[SECURITY] Malicious attachments can change your user settings (user + email prefs, shared searches)

RESOLVED FIXED in Bugzilla 2.22

Status

Bugzilla
User Accounts
RESOLVED FIXED
9 years ago
5 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

Bugzilla 2.22
selenium
Bug Flags:
approval +
approval3.2 +
blocking3.2.1 +
approval3.0 +
blocking3.0.7 +
approval2.22 +
blocking2.22.7 +
testcase +

Attachments

(1 attachment)

(Assignee)

Description

9 years ago
If an HTML attachment contains an iframe pointing to userprefs.cgi, it can edit all your user + email prefs as well as your shared searches. userprefs.cgi should be protected by session tokens to prevent this kind of attack. Fortunately, these malicious attachments cannot change your password or your email address as your password is required.

Isn't this a duplicate or dependency of bug 26257?
(Assignee)

Comment 2

9 years ago
Not a dupe, no. Bug 26257 is about process_bug.cgi; this one is about userprefs.cgi. And we will probably use session tokens here, which is different from on-the-fly tokens used in bug 26257, so this bug doesn't depend on the other one.
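The following is an added illustration of the session-token check the bug asks for on userprefs.cgi; it is not Bugzilla's own code (Bugzilla is written in Perl and uses issue_session_token / check_token_data), and the function names issue_token, check_token and handle_prefs_post, the TOKEN_TTL value and the in-memory stores are constructed for this example. It shows why a cookie alone cannot stop a form submitted from an iframe inside an attachment: the browser attaches the session cookie to that request too, so the server must require a secret the attachment cannot read.

```python
"""Session-token (anti-CSRF) protection for a preferences form (added example)."""
import secrets

TOKEN_TTL = 3 * 3600  # seconds; constructed lifetime for this example

# Constructed in-memory stores standing in for the session, user-prefs and
# token tables of a real application.
SESSIONS = {"sess-alice": {"user": "alice"}}
PREFS = {"alice": {"display_quips": "on", "email_on_comment": "yes"}}
TOKENS = {}  # token -> (user, action, issued_at)
CLOCK = {"now": 1_000_000.0}  # constructed clock so expiry can be tested


def issue_token(session_id, action):
    """Mint a random token bound to the logged-in user and to one action.

    The legitimate form embeds this value as a hidden field. Only a page that
    can read the server's response (same origin) can learn it; an HTML
    attachment rendered in an iframe cannot.
    """
    user = SESSIONS[session_id]["user"]
    token = secrets.token_urlsafe(16)
    TOKENS[token] = (user, action, CLOCK["now"])
    return token


def check_token(session_id, action, token, now=None):
    """Validate and consume a token.

    It must exist, belong to this session's user, match the action and be
    younger than TOKEN_TTL. Returns True on success; the token is deleted
    whether it was valid or expired, so it cannot be replayed.
    """
    now = CLOCK["now"] if now is None else now
    record = TOKENS.pop(token, None)
    if record is None:
        return False
    user, token_action, issued_at = record
    if user != SESSIONS[session_id]["user"] or token_action != action:
        return False
    if now - issued_at > TOKEN_TTL:
        return False
    return True


def handle_prefs_post(session_id, form, now=None):
    """Server side of the 'save preferences' POST.

    session_id arrives via the cookie on every request the browser makes,
    including one triggered by an iframe inside an attachment, so the
    accept/reject decision rests on the token field, never on the cookie.
    """
    token = form.get("token")
    if not token or not check_token(session_id, "edit_prefs", token, now):
        return {"status": "rejected", "reason": "missing or invalid token"}
    user = SESSIONS[session_id]["user"]
    for key, value in form.items():
        if key != "token" and key in PREFS[user]:
            PREFS[user][key] = value
    return {"status": "ok"}


def demo():
    """Legitimate submission versus a cross-site one, for reading the block."""
    token = issue_token("sess-alice", "edit_prefs")
    legit = handle_prefs_post("sess-alice", {"token": token, "display_quips": "off"})
    forged = handle_prefs_post("sess-alice", {"email_on_comment": "no"})
    return legit["status"], forged["status"], dict(PREFS["alice"])


if __name__ == "__main__":
    print(demo())
```

The token is single-use and action-bound, which is the "session token" style the assignee contrasts with the on-the-fly tokens of bug 26257: it is minted when the form is served and checked once when the form comes back, rather than derived per request.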
(Assignee)

Comment 3

9 years ago
Created attachment 355877 [details] [diff] [review]
patch, v1
Assignee: user-accounts → LpSolit
Status: NEW → ASSIGNED
Attachment #355877 - Flags: review?(mkanat)
Comment on attachment 355877 [details] [diff] [review]
patch, v1

Simple but effective against the few test cases I could think of. I'm sure this gives the same level of protection to userprefs as our other session-token-protected actions already have.

The patch also doesn't prevent changing prefs, not even multiple times in a row. Overriding works except for password and email changes, since the old password gets lost. I don't think that matters since you can always just reload the entire form (and changing email before the token expires isn't allowed either).

Since this is the first non-edit*.cgi script that uses check_token_data and the related admin/confirm-action.html.tmpl template, the term "administrative form" in line 32 of that template might not be entirely accurate now. I'm not going to hold the review for that, though.
Attachment #355877 - Flags: review?(mkanat) → review+
Flags: approval?
Flags: approval3.2?
Flags: approval3.0?
Flags: approval2.22?
Summary: Malicious attachments can change your user settings (user + email prefs, shared searches) → [SECURITY] Malicious attachments can change your user settings (user + email prefs, shared searches)
(Assignee)

Comment 5

9 years ago
Let's take it for 3.3.2 & co as it's ready.
Blocks: 468249
Flags: blocking3.2.1+
Flags: blocking3.0.7+
Flags: blocking2.22.7+
(Assignee)

Updated

9 years ago
Flags: approval?
Flags: approval3.2?
Flags: approval3.2+
Flags: approval3.0?
Flags: approval3.0+
Flags: approval2.22?
Flags: approval2.22+
Flags: approval+
(Assignee)

Comment 6

9 years ago
tip:

Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.126; previous revision: 1.125
done
Checking in template/en/default/account/prefs/prefs.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/prefs.html.tmpl,v  <--  prefs.html.tmpl
new revision: 1.31; previous revision: 1.30
done


3.2:

Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.120.2.2; previous revision: 1.120.2.1
done
Checking in template/en/default/account/prefs/prefs.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/prefs.html.tmpl,v  <--  prefs.html.tmpl
new revision: 1.30.2.1; previous revision: 1.30
done


3.0.6:

Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.112.2.5; previous revision: 1.112.2.4
done
Checking in template/en/default/account/prefs/prefs.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/prefs.html.tmpl,v  <--  prefs.html.tmpl
new revision: 1.27.2.1; previous revision: 1.27
done


2.22.6:

Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.95.2.1; previous revision: 1.95
done
Checking in template/en/default/account/prefs/prefs.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/account/prefs/prefs.html.tmpl,v  <--  prefs.html.tmpl
new revision: 1.21.2.2; previous revision: 1.21.2.1
done
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 7

9 years ago
Removing this bug from the security group, as the Security Advisory was sent (bug 468249)
Group: bugzilla-security
(Assignee)

Updated

9 years ago
Flags: testcase?
(Assignee)

Updated

7 years ago
Duplicate of this bug: 621104
(Assignee)

Comment 9

6 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/qa/4.2/
modified t/test_security.t
Committed revision 208.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/qa/4.0/
modified t/test_security.t
Committed revision 197.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/qa/3.6/
modified t/test_security.t
Committed revision 155.
Flags: testcase? → testcase+
(Assignee)

Updated

5 years ago
Keywords: selenium