Bug 343752 (Closed)
Opened 18 years ago; Closed 18 years ago
The 'order' field in buglist.cgi is not properly parsed when using aliases
Categories: Bugzilla :: Query/Bug List, defect
Tracking: RESOLVED FIXED, Bugzilla 2.22
People: Reporter: bmc, Assigned: LpSolit
Details: Keywords: regression
Attachments (1 file): patch, 594 bytes, Wurblzap: review+
Description
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3
Build Identifier: 2.22-stable
$order is not properly validated before it is thunked into the SQL for the search query. This allows for SQL injection, though, a rather limited SQL injection.
Reproducible: Always
Steps to Reproduce:
http://landfill.bugzilla.org/bugzilla-tip/buglist.cgi?emailtype1=substring&email1=foo&emailreporter1=1&order=CASE%20WHEN%20map_assigned_to.realname%20%3D%20%27%27%20THEN%20map_assigned_to.login_name%20ELSE%20map_assigned_to.realname%20END%20AS%20assigned_to_realname
Actual Results:
On tip:
Software error:
DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FROM bugs INNER JOIN profiles AS map_assigned_to ON (bugs.assigned_to = map_ass' at line 1 [for Statement "SELECT bugs.bug_id, bugs.bug_severity, bugs.priority, bugs.bug_status, bugs.resolution, map_products.name, bugs.bug_severity, bugs.priority, bugs.op_sys, map_assigned_to.login_name, bugs.bug_status, bugs.resolution, bugs.short_desc, FROM bugs INNER JOIN profiles AS map_assigned_to ON (bugs.assigned_to = map_assigned_to.userid) INNER JOIN products AS map_products ON (bugs.product_id = map_products.id) LEFT JOIN bug_group_map ON bug_group_map.bug_id = bugs.bug_id AND bug_group_map.group_id NOT IN (6,7) LEFT JOIN cc ON cc.bug_id = bugs.bug_id AND cc.who = 15660 WHERE ((bugs.reporter IN (729,995,1014,1076,1552,1617,1663,1733,2061,2136,2358,2968,3045,3274,3430,4086,4275,4579,5113,5197,5246,5495,5843,6289,6901,7295,8100,8321,8443,9045,9245,9318,9438,9479,9620,10793,14421,14955,15198,15263,16077,16078,16617))) AND bugs.creation_ts IS NOT NULL AND ((bug_group_map.group_id IS NULL) OR (bugs.reporter_accessible = 1 AND bugs.reporter = 15660) OR (bugs.cclist_accessible = 1 AND cc.who IS NOT NULL) OR (bugs.assigned_to = 15660) OR (bugs.qa_contact = 15660) ) GROUP BY bugs.bug_id ORDER BY assigned_to_realname"] at /var/www/html/bugzilla-tip/buglist.cgi line 904
For help, please send mail to the webmaster (webmaster@bugzilla.org), giving this error message and the time and date of the error.
On 2.22:
Software error:
DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FROM bugs INNER JOIN profiles AS map_assigned_to ON (bugs.assigned_to = map_ass' at line 1 [for Statement "SELECT bugs.bug_id, bugs.bug_severity, bugs.priority, bugs.bug_status, bugs.resolution, map_products.name, bugs.bug_severity, bugs.priority, bugs.rep_platform, map_assigned_to.login_name, bugs.bug_status, bugs.resolution, bugs.short_desc, FROM bugs INNER JOIN profiles AS map_assigned_to ON (bugs.assigned_to = map_assigned_to.userid) INNER JOIN products AS map_products ON (bugs.product_id = map_products.id) INNER JOIN profiles AS map_reporter ON (bugs.reporter = map_reporter.userid) LEFT JOIN bug_group_map ON bug_group_map.bug_id = bugs.bug_id AND bug_group_map.group_id NOT IN (6,7) LEFT JOIN cc ON cc.bug_id = bugs.bug_id AND cc.who = 12148 WHERE ((INSTR(CAST(LOWER(map_reporter.login_name) AS BINARY), CAST('bmc' AS BINARY)) > 0)) AND bugs.creation_ts IS NOT NULL AND ((bug_group_map.group_id IS NULL) OR (bugs.reporter_accessible = 1 AND bugs.reporter = 12148) OR (bugs.cclist_accessible = 1 AND cc.who IS NOT NULL) OR (bugs.assigned_to = 12148) OR (bugs.qa_contact = 12148) ) GROUP BY bugs.bug_id ORDER BY assigned_to_realname"] at /var/www/html/bugzilla-2.20-branch/buglist.cgi line 871
For help, please send mail to the webmaster (webmaster@bugzilla.org), giving this error message and the time and date of the error.
Expected Results:
The same error message that other sort errors give:
The custom sort order specified in your form submission contains an invalid column name $FOO.
Comment 1•18 years ago
This does not seem to be the case. While the particular example causes an SQL error, hacking the order parameter to something else fails validation.
Comment 2•18 years ago (Assignee)
When converting the column name to its ID, we were looking at the wrong place. The ID *is* in the keys of the hash, not in its values.
There is no SQL injection here, only an empty string which is added to the SQL query, so that we get:
SELECT foo1, foo2, FROM bugs ...
instead of
SELECT foo1, foo2, new_field FROM bugs ...
Assignee: query-and-buglist → LpSolit
Status: UNCONFIRMED → ASSIGNED
Attachment #228299 - Flags: review?(wurblzap)
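A Python re-creation, added here and not Bugzilla's Perl, of the defect comment 2 describes: looking up the column on the wrong side of the ID-to-expression hash yields an empty ID that is spliced into the select list, beside the corrected key lookup that rejects unknown sort columns with the message the reporter expected. COLUMNS, DEFAULT_COLUMNS and the query shape are constructed stand-ins, not buglist.cgi's own code.

```python
import re

# Constructed column table modelled on buglist.cgi's: key = column ID, which
# is also the alias a user may name in 'order'; value = the SQL selected for it.
COLUMNS = {
    "bug_id": "bugs.bug_id",
    "assigned_to": "map_assigned_to.login_name",
    "assigned_to_realname": ("CASE WHEN map_assigned_to.realname = '' THEN "
                             "map_assigned_to.login_name ELSE map_assigned_to.realname END"),
    "short_desc": "bugs.short_desc",
}
DEFAULT_COLUMNS = ["bug_id", "assigned_to", "short_desc"]  # constructed default list

class InvalidSortColumn(ValueError):
    pass

def column_id_buggy(name):
    # Searches the hash *values* for a string that is actually a key, so an
    # alias such as 'assigned_to_realname' is never found and '' comes back.
    for cid, expr in COLUMNS.items():
        if expr == name:
            return cid
    return ""

def column_id_fixed(name):
    # The ID is the *key*; anything not on the allowlist is rejected with the
    # message the reporter expected, before any SQL is built.
    if name not in COLUMNS:
        raise InvalidSortColumn("The custom sort order specified in your form "
                                f"submission contains an invalid column name {name}.")
    return name

def build_query(order_param, lookup=column_id_fixed):
    # Sort columns not already selected are appended to the select list; that is
    # where the stray empty ID produces the ', FROM bugs' seen in the error output.
    names = [p.strip() for p in order_param.split(",") if p.strip()]
    ids = [lookup(n) for n in names]
    select_ids = DEFAULT_COLUMNS + [c for c in ids if c not in DEFAULT_COLUMNS]
    select_list = ", ".join(f"{COLUMNS[c]} AS {c}" if c else "" for c in select_ids)
    return f"SELECT {select_list} FROM bugs ORDER BY {', '.join(names)}"

def looks_well_formed(sql):
    # Cheap structural check for the symptom: an empty item in the select list.
    return re.search(r",\s*(,|FROM\b)", sql) is None

def is_rejected(order_param):
    # True when the fixed validation refuses the order string outright.
    try:
        build_query(order_param)
        return False
    except InvalidSortColumn:
        return True
```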
Comment 3•18 years ago (Assignee)
This issue was introduced in bug 302326. Not a security bug.
Group: webtools-security
Severity: critical → normal
Keywords: regression
OS: Mac OS X 10.3 → All
Hardware: Macintosh → All
Summary: order not properly validated → The 'order' field in buglist.cgi is not properly parsed when using aliases
Target Milestone: --- → Bugzilla 2.22
Version: unspecified → 2.20.1
Updated•18 years ago (Assignee)
Comment 4•18 years ago
I'm afraid I'm on the completely wrong track when looking at this. I'd've thought I can reproduce this by looking at a bug list and clicking on an aliased column's header such as Reporter Real Name. But this works. What am I missing?
Comment 5•18 years ago (Assignee)
Marc, look at the URL field of this bug. Copy and paste it to your 2.22 and/or tip installation. Or use the link from comment 0. It's a good thing that the UI doesn't let you crash Bugzilla. As I said on IRC, you have to hack the URL directly to crash it.
Updated•18 years ago
Attachment #228299 - Flags: review?(wurblzap) → review+
Updated•18 years ago
Flags: approval?
Flags: approval2.22?
Updated•18 years ago
Flags: approval?
Flags: approval2.22?
Flags: approval2.22+
Flags: approval+
Comment 6•18 years ago (Assignee)
tip:
Checking in buglist.cgi;
/cvsroot/mozilla/webtools/bugzilla/buglist.cgi,v <-- buglist.cgi
new revision: 1.342; previous revision: 1.341
done
2.22:
Checking in buglist.cgi;
/cvsroot/mozilla/webtools/bugzilla/buglist.cgi,v <-- buglist.cgi
new revision: 1.325.2.2; previous revision: 1.325.2.1
done
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED