Bug 434801 - [SECURITY] .htaccess doesn't prevent reading old-params.txt from the web
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Installation & Upgrading
Version: 3.1.4
Platform: All All
Importance: -- normal
Target Milestone: Bugzilla 3.4
Assigned To: Reed Loden [:reed]
QA Contact: default-qa
Duplicates: 534798
Blocks: 532517
Reported: 2008-05-20 10:35 PDT by Frédéric Buclin
Modified: 2010-01-31 19:07 PST
Flags: LpSolit: approval+, LpSolit: blocking3.6+, LpSolit: approval3.4+, LpSolit: blocking3.4.5+

Attachments:
patch - v1 (tip) (1.96 KB, patch), 2009-12-14 20:43 PST, Reed Loden [:reed], mkanat: review-
patch - v2 (tip) (3.62 KB, patch), 2009-12-30 16:21 PST, Reed Loden [:reed], mkanat: review+
patch - v3 (tip) (3.74 KB, patch), 2009-12-31 08:40 PST, Reed Loden [:reed], no flags
patch - v3 (tip) (3.62 KB, patch), 2009-12-31 08:40 PST, Reed Loden [:reed], reed: review+
patch - v1 (3.4 branch) (3.59 KB, patch), 2009-12-31 11:44 PST, Reed Loden [:reed], mkanat: review+

Description Frédéric Buclin 2008-05-20 10:35:31 PDT
When a parameter becomes obsolete, checksetup.pl automatically moves it into old-params.txt. If you have an old enough installation, or if you have customized your installation with your own parameters and some of these parameters are no longer in use, they will become publicly accessible from the web as .htaccess doesn't protect old-params.txt. This may be a problem if some parameters contain sensitive data (such as passwords), e.g. smtp_password and smtp_username (assuming they become obsolete one day).

.htaccess needs to be updated to protect old-params.txt.
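An added example (not from this bug or the Bugzilla project) that audits an installation for the exposure described above and remediates it the way the eventual fix did, by moving the file under data/ (which Bugzilla's own data/.htaccess denies) and restricting its mode. It assumes the argument is the Bugzilla web root with a data/ subdirectory; the check for a literal old-params.txt entry in the root .htaccess is a heuristic, since the stock file in this version does not list it.

```shell
# check_old_params ROOT : returns 0 if old-params.txt is not web-exposed, 1 otherwise
# fix_old_params   ROOT : moves a root-level old-params.txt into data/ with mode 0600
# ROOT is assumed to be the Bugzilla web root (added example, not Bugzilla code).

check_old_params() {
    root="$1"
    exposed=0
    # A file in the web root is served unless the root .htaccess denies it;
    # grep for the name is a heuristic for a matching Deny/FilesMatch entry.
    if [ -f "$root/old-params.txt" ]; then
        if ! grep -q 'old-params.txt' "$root/.htaccess" 2>/dev/null; then
            echo "EXPOSED: $root/old-params.txt is in the web root and not denied by .htaccess"
            exposed=1
        fi
    fi
    # Even under data/ (denied by data/.htaccess) the file should not be
    # group- or world-readable: obsolete free-form params may hold secrets.
    if [ -f "$root/data/old-params.txt" ]; then
        mode=$(stat -c '%a' "$root/data/old-params.txt" 2>/dev/null \
               || stat -f '%Lp' "$root/data/old-params.txt")
        case "$mode" in
            600|400) ;;
            *) echo "WEAK PERMS: data/old-params.txt is mode $mode"; exposed=1 ;;
        esac
    fi
    return $exposed
}

fix_old_params() {
    root="$1"
    mkdir -p "$root/data"
    if [ -f "$root/old-params.txt" ]; then
        # Append rather than clobber, in case checksetup.pl already wrote
        # a new data/old-params.txt after the upgrade.
        cat "$root/old-params.txt" >> "$root/data/old-params.txt"
        rm -f "$root/old-params.txt"
    fi
    if [ -f "$root/data/old-params.txt" ]; then
        chmod 600 "$root/data/old-params.txt"
    fi
    check_old_params "$root"
}
```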
Comment 1 Frédéric Buclin 2009-11-25 17:09:53 PST
Bugzilla 3.2 is restricted to security bugs only. Moreover, this bug is either assigned to nobody or got no traction for several months now. Rather than retargeting it at each new release, I'm clearing the target milestone and the bug will be retargeted to some sensible release when someone starts fixing this bug for real (Bugzilla 3.8 more likely).
Comment 2 Reed Loden [:reed] 2009-12-14 20:41:11 PST
*** Bug 534798 has been marked as a duplicate of this bug. ***
Comment 3 Reed Loden [:reed] 2009-12-14 20:43:05 PST
Created attachment 417617 [details] [diff] [review]
patch - v1 (tip)

Patch from bug 534798.
Comment 4 Max Kanat-Alexander 2009-12-15 13:16:22 PST
Comment on attachment 417617 [details] [diff] [review]
patch - v1 (tip)

I just checked in _rename_file, so you can use that instead, and it should probably be in Bugzilla/Install/FileSystem if possible. Look at how we do it for data/mailer.testfile on 3.4 tip and trunk.
Comment 5 Max Kanat-Alexander 2009-12-15 13:40:23 PST
Also, what security implications does this have? Has there ever been a parameter moved into that file that would contain confidential information?
Comment 6 Frédéric Buclin 2009-12-15 13:45:18 PST
(In reply to comment #5)
> Also, what security implications does this have? Has there ever been a
> parameter moved into that file that would contain confidential information?

Not yet, which is why I didn't restrict the bug to the security group when I reported it last year. IMO, it's rather a "good to fix" bug than a real security one.
Comment 7 Reed Loden [:reed] 2009-12-15 13:59:50 PST
(In reply to comment #6)
> (In reply to comment #5)
> > Also, what security implications does this have? Has there ever been a
> > parameter moved into that file that would contain confidential information?
> 
> Not yet, which is why I didn't restrict the bug to the security group when I
> reported it last year. IMO, it's rather a "good to fix" bug than a real
> security one.

Bug 314871 is considered a security issue, and it's even more trivial than this bug, so I definitely think this should be considered a security issue.
Comment 8 Reed Loden [:reed] 2009-12-30 16:21:59 PST
Created attachment 419624 [details] [diff] [review]
patch - v2 (tip)

Oops, I wrote this two weeks ago and forgot to attach it. :/
Comment 9 Max Kanat-Alexander 2009-12-31 02:26:01 PST
Comment on attachment 419624 [details] [diff] [review]
patch - v2 (tip)

  Looks fine. :-)

>Index: Bugzilla/Config.pm
>+    my $datadir = bz_locations()->{'datadir'};
>+    my $old_param_file = "$datadir/old-params.txt";
>     if (scalar(keys %oldparams)) {
>-        my $op_file = new IO::File('old-params.txt', '>>', 0600)
>-          || die "old-params.txt: $!";
>+        my $op_file = new IO::File($old_param_file, '>>', 0600)
>+          || die "Couldn't create old-params.txt file: $!";
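Review bot: the 0600 passed on the "new IO::File($old_param_file, '>>', 0600)" line only takes effect when the file is created, so a data/old-params.txt that already exists with a wider mode keeps it; and this hunk only changes where newly obsoleted parameters are appended, so the old-params.txt already sitting in the web root (the file this bug is about) still has to be moved into datadir, which is the _rename_file step comment 4 asks for and is outside the quoted lines. Worth confirming that the Bugzilla/Install/Filesystem.pm part of the patch both moves the existing file and sets its mode.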

  Error should contain $old_param_file instead of "old-params.txt".
Comment 10 Max Kanat-Alexander 2009-12-31 02:27:20 PST
I'm really of the opinion that this is not a security bug. Is there any research that shows that this could possibly actually expose something security-related from Bugzilla's history of parameters? As far as bug 314871, there is a possible security issue with it, as listed in the comments of that bug.
Comment 11 Reed Loden [:reed] 2009-12-31 08:40:12 PST
Created attachment 419686 [details] [diff] [review]
patch - v3 (tip)
Comment 12 Reed Loden [:reed] 2009-12-31 08:40:59 PST
Created attachment 419687 [details] [diff] [review]
patch - v3 (tip)

er, the real v3.
Comment 13 Reed Loden [:reed] 2009-12-31 08:45:37 PST
(In reply to comment #10)
> I'm really of the opinion that this is not a security bug. Is there any
> research that shows that this could possibly actually expose something
> security-related from Bugzilla's history of parameters?

Several of the parameters removed over the years have been free-form text fields. There's no way for us to know if such fields contain private/confidential information, and if they do, such information would be leaked via old-params.txt even if the Bugzilla instance itself is locked down in other ways. So, yes, this is an information leak security bug.
Comment 14 Reed Loden [:reed] 2009-12-31 11:44:43 PST
Created attachment 419695 [details] [diff] [review]
patch - v1 (3.4 branch)

Minor fuzz and one failed hunk from tip to 3.4, but same patch basically.
Comment 15 Max Kanat-Alexander 2010-01-01 10:09:37 PST
Comment on attachment 419695 [details] [diff] [review]
patch - v1 (3.4 branch)

Looks good. :-)
Comment 16 Reed Loden [:reed] 2010-01-26 00:54:35 PST
This will be classified under CVE-2009-3989.
Comment 17 Frédéric Buclin 2010-01-31 10:10:03 PST
Let's have it on our radar.
Comment 18 Frédéric Buclin 2010-01-31 16:50:28 PST
tip:

Checking in Bugzilla/Config.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Config.pm,v  <--  Config.pm
new revision: 1.83; previous revision: 1.82
done
Checking in Bugzilla/Install/Filesystem.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Install/Filesystem.pm,v  <--  Filesystem.pm
new revision: 1.47; previous revision: 1.46
done


3.4.4:

Checking in Bugzilla/Config.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Config.pm,v  <--  Config.pm
new revision: 1.76.2.1; previous revision: 1.76
done
Checking in Bugzilla/Install/Filesystem.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Install/Filesystem.pm,v  <--  Filesystem.pm
new revision: 1.34.2.4; previous revision: 1.34.2.3
done
Comment 19 Max Kanat-Alexander 2010-01-31 19:07:54 PST
Security advisory sent, removing from security group.