Closed
Bug 621572
(CVE-2010-4572)
Opened 13 years ago
Closed 13 years ago
[SECURITY] chart.cgi vulnerable to header-injection due to use of |print "Location:"| instead of $cgi->redirect
Categories
(Bugzilla :: Reporting/Charting, defect, P1)
RESOLVED
FIXED
Bugzilla 3.2
People
(Reporter: LpSolit, Assigned: reed)
Details
(Whiteboard: [infrasec:xss][ws:critical])
Attachments
(1 file)
patch, 962 bytes (mkanat: review+)
Found in chart.cgi:

    print "Location: query.cgi?format=" . $cgi->param('query_format') . ($params ? "&$params" : "") . "\n\n";

    print "Location: buglist.cgi" . ($params ? "?$params" : "") . "\n\n";

We should use $cgi->redirect instead.
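Added example (not part of the original report, the attached patch, or Bugzilla's code): the first print statement above, rebuilt as a function next to a hardened builder, with a check that counts how many header lines each emits for a constructed value containing CR/LF. The names location_unsafe, location_safe and header_lines are hypothetical; the fix committed for this bug uses $cgi->redirect rather than a hand-written encoder.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern from the bug description: the parameter is concatenated into a
# hand-printed header, so a CR/LF in the value ends the Location line early.
sub location_unsafe {
    my ($query_format, $params) = @_;
    return "Location: query.cgi?format=" . $query_format
         . ($params ? "&$params" : "") . "\n\n";
}

# Hypothetical hardened builder: percent-encode the value (treated as bytes)
# and refuse any redirect target that still contains a line break.
sub location_safe {
    my ($query_format, $params) = @_;
    (my $enc = $query_format) =~ s/([^A-Za-z0-9_.~-])/sprintf("%%%02X", ord($1))/ge;
    my $url = "query.cgi?format=$enc" . ($params ? "&$params" : "");
    die "line break in redirect target\n" if $url =~ /[\r\n]/;
    return "Location: $url\r\n\r\n";
}

# Count the header lines that precede the blank line ending the header block.
sub header_lines {
    my ($raw) = @_;
    my ($head) = split /\r?\n\r?\n/, $raw, 2;
    my @lines = split /\r?\n/, $head;
    return scalar @lines;
}

# Constructed input: a format value carrying a CR/LF pair.
my $value = "specific\r\nX-Constructed: 1";
printf "unsafe builder: %d header line(s)\n",
    header_lines(location_unsafe($value, ""));
printf "safe builder:   %d header line(s)\n",
    header_lines(location_safe($value, ""));
```

A response that should carry exactly one Location header but yields more than one header line from this check is the symptom to look for when auditing other hand-printed headers.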
Comment 1 • 13 years ago (Assignee)
This is another bug similar to bug 591165. Due to the use of Location:, header-injection is easily possible.
Assignee: charting → reed
Group: bugzilla-security
Severity: trivial → critical
Status: NEW → ASSIGNED
Flags: blocking4.0?
Flags: blocking3.6.4?
Flags: blocking3.4.10?
Flags: blocking3.2.10?
Priority: -- → P1
Target Milestone: --- → Bugzilla 3.2
Updated • 13 years ago (Assignee)
Whiteboard: [infrasec:xss][ws:critical]
Updated • 13 years ago (Assignee)
Depends on: CVE-2010-2761
Summary: chart.cgi should use $cgi->redirect instead of print "Location:" → [SECURITY] chart.cgi vulnerable to header-injection due to use of |print "Location:"| instead of $cgi->redirect
Comment 2 • 13 years ago (Assignee)
This should work, but should I be using |-uri => correct_urlbase() . "blah.cgi"| instead, or is this fine? We seem to vary on usage one way or another throughout the codebase.
Attachment #499986 - Flags: review?(mkanat)
Updated • 13 years ago
Flags: blocking4.0? → blocking4.0+
Flags: blocking3.6.4? → blocking3.6.4+
Flags: blocking3.4.10? → blocking3.4.10+
Flags: blocking3.2.10? → blocking3.2.10+
Comment 4 • 13 years ago (Reporter)
(In reply to comment #2)
> This should work, but should I be using |-uri => correct_urlbase() .
> "blah.cgi"| instead, or is this fine? We seem to vary on usage one way or
> another throughout the codebase.

http://search.cpan.org/~lds/CGI.pm-3.50/lib/CGI.pm#GENERATING_A_REDIRECTION_HEADER recommends using full URLs, not relative ones:

"You should always use full URLs (including the http: or ftp: part) in redirection requests. Relative URLs will not work correctly."
Comment 5 • 13 years ago
For now you should be using $cgi->url to generate a full URL, unless $cgi->redirect does that internally.
Comment 6 • 13 years ago
Comment on attachment 499986
patch - v1

Okay, this is actually what buglist.cgi does already, so this is fine.
Attachment #499986 - Flags: review?(mkanat) → review+
Updated • 13 years ago
Flags: approval?
Flags: approval4.0?
Flags: approval3.6?
Flags: approval3.4?
Flags: approval3.2?
Updated • 13 years ago (Reporter)
Flags: approval? → approval+
Flags: approval4.0? → approval4.0+
Flags: approval3.6? → approval3.6+
Flags: approval3.4? → approval3.4+
Flags: approval3.2? → approval3.2+
Comment 7 • 13 years ago (Assignee)
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified chart.cgi
Committed revision 7673.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified chart.cgi
Committed revision 7530.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.6/
modified chart.cgi
Committed revision 7223.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.4/
modified chart.cgi
Committed revision 6790.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.2/
modified chart.cgi
Committed revision 6411.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 8 • 13 years ago (Reporter)
Security advisory sent. Removing the security flag.
Group: bugzilla-security
Comment 9 • 13 years ago
test.