[SECURITY] Quips (adding/approving/deleting) lacks CSRF protection

RESOLVED FIXED in Bugzilla 3.2

Status

Bugzilla
Bugzilla-General
--
minor
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: reed, Assigned: Frédéric Buclin)

Tracking

(Blocks: 1 bug)

3.6.3
Bugzilla 3.2
Dependency tree / graph
Bug Flags:
approval +
approval4.0 +
blocking4.0 +
approval3.6 +
blocking3.6.4 +
approval3.4 +
blocking3.4.10 +
approval3.2 +
blocking3.2.10 +

Details

(Whiteboard: [infrasec:csrf][ws:moderate])

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
quips.cgi has no CSRF protection.
(Assignee)

Comment 1

6 years ago
Quips are really an unimportant bit of Bugzilla. You cannot do any harm.
Severity: normal → minor
(Reporter)

Comment 2

6 years ago
Sure you can. You can add/approve/delete quips.
(Assignee)

Comment 3

6 years ago
Yes, exactly what I said: you cannot do any harm. Quips are unimportant and have no interaction with other bits of the Bugzilla code.
(Reporter)

Comment 4

6 years ago
I disagree with your assertion that you "cannot do any harm", and I think more than a few Bugzilla administrators would likewise disagree. Having the entire quips database deleted would definitely be harmful to Bugzilla users who actually use quips. Just because you don't use it doesn't mean it's not important to somebody else.
(Assignee)

Updated

6 years ago
Assignee: general → LpSolit
(Assignee)

Comment 5

6 years ago
Created attachment 499887 [details] [diff] [review]
patch for 4.1, v1
Attachment #499887 - Flags: review?(mkanat)
(Reporter)

Comment 6

6 years ago
Why hash tokens over session tokens here?
(Assignee)

Comment 7

6 years ago
(In reply to comment #6)
> Why hash tokens over session tokens here?

Because I'm not going to fill the DB with tokens when editing quips.
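The trade-off raised in comments 6 and 7 (a keyed hash token needs no server-side storage, a session token must be kept in the DB) can be shown with a small stateless CSRF check. This is an added illustration, not Bugzilla's own `issue_hash_token`/`check_hash_token` code; the secret, the `handle_quip_action` handler and the in-memory quip table are constructed for the demo.

```python
import hmac
import hashlib

# Constructed site secret for the demo; a real deployment uses a per-site key kept out of source.
SITE_SECRET = b"constructed-site-secret-for-demo"


def issue_hash_token(user_id: int, action: str, data: str, secret: bytes = SITE_SECRET) -> str:
    """Stateless CSRF token: HMAC over (user, action, data).

    Nothing is written to the database, which is the point made in comment 7;
    the token is only valid for this user, this action and this target."""
    msg = f"{user_id}\0{action}\0{data}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def check_hash_token(token: str, user_id: int, action: str, data: str, secret: bytes = SITE_SECRET) -> bool:
    """Recompute the expected token and compare in constant time."""
    expected = issue_hash_token(user_id, action, data, secret)
    return hmac.compare_digest(token, expected)


def handle_quip_action(user_id: int, params: dict, quips: dict) -> str:
    """Hypothetical quips.cgi-style handler: state-changing actions require a valid token.

    A cross-site request can name the action and quip id, but cannot supply the
    keyed hash because the attacker has neither the secret nor the victim's token."""
    action = params.get("action")
    qid = params.get("quipid")
    if action not in ("approve", "delete") or qid not in quips:
        return "ignored"
    if not check_hash_token(params.get("token", ""), user_id, f"{action}_quip", str(qid)):
        return "rejected: missing or invalid token"
    if action == "approve":
        quips[qid]["approved"] = True
        return "approved"
    del quips[qid]
    return "deleted"
```

The form that lists quips would embed `issue_hash_token(user, "approve_quip", str(qid))` per row, so no per-request token rows accumulate in the DB.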
(Assignee)

Updated

6 years ago
Attachment #499887 - Flags: review?(mkanat) → review?(dkl)
(Reporter)

Updated

6 years ago
Flags: blocking4.0?
Flags: blocking3.6.4?
Flags: blocking3.4.10?
Flags: blocking3.2.10?
(Reporter)

Updated

6 years ago
Blocks: 620540
Comment on attachment 499887 [details] [diff] [review]
patch for 4.1, v1

Looks good and works as expected. r=dkl
Attachment #499887 - Flags: review?(dkl) → review+

Updated

6 years ago
Flags: approval?
Flags: approval4.0?
(Assignee)

Comment 9

6 years ago
Due to bug 398701 which landed on trunk only, I need to backport this patch on branches. A trivial change.
Status: NEW → ASSIGNED
Flags: blocking4.0?
Flags: blocking4.0+
Flags: blocking3.6.4?
Flags: blocking3.6.4+
Flags: blocking3.4.10?
Flags: blocking3.4.10+
Flags: blocking3.2.10?
Flags: blocking3.2.10+
Flags: approval4.0?
(Assignee)

Comment 10

6 years ago
Created attachment 506126 [details] [diff] [review]
patch for 3.2 - 4.0, v1

Replace FILTER uri with FILTER url_quote. This patch works on all branches, from 3.2 to 4.0.
Attachment #506126 - Flags: review?(dkl)
Comment on attachment 506126 [details] [diff] [review]
patch for 3.2 - 4.0, v1

Looks good and works as expected. r=dkl
Attachment #506126 - Flags: review?(dkl) → review+

Updated

6 years ago
Flags: approval4.0?
Flags: approval3.6?
(Assignee)

Updated

6 years ago
Flags: approval3.4?
Flags: approval3.2?
(Assignee)

Updated

6 years ago
Attachment #499887 - Attachment description: patch, v1 → patch for 4.1, v1
(Assignee)

Updated

6 years ago
Flags: approval?
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval3.4?
Flags: approval3.4+
Flags: approval3.2?
Flags: approval3.2+
Flags: approval+
(Assignee)

Comment 13

6 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified quips.cgi
modified template/en/default/list/quips.html.tmpl
Committed revision 7670.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified quips.cgi
modified template/en/default/list/quips.html.tmpl
Committed revision 7527.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified quips.cgi
modified template/en/default/list/quips.html.tmpl
Committed revision 7222.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified quips.cgi
modified template/en/default/list/quips.html.tmpl
Committed revision 6789.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.2/
modified quips.cgi
modified template/en/default/list/quips.html.tmpl
Committed revision 6410.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Assignee)

Comment 14

6 years ago
Security advisory sent. Removing the security flag.
Group: bugzilla-security
Hard to imagine anything to do with quips rating ws:high
Whiteboard: [infrasec:csrf][ws:high] → [infrasec:csrf][ws:moderate]

Updated

4 years ago
Blocks: 835424