Bug 417048 (CVE-2010-2756)

[SECURITY] Boolean charts let me query for users being in any given group

RESOLVED FIXED in Bugzilla 3.2

Status


Bugzilla
Query/Bug List
RESOLVED FIXED
10 years ago
7 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

2.19.1
Bugzilla 3.2
Bug Flags:
approval +
approval4.0 +
blocking4.0 +
approval3.6 +
blocking3.6.2 +
approval3.4 +
blocking3.4.8 +
approval3.2 +
blocking3.2.8 +

Details

Attachments

(3 attachments)

(Assignee)

Description

10 years ago
"ReportedBy" "is equal to" "%group.admin%" returns all bugs where the reporter is in the admin group, even though I'm not in the admin group and cannot access editusers.cgi (as I cannot bless anybody). AFAIK, such data should be restricted to power users who can access editusers.cgi. Moreover, query.cgi throws an error if I type a group name which doesn't exist, so I can use this trick to guess existing groups.

IMO, query.cgi should only let you enter group names you belong to, nothing more. Talking about this with dveditz and justdave on IRC, they both think it's not a problem on b.m.o, because they don't mind if people know who is in which group, but it may matter for some other installations, which is why I'm restricting this bug to the security group.

The %group.foo% group substitution feature was implemented in Bugzilla 2.20 in bug 244239, so this problem has existed for a long time.

Comment 1

10 years ago
Yes, I agree this is a security issue, for some installations, though not extremely serious.
Target Milestone: --- → Bugzilla 2.20
Group: webtools-security → bugzilla-security
Group: bugzilla-security → webtools-security
Group: webtools-security → bugzilla-security
(Assignee)

Comment 2

9 years ago
Bugzilla 2.20 is no longer supported. Retargeting to 2.22.
Target Milestone: Bugzilla 2.20 → Bugzilla 2.22
(Assignee)

Comment 3

8 years ago
Bugzilla 2.x is no longer supported. Retargeting to 3.0.
Target Milestone: Bugzilla 2.22 → Bugzilla 3.0
(Assignee)

Comment 4

7 years ago
Bugzilla 3.0 is EOL. We will retarget this bug when it's fixed.
Target Milestone: Bugzilla 3.0 → ---
(Assignee)

Comment 5

7 years ago
Created attachment 456161 [details] [diff] [review]
patch for 3.4 - 4.0, v1

Restrict the usage of %group.foo% to groups you belong to. Group visibility is already handled by ValidateGroupName().
Assignee: query-and-buglist → LpSolit
Status: NEW → ASSIGNED
Attachment #456161 - Flags: review?(mkanat)
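A small Python model of the %group.foo% substitution described in the bug description and of the membership restriction from comment 5. It is added here for illustration and is not Bugzilla's own Search.pm code; GROUPS, BUGS, the user logins and the exception class names are constructed assumptions.

```python
import re

# Added model (not Bugzilla's code) of the %group.name% substitution in
# boolean-chart searches such as: ReportedBy "is equal to" "%group.admin%".
# GROUPS and BUGS are constructed sample data.
GROUPS = {
    "admin": {"alice@example.org"},
    "editbugs": {"alice@example.org", "bob@example.org"},
}
BUGS = [(1, "alice@example.org"), (2, "bob@example.org"), (3, "dave@example.org")]
GROUP_TOKEN = re.compile(r"^%group\.([^%]+)%$")


class InvalidGroupName(Exception):
    """No such group (what Bugzilla's ValidateGroupName() rejects)."""


class NotAGroupMember(Exception):
    """The searcher is not a member of the named group."""


def expand_vulnerable(value, user):
    """Pre-fix behaviour: any existing group expands to its members; `user` is ignored."""
    m = GROUP_TOKEN.match(value)
    if not m:
        return {value}
    name = m.group(1)
    if name not in GROUPS:
        raise InvalidGroupName(name)
    return set(GROUPS[name])


def expand_fixed(value, user):
    """Post-fix behaviour: the token expands only for groups `user` belongs to."""
    m = GROUP_TOKEN.match(value)
    if not m:
        return {value}
    name = m.group(1)
    if name not in GROUPS:
        raise InvalidGroupName(name)
    if user not in GROUPS[name]:
        raise NotAGroupMember(name)
    return set(GROUPS[name])


def search_reported_by(value, user, expand=expand_fixed):
    """Run the chart 'ReportedBy is equal to <value>' as `user`; returns bug ids."""
    reporters = expand(value, user)
    return sorted(bug_id for bug_id, reporter in BUGS if reporter in reporters)
```

With the fixed expansion, a non-member searching on %group.admin% gets the same kind of error as for a group they cannot use, instead of the admin group's bug list.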

Updated

7 years ago
Attachment #456161 - Flags: review?(mkanat) → review+

Comment 6

7 years ago
Once we branch, Search.pm is going to change pretty rapidly. I already know that the area around this patch will change with a patch that I already have pending checkin. But the patch should be un-bitrottable with little change.
Target Milestone: --- → Bugzilla 3.2

Updated

7 years ago
Flags: blocking3.6.2+
Flags: blocking3.2.8+
Flags: approval?
Flags: approval3.4+
(Assignee)

Updated

7 years ago
Flags: blocking4.0+
Flags: blocking3.4.8+
Flags: approval3.6?
Flags: approval3.4?
Flags: approval3.4+
Flags: approval3.2?
Summary: Boolean charts let me query for users being in any given group → [SECURITY] Boolean charts let me query for users being in any given group
(Assignee)

Comment 7

7 years ago
Created attachment 456168 [details] [diff] [review]
patch for 3.2, v1

Same patch as for 3.4 - 4.0, but fixed a tiny bitrot.
Attachment #456168 - Flags: review?(mkanat)

Updated

7 years ago
Attachment #456168 - Flags: review?(mkanat) → review+
(Assignee)

Updated

7 years ago
Flags: approval4.0?

Comment 8

7 years ago
It should be safe to re-write the patch for trunk now. The code moved into a different location than it is in 4.0, so the 4.0 patch won't apply.
(Assignee)

Updated

7 years ago
Attachment #456161 - Attachment description: patch, v1 → patch for 3.4 - 4.0, v1
(Assignee)

Updated

7 years ago
Depends on: 579797
(Assignee)

Comment 9

7 years ago
(In reply to comment #8)
> It should be safe to re-write the patch for trunk now.

Bug 579797 must be fixed first, as Search.pm now leaks too much information.

Comment 10

7 years ago
(In reply to comment #9)
> Bug 579797 must be fixed first, as Search.pm now leaks too much information.

No, it does not, see my comment there. We decided that group names are no longer confidential in the guessing sense. That is, if you guess, we'll tell you explicitly whether or not they don't exist. If you want to have a technical discussion about this, we should do it on the developers list.
(Assignee)

Comment 11

7 years ago
Created attachment 458607 [details] [diff] [review]
patch for 4.2, v1
Attachment #458607 - Flags: review?(mkanat)

Comment 12

7 years ago
Comment on attachment 458607 [details] [diff] [review]
patch for 4.2, v1

Looks good.
Attachment #458607 - Flags: review?(mkanat) → review+
(Assignee)

Updated

7 years ago
Blocks: 580214
(Assignee)

Updated

7 years ago
Version: 3.1.3 → 2.19.1
Alias: CVE-2010-2756
(Assignee)

Updated

7 years ago
Flags: approval?
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval3.4?
Flags: approval3.4+
Flags: approval3.2?
Flags: approval3.2+
Flags: approval+
(Assignee)

Comment 13

7 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Search.pm
Committed revision 7428.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified Bugzilla/Search.pm
Committed revision 7369.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Search.pm
Committed revision 7157.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified Bugzilla/Search.pm
Committed revision 6771.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.2/
modified Bugzilla/Search.pm
Committed revision 6392.
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Comment 14

7 years ago
Security advisory sent, unlocking bug.
Group: bugzilla-security