Bug 703983 - (CVE-2011-3669) CSRF vulnerability in attachment.cgi allows possible unauthorized attachment creation
Status: RESOLVED FIXED
Whiteboard: [infrasec:csrf][ws:moderate]
Product: Bugzilla
Classification: Server Software
Component: Attachments & Requests
Version: 2.10
Platform: All (OS: All)
Priority: --, Severity: normal
Target Milestone: Bugzilla 4.2
Assigned To: Reed Loden [:reed]
QA Contact: default-qa
Blocks: 835424 713348
Reported: 2011-11-20 07:09 PST by Mario Gomes
Modified: 2014-06-26 13:59 PDT
Flags:
LpSolit: approval+
LpSolit: approval4.2+
LpSolit: blocking4.2+
rforbes: sec-bounty+

Attachments:
Proof of concept File to reproduce the vulnerability (1.23 KB, text/plain), 2011-11-20 10:25 PST, Mario Gomes, no flags
patch - v1 (untested) (4.42 KB, patch), 2011-11-20 14:15 PST, Reed Loden [:reed], no flags
patch - v2 (3.75 KB, patch), 2011-11-20 14:56 PST, Reed Loden [:reed], LpSolit: review+
patch - v3 (4.07 KB, patch), 2011-11-21 13:54 PST, Reed Loden [:reed], reed: review+

Description Mario Gomes 2011-11-20 07:09:20 PST
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2

Steps to reproduce:

Hi,

All tests were done in https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=16552.

A vulnerability exists in the Bugzilla upload page: when a request is made and the value of "token" is not sent to the Bugzilla server, an error occurs that allows an XSRF attacker to induce a victim to upload a file to a reported bug without the victim knowing.

Actual results:

Upload the file


Expected results:

The file is uploaded.
Comment 1 Mario Gomes 2011-11-20 07:11:22 PST
reproduce:
Make a request without the TOKEN value.
Comment 2 Frédéric Buclin 2011-11-20 07:13:33 PST
I don't understand your description. Could you give exact steps to reproduce?
Comment 3 Frédéric Buclin 2011-11-20 07:26:57 PST
Ah, I see what you mean. A token is not required to upload an attachment. We require one when editing attachments, though, see bug 476603. This case falls under the same consideration as bug 703975, i.e. an attacker doesn't need you to upload attachments. We protected editing attachments because an attacker could inadvertently force a power user to remove the private bit of a private attachment. But I guess it's fine to also require a token when uploading a new attachment.
Comment 4 Mario Gomes 2011-11-20 10:25:52 PST
Created attachment 575756 [details]
Proof of concept File to reproduce the vulnerability

Yes, I think this vulnerability is a "medium" risk, since it enables the user to upload any file.
Look at this example attack:
1. A victim trusted by the application programmer reports a security bug with a POC.
2. The victim opens a page specially crafted by an attacker, which contains code to upload an EXE file.
3. The comment with the malicious EXE file is downloaded and seen by the programmer.
4. The programmer, trusting the victim, opens the EXE file, thus possibly compromising his system.

Reproduce:
1. Create a bug in Bugzilla (https://landfill.bugzilla.org/bugzilla-tip/enter_bug.cgi?product=FoodReplicator).
2. After you create your bug, open the attached POC.
3. Time the ID of you bug created and select the file you want upload.
4. Then click "Submit".
Comment 5 Mario Gomes 2011-11-20 10:28:34 PST
Opps...

Reproduce:
1. Create a bug in Bugzilla (https://landfill.bugzilla.org/bugzilla-tip/enter_bug.cgi?product=FoodReplicator).
2. After you create your bug, open the attached POC.
3. Type the ID of the bug you created and select the file you want to upload.
4. Then click "Submit".
Comment 6 Reed Loden [:reed] 2011-11-20 14:15:50 PST
Created attachment 575774 [details] [diff] [review]
patch - v1 (untested)
Comment 7 Frédéric Buclin 2011-11-20 14:36:42 PST
Comment on attachment 575774 [details] [diff] [review]
patch - v1 (untested)

>=== modified file 'attachment.cgi'
>+    check_token_data($token, 'create_attachment');
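Review bot: placement matters as much as the call itself; check_token_data($token, 'create_attachment') has to run before Bugzilla::Attachment->create() and before any other write on the create path, otherwise a forged request still reaches the database before it is rejected, and the single quoted line does not show where in the flow it sits. The event name 'create_attachment' must also be the exact string used when the token is issued to the attachment form, or every legitimate submission lands on the "suspicious action" page.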

You have to pass a 3rd argument to redirect the user to a useful page if he gets the "suspicious action" page. 'index.cgi' seems a reasonable choice.


>-  # Assign the bug to the user, if they are allowed to take it
>-  my $owner = "";
>-  if ($cgi->param('takebug') && $user->in_group('editbugs', $bug->product_id)) {
>+    # Assign the bug to the user, if they are allowed to take it
>+    my $owner = "";
>+    if ($cgi->param('takebug') && $user->in_group('editbugs', $bug->product_id)) {

Don't bother fixing the indentation here. There are many places where the indentation is wrong in this file. I only bother fixing it when I touch these lines specifically, to not break the history of the file.


Otherwise looks good, but I haven't tested your patch yet. I will test an updated one.
Comment 8 Reed Loden [:reed] 2011-11-20 14:56:28 PST
Created attachment 575777 [details] [diff] [review]
patch - v2
Comment 10 Mario Gomes 2011-11-21 12:21:34 PST

*** This bug has been marked as a duplicate of bug 703975 ***
Comment 11 Frédéric Buclin 2011-11-21 12:34:03 PST
Leave this bug alone. This is not a duplicate.
Comment 12 Mario Gomes 2011-11-21 12:39:19 PST
I'm sorry, I got confused. The titles are very similar.
Comment 13 Frédéric Buclin 2011-11-21 12:55:01 PST
As discussed with mkanat, we won't fix it on stable branches as some installations and 3rd party applications rely on this feature.
Comment 14 Frédéric Buclin 2011-11-21 13:15:55 PST
Comment on attachment 575777 [details] [diff] [review]
patch - v2

>=== modified file 'attachment.cgi'
>+  # Delete the token used to create this attachment.
>+  delete_token($token);
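Review bot: delete_token($token) should directly follow the Bugzilla::Attachment->create() call rather than the later obsoleting and comment steps, so the token is consumed the moment the action it authorised has succeeded; if anything between create() and this line dies, the token would otherwise stay valid and usable for a second submission. It should stay after create(), not before it, since a failed check or a failed create() should not consume the user's token.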

This line should go right after the call to Bugzilla::Attachment->create(). No need to wait for other attachments to be marked as obsolete and the comment written. This token is used for the attachment creation, after all.

r=LpSolit with an updated patch attached which addresses this comment.
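The flow agreed in comments 3, 7 and 14 (check a per-action token before creating the attachment, send a mismatch to the "suspicious action" page, consume the token right after creation), as an added Python sketch that is not Bugzilla's Perl code; the in-memory store, the user id 7, the 'edit_attachment' event name and the function bodies are constructed stand-ins that only borrow the Bugzilla::Token function names.

```python
import secrets

# Constructed in-memory token store: token -> (user_id, event).  Stand-in for
# Bugzilla's tokens table; the function names mirror Bugzilla::Token but the
# bodies are this example's own.
_TOKENS = {}

def issue_session_token(user_id, event):
    """Mint a single-use token bound to one user and one named action."""
    token = secrets.token_urlsafe(16)
    _TOKENS[token] = (user_id, event)
    return token

def check_token_data(token, event, user_id):
    """True only if the token exists, belongs to this user and was issued
    for exactly this event (e.g. 'create_attachment')."""
    entry = _TOKENS.get(token or "")
    return entry == (user_id, event)

def delete_token(token):
    """Consume the token so the same value cannot authorise a second action."""
    _TOKENS.pop(token, None)

def create_attachment(user_id, params, attachments):
    """Hardened create path: validate first, write, then consume the token
    immediately after the write (the ordering comment 14 asks for)."""
    if not check_token_data(params.get("token"), "create_attachment", user_id):
        return "suspicious_action"  # Bugzilla redirects to its suspicious-action page
    attachments.append((user_id, params["data"]))
    delete_token(params["token"])
    return "created"

def demo():
    """Four requests made in the session of one logged-in user (id 7, constructed)."""
    attachments = []
    # Cross-site POST: carries the session cookie but no form token.
    forged = create_attachment(7, {"data": b"evil.exe"}, attachments)
    # Legitimate submission from the attachment form.
    tok = issue_session_token(7, "create_attachment")
    legit = create_attachment(7, {"token": tok, "data": b"poc.txt"}, attachments)
    # Replay of the already-consumed token.
    replay = create_attachment(7, {"token": tok, "data": b"again"}, attachments)
    # Token minted for another action (constructed 'edit_attachment' event) must not unlock creation.
    edit_tok = issue_session_token(7, "edit_attachment")
    wrong = create_attachment(7, {"token": edit_tok, "data": b"x"}, attachments)
    return forged, legit, replay, wrong, len(attachments)

if __name__ == "__main__":
    print(demo())  # ('suspicious_action', 'created', 'suspicious_action', 'suspicious_action', 1)
```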
Comment 15 Reed Loden [:reed] 2011-11-21 13:54:39 PST
Created attachment 575967 [details] [diff] [review]
patch - v3
Comment 16 Frédéric Buclin 2011-11-21 13:56:39 PST
Approved for immediate checkin. Please leave the sec flag for now when marking the bug as FIXED.
Comment 17 Reed Loden [:reed] 2011-11-21 14:10:21 PST
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified attachment.cgi
deleted template/en/default/attachment/cancel-create-dupe.html.tmpl
Committed revision 8009.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified attachment.cgi
deleted template/en/default/attachment/cancel-create-dupe.html.tmpl
Committed revision 7959.
Comment 18 Mario Gomes 2011-11-22 03:01:56 PST
Reed Loden, can you tell me when the new version of Bugzilla with this patch will be released?
Comment 19 Frédéric Buclin 2011-11-22 07:14:07 PST
(In reply to Mario Gomes from comment #18)
> Reed Loden, can you tell me when the new version of Bugzilla with this patch
> will be released?

You can track progress in bug 702713. Note that Bugzilla 4.0.3 won't have this fix.
Comment 20 Mario Gomes 2011-11-28 06:44:57 PST
Well, that's embarrassing to me... ;(
But as this is "ws:moderate", and how Mozilla treats bugs marked "ws:critical" is as stated here: "In the past we have not paid formally the bug bounty on web vulnerabilities but we have paid the bounty for extraordinary and critical web application vulnerabilities". Just to confirm, this bug and bug 703975 are not eligible for a bounty. Right?
Comment 21 Frédéric Buclin 2011-11-28 07:57:25 PST
(In reply to Mario Gomes (http://net-fuzzer.blogspot.com) from comment #20)
> web application vulnerabilities". Just to confirm, this bug and bug 703975
> are not eligible for a bounty. Right?

That's not my decision, but they are honestly not security bugs, only security enhancements (which is the reason why we didn't backport them to stable branches).
Comment 22 Yvan Boily [:ygjb][:yvan] 2011-11-28 10:40:26 PST
Hi Mario,

There is a team that meets periodically to review submitted bugs and determine if they qualify for the bounty program; once that is done they will update the bug report with the decision.
Comment 23 Mario Gomes 2011-11-28 11:07:37 PST
Frédéric, I do not understand: if they are not security bugs, why "Group-Security"?
Comment 24 Frédéric Buclin 2011-11-28 11:12:27 PST
(In reply to Mario Gomes(http://net-fuzzer.blogspot.com) from comment #23)
> Frédéric, I do not understand: if they are not security bugs, why
> "Group-Security"?

To avoid people playing with your Proof of Concept before we release new versions.
Comment 25 Mario Gomes 2011-12-03 15:42:55 PST
Okay. Thanks for the response.
(In reply to Yvan Boily [:ygjb][:yvan] from comment #22)
> Hi Mario,
> 
> There is a team that meets periodically to review submitted bugs and
> determine if they qualify for the bounty program; once that is done they
> will update the bug report with the decision.
Comment 27 Mario Gomes 2011-12-24 14:04:47 PST
It is amazing, nothing I do is eligible for a reward. Why does Mozilla create the Rewards Program if it does not want to pay? And also, why put CSRF failures in Critical if the maximum severity is Moderate?
Comment 28 Michael Coates [:mcoates] 2011-12-24 14:09:02 PST
(In reply to Mario Gomes(@NetFuzzer) from comment #27)
> It is amazing, nothing I do is eligible for a reward. Why does Mozilla create
> the Rewards Program if it does not want to pay? And also, why put CSRF failures
> in Critical if the maximum severity is Moderate?

Mario,

I think you may have received incorrect information somewhere.

The combination of issues listed in this bug and bug 703975 have been evaluated and are going to be paid as part of the bug bounty.  Chris Hoffman will be contacting you to arrange payment.
Comment 29 Mario Gomes 2011-12-24 14:12:10 PST
Great - Thanks! :)

(In reply to Michael Coates [:mcoates] from comment #28)
> (In reply to Mario Gomes(@NetFuzzer) from comment #27)
> > It is amazing, nothing I do is eligible for a reward. Why does Mozilla create
> > the Rewards Program if it does not want to pay? And also, why put CSRF failures
> > in Critical if the maximum severity is Moderate?
> 
> Mario,
> 
> I think you may have received incorrect information somewhere.
> 
> The combination of issues listed in this bug and bug 703975 have been
> evaluated and are going to be paid as part of the bug bounty.  Chris Hoffman
> will be contacting you to arrange payment.
Comment 30 chris hofmann 2011-12-24 17:35:46 PST
Created attachment 584238 [details]
web bounty awarded - see other attachment
Comment 31 chris hofmann 2011-12-24 17:37:09 PST
adding the nomination.  can someone update the award level and I'll contact Mario next week.
Comment 32 Frédéric Buclin 2011-12-29 09:03:08 PST
Security Advisory sent and is live on bugzilla.org. Removing the security flag.
Comment 33 Mario Gomes 2011-12-31 13:54:23 PST
Google, Facebook, Pwiki and CCBill secure and classify all the rewards and pay quickly; I do not understand why Mozilla is so slow. "Contact in next week": the week has passed, a patch for the vulnerability has been released, and nothing has been said about the payment. Why so much delay, Mozilla?
Comment 34 Michael Coates [:mcoates] 2011-12-31 17:18:09 PST
Mario,

Apologies for any delays. I'll check into the status of things.  Many people are not working during this holiday period and sometimes items take a few days longer than normal.
Comment 35 Mario Gomes 2012-01-01 01:48:05 PST
Okay, sorry for the charging.
Comment 36 Michael Coates [:mcoates] 2012-01-09 15:20:01 PST
Mario,

Chofman sent an email around 12/31 to get more info from you. Let us know if you didn't get it.
Comment 37 Mario Gomes 2012-01-09 16:04:48 PST
Yes, I've received the email and the payment.
