Bug 711714 - (CVE-2011-3667) [SECURITY] The User.offer_account_by_email WebService method lets you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: WebService
Version: 2.23.3
Hardware/OS: All / All
Importance: -- critical
Target Milestone: Bugzilla 3.4
Assigned To: Frédéric Buclin
QA Contact: default-qa
Mentors:
Depends on:
Blocks: 713348
 
Reported: 2011-12-17 05:54 PST by Frédéric Buclin
Modified: 2011-12-29 09:03 PST
CC: 4 users
LpSolit: approval+
LpSolit: approval4.2+
LpSolit: blocking4.2+
LpSolit: approval4.0+
LpSolit: blocking4.0.3+
LpSolit: approval3.6+
LpSolit: blocking3.6.7+
LpSolit: approval3.4+
LpSolit: blocking3.4.13+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
patch for trunk, v1 (7.56 KB, patch)
2011-12-17 14:24 PST, Frédéric Buclin
glob: review+
patch for 4.2, v1 (6.20 KB, patch)
2011-12-27 06:40 PST, Frédéric Buclin
dkl: review+
patch for 4.0 and older, v1 (6.00 KB, patch)
2011-12-27 07:40 PST, Frédéric Buclin
dkl: review+

Description Frédéric Buclin 2011-12-17 05:54:35 PST
createaccount.cgi rejects new account requests when $user->authorizer->user_can_create_account is false. But when calling User.offer_account_by_email, an email is sent in all cases to the user, and the link in the email lets you create a new account independently of what user_can_create_account is set to.

Depending on how the authentication method is set, having an account in the DB may be enough to log in. For LDAP or RADIUS, for example, I doubt this is exploitable, because the validation would fail (having an account in the DB doesn't mean they will recognize you). But with custom authentication methods where there is an external validator which only accepts inserting new accounts in the DB under some circumstances, I think this is exploitable.

I think that User.offer_account_by_email should check what user_can_create_account is set to, and if set to false, no email should be sent. And maybe token.cgi should also reject the new account request if this setting is false, in case the email has been sent before account creation has been disabled.

User.offer_account_by_email exists since Bugzilla 2.23.3, see bug 350232.
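The following is an added illustration of the flow the report describes; it is not Bugzilla code and the names in it (Authorizer, Site, the *_vulnerable and *_fixed methods, the sample address) are constructed stand-ins for createaccount.cgi, User.offer_account_by_email and token.cgi. It shows the two points the description makes: every entry point that can end in an account row must consult the same user_can_create_account gate, and token redemption must re-check it so a token mailed before the setting was turned off cannot be used afterwards.

```python
"""Model of the account-creation paths discussed in bug 711714.

Added illustration, not Bugzilla code. Authorizer, Site and the
*_vulnerable / *_fixed methods are constructed to mirror the three
endpoints named in the report: createaccount.cgi,
User.offer_account_by_email and token.cgi.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Authorizer:
    """Stands in for Bugzilla::Auth::Verify::*::user_can_create_account."""
    user_can_create_account: bool


@dataclass
class Site:
    authorizer: Authorizer
    users: set = field(default_factory=set)      # "accounts in the DB"
    tokens: dict = field(default_factory=dict)   # token -> email
    outbox: list = field(default_factory=list)   # (email, token) mailed

    def _require_creation_allowed(self):
        if not self.authorizer.user_can_create_account:
            raise PermissionError("auth_cant_create_account")

    def _issue_token(self, email):
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = email
        self.outbox.append((email, tok))
        return tok

    # createaccount.cgi already refused when the authorizer said no.
    def createaccount_cgi(self, email):
        self._require_creation_allowed()
        return self._issue_token(email)

    # The WebService method before the fix: mails a token unconditionally.
    def offer_account_by_email_vulnerable(self, email):
        return self._issue_token(email)

    # After the fix: same gate as createaccount.cgi, before any mail goes out.
    def offer_account_by_email_fixed(self, email):
        self._require_creation_allowed()
        return self._issue_token(email)

    # token.cgi before the fix: a valid token is all it takes.
    def token_cgi_vulnerable(self, tok):
        email = self.tokens.pop(tok)
        self.users.add(email)
        return email

    # After the fix: re-check at redemption time, so a token mailed while
    # creation was allowed is useless once the setting is turned off.
    def token_cgi_fixed(self, tok):
        self._require_creation_allowed()
        email = self.tokens.pop(tok)
        self.users.add(email)
        return email


def run_scenarios():
    """Return a dict of outcomes for the cases described in the report."""
    out = {}
    email = "attacker@example.invalid"  # constructed sample input

    # 1. Creation disabled; the vulnerable WebService path still yields an account.
    site = Site(Authorizer(user_can_create_account=False))
    tok = site.offer_account_by_email_vulnerable(email)
    site.token_cgi_vulnerable(tok)
    out["vulnerable_creates_account"] = email in site.users

    # 2. Same setting: createaccount.cgi refuses, as it always did.
    try:
        site.createaccount_cgi(email)
        out["cgi_refuses"] = False
    except PermissionError:
        out["cgi_refuses"] = True

    # 3. Fixed WebService path refuses and sends no mail.
    site = Site(Authorizer(user_can_create_account=False))
    try:
        site.offer_account_by_email_fixed(email)
        out["fixed_refuses"] = False
    except PermissionError:
        out["fixed_refuses"] = True
    out["fixed_sends_no_mail"] = len(site.outbox) == 0

    # 4. Token mailed while allowed, setting turned off, then redeemed.
    site = Site(Authorizer(user_can_create_account=True))
    tok = site.offer_account_by_email_fixed(email)
    site.authorizer.user_can_create_account = False
    try:
        site.token_cgi_fixed(tok)
        out["stale_token_refused"] = False
    except PermissionError:
        out["stale_token_refused"] = True
    out["stale_token_no_account"] = email not in site.users
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

Scenario 4 is the case the description flags for token.cgi: gating only the mail-sending side leaves a window in which already-issued tokens still create accounts, which is why the redemption step needs the same check.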
Comment 1 Frédéric Buclin 2011-12-17 14:24:54 PST
Created attachment 582597 [details] [diff] [review]
patch for trunk, v1

I also fixed the POD in WebService/User.pm which had wrong error codes. This patch applies to trunk only.
Comment 2 Byron Jones ‹:glob› 2011-12-18 22:11:23 PST
Comment on attachment 582597 [details] [diff] [review]
patch for trunk, v1

Review of attachment 582597 [details] [diff] [review]:
-----------------------------------------------------------------

r=glob
Comment 3 Frédéric Buclin 2011-12-27 06:40:24 PST
Created attachment 584428 [details] [diff] [review]
patch for 4.2, v1
Comment 4 Frédéric Buclin 2011-12-27 07:40:36 PST
Created attachment 584435 [details] [diff] [review]
patch for 4.0 and older, v1

This patch applies and works with 3.4, 3.6 and 4.0.
Comment 5 Daniel Veditz [:dveditz] 2011-12-27 12:33:15 PST
Assigned CVE-2011-3667 to this issue
Comment 6 David Lawrence [:dkl] 2011-12-27 14:30:30 PST
Comment on attachment 584428 [details] [diff] [review]
patch for 4.2, v1

Review of attachment 584428 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Comment 7 David Lawrence [:dkl] 2011-12-27 15:27:27 PST
Comment on attachment 584435 [details] [diff] [review]
patch for 4.0 and older, v1

Review of attachment 584435 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Comment 8 Frédéric Buclin 2011-12-28 14:20:00 PST
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 8054.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 7991.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 7672.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 7267.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 6818.
Comment 9 Frédéric Buclin 2011-12-29 09:03:14 PST
Security Advisory sent and is live on bugzilla.org. Removing the security flag.
