428285 - process_bug.cgi still prone to CSRF

Status: RESOLVED DUPLICATE of bug 26257

(Bugzilla :: Creating/Changing Bugs, defect)

Description

[Ludwig Nussel]

User-Agent:       Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.7 (like Gecko) SUSE
Build Identifier: 

process_bug.cgi is still prone to cross site request forgery as it does not use a token like other pages (see also bug 281181). That means a specially crafted URL can for example remove the privacy flag or add random people to private bugs' CC.

The problem was already mentioned in the long discussion around the quite old bug 26257 but not fixed in bugzilla 3.0.3 yet.

I'd also like to inform vendor-sec about this problem as several distributions ship bugzilla packages.

Reproducible: Always

Comment 1

[Frédéric Buclin]

This problem is known for a very long time. And as you said yourself, is already reported in bug 26257.

Comment 2

[Ludwig Nussel]

bug 281181 was not marked as duplicate but fixed as security issue. What about fixing this one as well?

Comment 3

[Frédéric Buclin]

(In reply to comment #2)
> bug 281181 was not marked as duplicate but fixed as security issue. What about
> fixing this one as well?

Bug 281181 is not about process_bug.cgi, but about admin pages. So it isn't a duplicate as they are not talking about the same pages. About process_bug.cgi, we have to find a way which won't break applications which interact with it and which do not expect a token to be passed to it (such as email_in.pl). That's why it's not fixed yet. We first need to find the correct way to fix it.

Comment 4

[Max Kanat-Alexander]

This bug is being removed from the security group because the bug that it is a duplicate of is now public, since it has been fixed and a Security Advisory has been sent about it. See bug 468249 for the Security Advisory.