Closed Bug 621110 Opened 13 years ago Closed 13 years ago

[SECURITY] Quips (adding/approving/deleting) lacks CSRF protection

Product / Component: Bugzilla :: Bugzilla-General
Type: defect
Version: 3.6.3
Priority: Not set
Severity: minor
Status: RESOLVED FIXED
Target Milestone: Bugzilla 3.2
Reporter: reed; Assigned: LpSolit
Whiteboard: [infrasec:csrf][ws:moderate]
Attachments: 2 files

quips.cgi has no CSRF protection.
Quips are really an unimportant bit of Bugzilla. You cannot do any harm.
Severity: normal → minor
Sure you can. You can add/approve/delete quips.
Yes, exactly what I said: you cannot do any harm. Quips are unimportant and have no interaction with other bits of the Bugzilla code.
I disagree with your assertion that you "cannot do any harm", and I think more than a few Bugzilla administrators would likewise disagree. Having the entire quips database deleted would definitely be harmful to Bugzilla users who actually use quips. Just because you don't use it doesn't mean it's not important to somebody else.
Assignee: general → LpSolit
Attachment #499887 - Flags: review?(mkanat)
Why hash tokens over session tokens here?
(In reply to comment #6)
> Why hash tokens over session tokens here?

Because I'm not going to fill the DB with tokens when editing quips.
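The trade-off in the reply above (a stateless hash token versus a DB-backed session token), as an added Python example that is not Bugzilla's own code: the token is an HMAC over its creation time, the acting user's id and the action data, so verification needs no database row. The secret, the three-day lifetime and the user/action values are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed values for this example, not Bugzilla's real configuration.
SITE_WIDE_SECRET = b"constructed-site-wide-secret-for-the-example"
MAX_TOKEN_AGE = 3 * 24 * 3600  # seconds a token stays valid (assumed lifetime)


def _digest(created, user_id, data, secret=SITE_WIDE_SECRET):
    # Bind the token to its creation time, the acting user and the
    # action-specific data (e.g. the action and the quip id), so a token
    # issued for "delete quip 7" cannot be replayed for "approve quip 9".
    msg = "*".join([str(created), str(user_id), *map(str, data)]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_hash_token(user_id, data, now=None):
    """Return a stateless CSRF token; nothing is stored server-side."""
    created = int(now if now is not None else time.time())
    # The creation time travels in clear so the lifetime can be checked.
    return f"{created}-{_digest(created, user_id, data)}"


def check_hash_token(token, user_id, data, now=None):
    """True only if the token is well-formed, unexpired, and was issued
    for this user and this action data."""
    now = now if now is not None else time.time()
    created_str, sep, digest = token.partition("-")
    if not sep or not created_str.isdigit():
        return False
    created = int(created_str)
    if created > now or now - created > MAX_TOKEN_AGE:
        return False
    # Constant-time comparison so the digest cannot be probed byte by byte.
    return hmac.compare_digest(digest, _digest(created, user_id, data))


if __name__ == "__main__":
    tok = issue_hash_token(42, ["delete", 7])
    print(check_hash_token(tok, 42, ["delete", 7]))   # True
    print(check_hash_token(tok, 42, ["approve", 7]))  # False: other action
    print(check_hash_token(tok, 99, ["delete", 7]))   # False: other user
```

The cost of the stateless scheme is that a token cannot be revoked before it expires, which is why the lifetime is kept short.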
Attachment #499887 - Flags: review?(mkanat) → review?(dkl)
Flags: blocking4.0?
Flags: blocking3.6.4?
Flags: blocking3.4.10?
Flags: blocking3.2.10?
Blocks: 620540
Comment on attachment 499887 [details] [diff] [review]
patch for 4.1, v1

Looks good and works as expected. r=dkl
Attachment #499887 - Flags: review?(dkl) → review+
Flags: approval?
Flags: approval4.0?
Due to bug 398701 which landed on trunk only, I need to backport this patch on branches. A trivial change.
Status: NEW → ASSIGNED
Flags: blocking4.0?
Flags: blocking4.0+
Flags: blocking3.6.4?
Flags: blocking3.6.4+
Flags: blocking3.4.10?
Flags: blocking3.4.10+
Flags: blocking3.2.10?
Flags: blocking3.2.10+
Flags: approval4.0?
Replace FILTER uri by FILTER url_quote. This patch works on all branches, from 3.2 to 4.0.
Attachment #506126 - Flags: review?(dkl)
Comment on attachment 506126 [details] [diff] [review]
patch for 3.2 - 4.0, v1

Looks good and works as expected. r=dkl
Attachment #506126 - Flags: review?(dkl) → review+
Flags: approval4.0?
Flags: approval3.6?
Flags: approval3.4?
Flags: approval3.2?
Attachment #499887 - Attachment description: patch, v1 → patch for 4.1, v1
Flags: approval?
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval3.4?
Flags: approval3.4+
Flags: approval3.2?
Flags: approval3.2+
Flags: approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified quips.cgi
modified template/en/default/list/quips.html.tmpl
Committed revision 7670.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified quips.cgi
modified template/en/default/list/quips.html.tmpl
Committed revision 7527.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified quips.cgi
modified template/en/default/list/quips.html.tmpl
Committed revision 7222.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified quips.cgi
modified template/en/default/list/quips.html.tmpl
Committed revision 6789.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.2/
modified quips.cgi
modified template/en/default/list/quips.html.tmpl
Committed revision 6410.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Security advisory sent. Removing the security flag.
Group: bugzilla-security
Hard to imagine anything to do with quips rating ws:high
Whiteboard: [infrasec:csrf][ws:high] → [infrasec:csrf][ws:moderate]