Closed Bug 621572 (CVE-2010-4572) Opened 13 years ago Closed 13 years ago

[SECURITY] chart.cgi vulnerable to header-injection due to use of |print "Location:"| instead of $cgi->redirect

Categories: Bugzilla :: Reporting/Charting, defect, P1
Status: RESOLVED FIXED
Target Milestone: Bugzilla 3.2
People: Reporter: LpSolit, Assigned: reed
Whiteboard: [infrasec:xss][ws:critical]
Attachments: 1 file

Found in chart.cgi:

    print "Location: query.cgi?format=" . $cgi->param('query_format') .
                                          ($params ? "&$params" : "") . "\n\n";

    print "Location: buglist.cgi" . ($params ? "?$params" : "") . "\n\n";

We should use $cgi->redirect instead.
This is another bug similar to bug 591165. Due to the use of Location:, header-injection is easily possible.
Assignee: charting → reed
Group: bugzilla-security
Severity: trivial → critical
Status: NEW → ASSIGNED
Flags: blocking4.0?
Flags: blocking3.6.4?
Flags: blocking3.4.10?
Flags: blocking3.2.10?
Priority: -- → P1
Target Milestone: --- → Bugzilla 3.2
Whiteboard: [infrasec:xss][ws:critical]
Depends on: CVE-2010-2761
Summary: chart.cgi should use $cgi->redirect instead of print "Location:" → [SECURITY] chart.cgi vulnerable to header-injection due to use of |print "Location:"| instead of $cgi->redirect
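As an added example (not code from the page or from Bugzilla), the two shapes side by side on a constructed request: the raw print quoted from chart.cgi beside the $cgi->redirect form. It assumes CGI.pm 3.x, whose header() refuses a header value containing a newline that is not header folding, and uses a placeholder base URL where Bugzilla would call correct_urlbase().

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's code: the header-injection shape reported
# for chart.cgi beside the $cgi->redirect form that closes it.
use strict;
use warnings;
use CGI;

# Constructed request: query_format carries an encoded CR LF and a second
# header line. CGI.pm decodes %0d%0a into a real line break in param().
my $cgi = CGI->new('query_format=advanced%0d%0aX-Injected:%201');

# Placeholder base URL (assumed); Bugzilla itself uses correct_urlbase().
my $URLBASE = 'http://bugzilla.example/';

# Vulnerable shape, as quoted from chart.cgi: the decoded value is pasted
# straight into the header block, so the CR LF terminates the Location
# line and whatever follows it is sent to the client as a header.
sub vulnerable_location {
    my ($q) = @_;
    return "Location: query.cgi?format=" . $q->param('query_format') . "\n\n";
}

# Hardened shape: redirect() hands the value to CGI.pm's header(), which
# dies on a newline that is not RFC 822 header folding, so no response
# headers are emitted. Treat the die as a bad request, not as a crash.
sub safe_redirect {
    my ($q) = @_;
    my $out = eval {
        $q->redirect(-uri => $URLBASE . 'query.cgi?format=' . $q->param('query_format'));
    };
    return $out;   # undef when CGI.pm rejected the value ($@ holds why)
}

# Explicit check for any code path that still assembles a Location line by
# hand: refuse a value containing CR or LF instead of trying to strip it.
sub header_safe {
    my ($value) = @_;
    return (defined $value && $value !~ /[\r\n]/) ? 1 : 0;
}

my $raw = vulnerable_location($cgi);
print "raw print:    ", ($raw =~ /\r\nX-Injected:/ ? "injected header present\n" : "clean\n");
print "redirect():   ", (defined safe_redirect($cgi) ? "emitted\n" : "rejected by CGI.pm\n");
print "manual check: ", (header_safe(scalar $cgi->param('query_format')) ? "ok\n" : "reject\n");
```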
Attached patch: patch - v1
This should work, but should I be using |-uri => correct_urlbase() . "blah.cgi"| instead, or is this fine? We seem to vary on usage one way or another throughout the codebase.
Attachment #499986 - Flags: review?(mkanat)
call this one CVE-2010-4572
Alias: CVE-2010-4572
Flags: blocking4.0?
Flags: blocking4.0+
Flags: blocking3.6.4?
Flags: blocking3.6.4+
Flags: blocking3.4.10?
Flags: blocking3.4.10+
Flags: blocking3.2.10?
Flags: blocking3.2.10+
(In reply to comment #2)
> This should work, but should I be using |-uri => correct_urlbase() .
> "blah.cgi"| instead, or is this fine? We seem to vary on usage one way or
> another throughout the codebase.

http://search.cpan.org/~lds/CGI.pm-3.50/lib/CGI.pm#GENERATING_A_REDIRECTION_HEADER recommends using full URLs, not relative ones:

"You should always use full URLs (including the http: or ftp: part) in redirection requests. Relative URLs will not work correctly."
For now you should be using $cgi->url to generate a full URL, unless $cgi->redirect does that internally.
Blocks: 620540
Comment on attachment 499986 (patch - v1)

Okay, this is actually what buglist.cgi does already, so this is fine.
Attachment #499986 - Flags: review?(mkanat) → review+
Flags: approval?
Flags: approval4.0?
Flags: approval3.6?
Flags: approval3.4?
Flags: approval3.2?
Flags: approval?
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval3.4?
Flags: approval3.4+
Flags: approval3.2?
Flags: approval3.2+
Flags: approval+
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified chart.cgi
Committed revision 7673.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified chart.cgi
Committed revision 7530.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.6/
modified chart.cgi
Committed revision 7223.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.4/
modified chart.cgi
Committed revision 6790.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.2/
modified chart.cgi
Committed revision 6411.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Security advisory sent. Removing the security flag.
Group: bugzilla-security
test.