Closed Bug 508189 (CVE-2009-3166) Opened 15 years ago Closed 15 years ago

[SECURITY] Logging in after resetting your password exposes your new password in the URL

Categories: Bugzilla :: User Accounts
Type: defect; Priority: Not set; Severity: normal
Tracking: RESOLVED FIXED, Bugzilla 3.4
People: Reporter: mkanat, Assigned: mkanat
Attachments: 1 file

For some reason or another, when I log in after changing my password on token.cgi, my password is shown in the URL. This isn't a major issue, but something that we should fix for sure.
I'm pretty sure this is due to bug 502641, meaning that 3.4rc1 and above are affected.
(In reply to comment #1)
> I'm pretty sure this is due to bug 502641

Hum, no. Backing out this patch didn't change anything.
Note that token.cgi should redirect you to index.cgi anyway, as trying to log in while viewing this page throws an error due to an invalid token. This would also fix this bug.
Severity: minor → normal
Flags: blocking3.4.2+
Attached patch v1 - Branch
This fixes the issue on the branch. There is, however, a more significant problem, which is that $cgi->query_string is returning POST variables when it really shouldn't be. So I have to figure out what to do about that. However, that may be something we only fix on trunk, it being a risky and large change to the behavior of CGI.pm. (But it may be causing other bugs on the branch, so we might have to fix it on the branch too.)
Assignee: user-accounts → mkanat
Status: NEW → ASSIGNED
Attachment #396909 - Flags: review?(LpSolit)
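As an added illustration (not the patch attached to this bug, and not Bugzilla's own code): a small Perl script that simulates the password-change form POST and shows CGI.pm's query_string() rebuilding the posted password into a redirect URL, beside an allowlisted way of carrying only the parameters a redirect actually needs. The form field names and values are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla code: why a redirect URL built from
# CGI.pm's query_string() after a form POST leaks body fields.
use strict;
use warnings;
use CGI;

# Constructed POST body standing in for a password-change submission
# (field names are illustrative, not Bugzilla's real ones).
my $body = 'a=chgpw;t=TOKEN_PLACEHOLDER;password=NewSecret1';

# Simulate the request environment a web server would set up for a POST.
$ENV{REQUEST_METHOD} = 'POST';
$ENV{CONTENT_TYPE}   = 'application/x-www-form-urlencoded';
$ENV{CONTENT_LENGTH} = length $body;
$ENV{QUERY_STRING}   = '';
open STDIN, '<', \$body or die "cannot reopen STDIN: $!";

my $cgi = CGI->new;

# query_string() is rebuilt from every parameter CGI.pm has parsed, POST
# fields included, so a "send the user back where they were" URL made
# from it carries the new password into the Location header, the access
# log and the browser history.
my $leaky_redirect = '/token.cgi?' . $cgi->query_string;

# Safer: copy only an explicit allowlist of parameters, URL-encoded, so a
# posted password is never carried; values not present are skipped.
sub safe_redirect_url {
    my ($cgi, $script, @allowed) = @_;
    my @pairs;
    for my $name (@allowed) {
        my $value = $cgi->param($name);    # scalar context: one value
        next unless defined $value;
        push @pairs, CGI::escape($name) . '=' . CGI::escape($value);
    }
    return @pairs ? "$script?" . join('&', @pairs) : $script;
}

# Redirecting to a fixed page with no carried state, as suggested in the
# comments above, is the simplest form of this: call it with no names.
my $safe_redirect = safe_redirect_url($cgi, '/index.cgi', 'a');

print "leaky: $leaky_redirect\n";
print "safe:  $safe_redirect\n";
```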
Comment on attachment 396909 [details] [diff] [review] v1 - Branch

Tested on tip, works fine. r=LpSolit
Attachment #396909 - Flags: review?(LpSolit) → review+
Flags: approval?
Flags: approval3.4?
Summary: Logging in after changing your password exposes your new password in the URL → [SECURITY] Logging in after changing your password exposes your new password in the URL
Blocks: 515454
Alias: CVE-2009-3166
tip:
Checking in token.cgi;
/cvsroot/mozilla/webtools/bugzilla/token.cgi,v <-- token.cgi
new revision: 1.64; previous revision: 1.63
done

3.4:
Checking in token.cgi;
/cvsroot/mozilla/webtools/bugzilla/token.cgi,v <-- token.cgi
new revision: 1.60.2.3; previous revision: 1.60.2.2
done
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Flags: approval?
Flags: approval3.4?
Flags: approval3.4+
Flags: approval+
Resolution: --- → FIXED
Security advisory sent, unlocking bug.
Group: bugzilla-security
This has just shown up in 2.22 as well: http://bugs.gentoo.org/show_bug.cgi?id=308897

CVE-2009-3166 said "Versions: 3.4rc1 to 3.4.1", so that CVE needs an update, and the patch back-ported.
(In reply to comment #8)
> This has just showed up 2.22 as well:
> http://bugs.gentoo.org/show_bug.cgi?id=308897
>
> CVE-2009-3166 said "Versions: 3.4rc1 to 3.4.1", so that CVE needs an update,
> and the patch back-ported.

No, Bugzilla 2.22.x has been end-of-life'd since July 2009 and is completely unsupported. If you're still using Bugzilla 2.22.x, you're vulnerable to numerous security problems, and you should upgrade to the latest stable version of Bugzilla immediately.
However, we should ensure 3.0.x and 3.2.x are not affected by this bug, especially if 2.22.x is affected.
Nom'ing for blocking just to ensure this gets tested on 3.2.x and 3.0.x.
Flags: blocking3.2.7?
Flags: blocking3.0.12?
(In reply to comment #3)
> Note that token.cgi should redirect you to index.cgi anyway, as trying to log
> in while viewing this page throws an error due to an invalid token.

Indeed, see also bug 549814 and bug 398879.

(In reply to comment #4)
> There is, however, a more significant problem, which is that $cgi->query_string
> is returning POST variables when it really shouldn't be. So I have to figure
> out what to do about that. However, that may be something we only fix on trunk,
> it being a risky and large change to the behavior of CGI.pm. (But it may be
> causing other bugs on the branch, so we might have to fix it on the branch
> too.)

Filed this as bug 551651.
Summary: [SECURITY] Logging in after changing your password exposes your new password in the URL → [SECURITY] Logging in after resetting your password exposes your new password in the URL
Okay, so, it would be impossible to produce this bug before 3.4, because there was no way to log in on token.cgi itself. So anything that Gentoo is experiencing is some different bug, possibly specific to 2.22, which is EOL.
Flags: blocking3.2.7?
Flags: blocking3.2.7-
Flags: blocking3.0.12?
Flags: blocking3.0.12-