error. On 2.22: Software error: DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FROM bugs INNER JOIN profiles AS map_assigned_to ON (bugs.assigned_to = map_ass' at line 1 [for Statement "SELECT bugs.bug_id, bugs.bug_severity, bugs.priority, bugs.bug_status, bugs.resolution, map_products.name, bugs.bug_severity, bugs.priority, bugs.rep_platform, map_assigned_to.login_name, bugs.bug_status, bugs.resolution, bugs.short_desc, FROM bugs INNER JOIN profiles AS map_assigned_to ON (bugs.assigned_to = map_assigned_to.userid) INNER JOIN products AS map_products ON (bugs.product_id = map_products.id) INNER JOIN profiles AS map_reporter ON (bugs.reporter = map_reporter.userid) LEFT JOIN bug_group_map ON bug_group_map.bug_id = bugs.bug_id AND bug_group_map.group_id NOT IN (6,7) LEFT JOIN cc ON cc.bug_id = bugs.bug_id AND cc.who = 12148 WHERE ((INSTR(CAST(LOWER(map_reporter.login_name) AS BINARY), CAST('bmc' AS BINARY)) > 0)) AND bugs.creation_ts IS NOT NULL AND ((bug_group_map.group_id IS NULL) OR (bugs.reporter_accessible = 1 AND bugs.reporter = 12148) OR (bugs.cclist_accessible = 1 AND cc.who IS NOT NULL) OR (bugs.assigned_to = 12148) OR (bugs.qa_contact = 12148) ) GROUP BY bugs.bug_id ORDER BY assigned_to_realname"] at /var/www/html/bugzilla-2.20-branch/buglist.cgi line 871 For help, please send mail to the webmaster (webmaster@bugzilla.org), giving this error message and the time and date of the error. Expected Results: The same error message that other sort errors give: The custom sort order specified in your form submission contains an invalid column name $FOO.
This does not seem to be the case. While the particular example causes an SQL error, hacking the order parameter to something else fails validation.
Attached patch patch, v1Splinter Review
When converting the column name to its ID, we were looking at the wrong place. The ID *is* in the keys of the hash, not in its values. There is no SQL injection here, only an empty string which is added to the SQL query, so that we get: SELECT foo1, foo2, FROM bugs ... instead of SELECT foo1, foo2, new_field FROM bugs ...
Assignee: query-and-buglist → LpSolit
Status: UNCONFIRMED → ASSIGNED
Attachment #228299 - Flags: review?(wurblzap)
This issue was introduced in bug 302326. Not a security bug.
Group: webtools-security
Severity: critical → normal
Keywords: regression
OS: Mac OS X 10.3 → All
Hardware: Macintosh → All
Summary: order not properly validated → The 'order' field in buglist.cgi is not properly parsed when using aliases
Target Milestone: --- → Bugzilla 2.22
Version: unspecified → 2.20.1
I'm afraid I'm on the completely wrong track when looking at this. I'd've thought I can reproduce this by looking at a bug list and clicking on an aliased column's header such as Reporter Real Name. But this works. What am I missing?
Marc, look at the URL field of this bug. Copy and paste it to your 2.22 and/or tip installation. Or use the link from comment 0. It's a good thing that the UI doesn't let you crash Bugzilla. As I said on IRC, you have to hack the URL directly to crash it.
Attachment #228299 - Flags: review?(wurblzap) → review+
Flags: approval?
Flags: approval2.22?
Flags: approval?
Flags: approval2.22?
Flags: approval2.22+
Flags: approval+
tip: Checking in buglist.cgi; /cvsroot/mozilla/webtools/bugzilla/buglist.cgi,v <-- buglist.cgi new revision: 1.342; previous revision: 1.341 done 2.22: Checking in buglist.cgi; /cvsroot/mozilla/webtools/bugzilla/buglist.cgi,v <-- buglist.cgi new revision: 1.325.2.2; previous revision: 1.325.2.1 done
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: