Closed Bug 711714 (CVE-2011-3667) Opened 13 years ago Closed 12 years ago

[SECURITY] The User.offer_account_by_email WebService method lets you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account

Categories

(Bugzilla :: WebService, defect)

Version: 2.23.3
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: Bugzilla 3.4

People

(Reporter: LpSolit, Assigned: LpSolit)

Attachments: 3 files

createaccount.cgi rejects new account requests when $user->authorizer->user_can_create_account is false. But when calling User.offer_account_by_email, an email is sent in all cases to the user, and the link in the email lets you create a new account independently of what user_can_create_account is set to.

Depending on how the authentication method is set, having an account in the DB may be enough to log in. For e.g. LDAP or RADIUS, I doubt this is exploitable, because the validation would fail (having an account in the DB doesn't mean they will recognize you). But with custom authentication methods where there is an external validator which only accepts to insert new accounts in the DB under some circumstances, I think this is exploitable.

I think that User.offer_account_by_email should check what user_can_create_account is set to, and if set to false, no email should be sent. And maybe token.cgi should also reject the new account request if this setting is false, in case the email has been sent before account creation has been disabled.

User.offer_account_by_email exists since Bugzilla 2.23.3, see bug 350232.
Flags: blocking4.2+
Flags: blocking4.0.3+
Flags: blocking3.6.7?
Flags: blocking3.4.13?
Summary: [SECURITY] The User.offer_account_by_email WebService method let's you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account → [SECURITY] The User.offer_account_by_email WebService method lets you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account
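The control-flow gap described in comment 0, modelled as an added example (not Bugzilla's code, and not the committed patch): the authorizer's user_can_create_account decision is enforced on the form path but not on the WebService path, and the token redeemer trusts any token it issued. Authorizer, Site, the method names mirroring createaccount.cgi / User.offer_account_by_email / token.cgi, and the error tags are stand-ins chosen for the illustration. The hardened variant goes one step further than the bug description and also re-checks the policy at redemption time, covering the case where the e-mail went out before account creation was disabled.

```python
"""
Constructed model of the CVE-2011-3667 pattern: an account-creation policy
enforced on the HTML form path but not on the WebService path, with the
token redeemer creating the account for any token it issued.  Added
illustration only; Authorizer, Site and the error tags are stand-ins.
"""
import secrets
from dataclasses import dataclass, field


class AuthError(Exception):
    """Stand-in for ThrowUserError; the message is the error tag."""


@dataclass
class Authorizer:
    """Stand-in for Bugzilla::Auth::Verify::*::user_can_create_account."""
    can_create: bool = True

    def user_can_create_account(self) -> bool:
        return self.can_create


@dataclass
class Site:
    authorizer: Authorizer
    accounts: set = field(default_factory=set)
    tokens: dict = field(default_factory=dict)   # token -> login email

    def _issue_new_user_token(self, email: str) -> str:
        """What the confirmation e-mail would carry: a random, single-use token."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = email
        return token

    # ---- vulnerable: policy checked in one entry point only --------------
    def createaccount_cgi_vuln(self, email: str) -> str:
        if not self.authorizer.user_can_create_account():
            raise AuthError("auth_cant_create_account")
        return self._issue_new_user_token(email)

    def offer_account_by_email_vuln(self, email: str) -> str:
        # BUG: no policy check; the token (and the e-mail) go out unconditionally.
        return self._issue_new_user_token(email)

    def token_cgi_vuln(self, token: str) -> str:
        # BUG: trusts any issued token; never consults the policy.
        email = self.tokens.pop(token, None)
        if email is None:
            raise AuthError("token_does_not_exist")
        self.accounts.add(email)
        return email

    # ---- hardened: one check, called from every entry point --------------
    def check_account_creation_enabled(self) -> None:
        if not self.authorizer.user_can_create_account():
            raise AuthError("auth_cant_create_account")

    def createaccount_cgi(self, email: str) -> str:
        self.check_account_creation_enabled()
        return self._issue_new_user_token(email)

    def offer_account_by_email(self, email: str) -> str:
        self.check_account_creation_enabled()
        return self._issue_new_user_token(email)

    def token_cgi(self, token: str) -> str:
        # Re-check at redemption: the policy may have changed since issuance.
        email = self.tokens.get(token)
        if email is None:
            raise AuthError("token_does_not_exist")
        self.check_account_creation_enabled()
        del self.tokens[token]          # single use
        self.accounts.add(email)
        return email


def _outcome(fn, *args) -> str:
    try:
        fn(*args)
        return "allowed"
    except AuthError as e:
        return str(e)


def demo() -> dict:
    """Run both variants with creation disabled, plus the issue-then-disable race."""
    disabled = Authorizer(can_create=False)
    vuln, hard = Site(disabled), Site(disabled)
    out = {
        "vuln_form": _outcome(vuln.createaccount_cgi_vuln, "new@example.com"),
        "hard_form": _outcome(hard.createaccount_cgi, "new@example.com"),
        "hard_ws": _outcome(hard.offer_account_by_email, "new@example.com"),
    }
    # Vulnerable WebService path: token issued, redeemed, account now exists.
    tok = vuln.offer_account_by_email_vuln("new@example.com")
    out["vuln_ws"] = _outcome(vuln.token_cgi_vuln, tok)
    out["vuln_ws_account_exists"] = "new@example.com" in vuln.accounts
    # Race: e-mail sent while enabled, policy turned off before the link is used.
    race = Site(Authorizer(can_create=True))
    tok = race.offer_account_by_email("late@example.com")
    race.authorizer.can_create = False
    out["race"] = _outcome(race.token_cgi, tok)
    out["race_account_exists"] = "late@example.com" in race.accounts
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened half is that the policy lives in one method (check_account_creation_enabled) that every issuer and the redeemer call, so a new entry point cannot silently bypass it the way the WebService method did; with a pluggable authorizer this matters most for the custom verifiers mentioned in comment 0, where a row in the DB is all a login needs.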
I also fixed the POD in WebService/User.pm which had wrong error codes. This patch applies to trunk only.
Assignee: webservice → LpSolit
Status: NEW → ASSIGNED
Attachment #582597 - Flags: review?(glob)
Comment on attachment 582597 [details] [diff] [review]
patch for trunk, v1

Review of attachment 582597 [details] [diff] [review]:
-----------------------------------------------------------------

r=glob
Attachment #582597 - Flags: review?(glob) → review+
Blocks: 713348
Attachment #584428 - Flags: review?(dkl)
Attachment #584428 - Attachment description: patch for 4.0.3, v1 → patch for 4.2, v1
This patch applies and works with 3.4, 3.6 and 4.0.
Attachment #584435 - Flags: review?(dkl)
Flags: blocking3.6.7?
Flags: blocking3.6.7+
Flags: blocking3.4.13?
Flags: blocking3.4.13+
Flags: approval?
Assigned CVE-2011-3667 to this issue
Alias: CVE-2011-3667
Version: 3.0 → 2.23.3
Comment on attachment 584428 [details] [diff] [review]
patch for 4.2, v1

Review of attachment 584428 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #584428 - Flags: review?(dkl) → review+
Comment on attachment 584435 [details] [diff] [review]
patch for 4.0 and older, v1

Review of attachment 584435 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #584435 - Flags: review?(dkl) → review+
Flags: approval4.2?
Flags: approval4.0?
Flags: approval3.6?
Flags: approval3.4?
Flags: approval?
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval3.4?
Flags: approval3.4+
Flags: approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 8054.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 7991.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 7672.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 7267.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 6818.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Security Advisory sent and is live on bugzilla.org. Removing the security flag.
Group: bugzilla-security