Bug 621572 (CVE-2010-4572)

[SECURITY] chart.cgi vulnerable to header-injection due to use of |print "Location:"| instead of $cgi->redirect

RESOLVED FIXED in Bugzilla 3.2

Status


Bugzilla
Reporting/Charting
P1
critical
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: Frédéric Buclin, Assigned: reed)

Tracking

Bugzilla 3.2
Bug Flags:
approval +
approval4.0 +
blocking4.0 +
approval3.6 +
blocking3.6.4 +
approval3.4 +
blocking3.4.10 +
approval3.2 +
blocking3.2.10 +

Details

(Whiteboard: [infrasec:xss][ws:critical], URL)

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
Found in chart.cgi:

    print "Location: query.cgi?format=" . $cgi->param('query_format') .
                                          ($params ? "&$params" : "") . "\n\n";

    print "Location: buglist.cgi" . ($params ? "?$params" : "") . "\n\n";

We should use $cgi->redirect instead.
(Assignee)

Comment 1

7 years ago
This is another bug similar to bug 591165. Due to the use of Location:, header-injection is easily possible.
Assignee: charting → reed
Group: bugzilla-security
Severity: trivial → critical
Status: NEW → ASSIGNED
Flags: blocking4.0?
Flags: blocking3.6.4?
Flags: blocking3.4.10?
Flags: blocking3.2.10?
Priority: -- → P1
Target Milestone: --- → Bugzilla 3.2
(Assignee)

Updated

7 years ago
Whiteboard: [infrasec:xss][ws:critical]
(Assignee)

Updated

7 years ago
Depends on: 591165
Summary: chart.cgi should use $cgi->redirect instead of print "Location:" → [SECURITY] chart.cgi vulnerable to header-injection due to use of |print "Location:"| instead of $cgi->redirect
(Assignee)

Comment 2

7 years ago
Created attachment 499986
patch - v1

This should work, but should I be using |-uri => correct_urlbase() . "blah.cgi"| instead, or is this fine? We seem to vary on usage one way or another throughout the codebase.
Attachment #499986 - Flags: review?(mkanat)
call this one CVE-2010-4572
Alias: CVE-2010-4572

Updated

7 years ago
Flags: blocking4.0?
Flags: blocking4.0+
Flags: blocking3.6.4?
Flags: blocking3.6.4+
Flags: blocking3.4.10?
Flags: blocking3.4.10+
Flags: blocking3.2.10?
Flags: blocking3.2.10+
(Reporter)

Comment 4

7 years ago
(In reply to comment #2)
> This should work, but should I be using |-uri => correct_urlbase() .
> "blah.cgi"| instead, or is this fine? We seem to vary on usage one way or
> another throughout the codebase.

http://search.cpan.org/~lds/CGI.pm-3.50/lib/CGI.pm#GENERATING_A_REDIRECTION_HEADER recommends using full URLs, not relative ones:

"You should always use full URLs (including the http: or ftp: part) in redirection requests. Relative URLs will not work correctly."

Comment 5

7 years ago
For now you should be using $cgi->url to generate a full URL, unless $cgi->redirect does that internally.
(Reporter)

Updated

7 years ago
Blocks: 620540

Comment 6

7 years ago
Comment on attachment 499986
patch - v1

Okay, this is actually what buglist.cgi does already, so this is fine.
Attachment #499986 - Flags: review?(mkanat) → review+
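As an added illustration (not the patch on this bug and not Bugzilla's code), the snippet below puts the pre-fix chart.cgi construction quoted in the description next to a hardened version written along the lines of comments 1, 2, 4 and 6: validate the parameter, build an absolute URL, and let $cgi->redirect emit the header. The CR/LF payload, the urlbase 'https://bugzilla.example/' standing in for correct_urlbase() (or $cgi->url, as comment 5 suggests), and the allowlist of query_format values are all assumptions made for this example. It needs only the CGI module and runs offline: the request is built from a parameter hash rather than the environment, and Bugzilla's own Bugzilla::CGI subclass is not involved.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's code: the pre-fix chart.cgi redirect beside a
# hardened one, driven by a constructed CR/LF payload. Runs offline; the CGI
# module is the only dependency (from CPAN on perls that no longer bundle it).
use strict;
use warnings;
use CGI;

# Constructed attacker value for query_format: it terminates the Location
# header, appends a header of the attacker's choosing, then starts a body.
my $PAYLOAD = "report-table\r\nSet-Cookie: session=attacker\r\n\r\n<html>injected</html>";

# Pre-fix pattern from chart.cgi: the raw parameter is concatenated into the
# header line, so a CR LF inside it becomes a header/body boundary.
sub vulnerable_redirect {
    my ($cgi, $params) = @_;
    return "Location: query.cgi?format=" . $cgi->param('query_format')
         . ($params ? "&$params" : "") . "\n\n";
}

# Assumed allowlist of formats chart.cgi would hand to query.cgi; the real set
# is whatever query.cgi's templates define.
my %ALLOWED_FORMAT = map { $_ => 1 } qw(report-table report-graph);

# Hardened form: reject anything outside the known formats (which also rules
# out CR/LF), build an absolute URL as the CGI.pm docs require for redirects,
# and let $cgi->redirect produce the header. The fixed urlbase is an
# assumption standing in for correct_urlbase().
sub safe_redirect {
    my ($cgi, $params) = @_;
    my $format = $cgi->param('query_format');
    $format = '' unless defined $format;
    die "Invalid query_format\n" unless $ALLOWED_FORMAT{$format};
    my $target = 'https://bugzilla.example/query.cgi?format=' . $format
               . ($params ? "&$params" : "");
    return $cgi->redirect(-uri => $target);
}

# Header lines before the first blank line; the vulnerable redirect writes no
# Status line, so a clean response would have exactly one (Location).
sub header_lines {
    my ($response) = @_;
    my ($head) = split /\r?\n\r?\n/, $response, 2;
    return split /\r?\n/, $head;
}

my $cgi = CGI->new({ query_format => $PAYLOAD });

my @bad = header_lines(vulnerable_redirect($cgi, 'x=1'));
print "vulnerable: ", scalar(@bad), " header line(s)\n";
print "  $_\n" for @bad;   # the injected Set-Cookie shows up as a second header

my $out = eval { safe_redirect($cgi, 'x=1') };
print "hardened: ", ($out ? "emitted redirect\n" : "rejected: $@");

# With a legitimate value the hardened version yields an absolute redirect.
my $clean = CGI->new({ query_format => 'report-table' });
print safe_redirect($clean, 'x=1');
```

Run it with perl: the vulnerable function returns two header lines, the attacker's Set-Cookie among them, while the hardened one dies on the same input and, for a legitimate format, prints the Status/Location pair that $cgi->redirect generates. The allowlist is what keeps the hardened version independent of the CGI.pm release; CGI.pm 3.50 and later also refuse a CR or LF inside any header value, so $cgi->redirect on its own would reject this payload there, but the explicit check documents the intent and holds on older installations.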

Updated

7 years ago
Flags: approval?
Flags: approval4.0?
Flags: approval3.6?
Flags: approval3.4?
Flags: approval3.2?
(Reporter)

Updated

6 years ago
Flags: approval?
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval3.4?
Flags: approval3.4+
Flags: approval3.2?
Flags: approval3.2+
Flags: approval+
(Assignee)

Comment 7

6 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified chart.cgi
Committed revision 7673.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified chart.cgi
Committed revision 7530.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.6/
modified chart.cgi
Committed revision 7223.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.4/
modified chart.cgi
Committed revision 6790.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.2/
modified chart.cgi
Committed revision 6411.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Comment 8

6 years ago
Security advisory sent. Removing the security flag.
Group: bugzilla-security