Bug 711714 (CVE-2011-3667): [SECURITY] The User.offer_account_by_email WebService method lets you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account

Status: Closed, RESOLVED FIXED
Product/Component: Bugzilla :: WebService (defect)
Target Milestone: Bugzilla 3.4
Opened 13 years ago, Closed 12 years ago
Reporter: LpSolit, Assigned: LpSolit

Attachments (3 files):
- patch, 7.56 KB, glob: review+
- patch, 6.20 KB, dkl: review+
- patch, 6.00 KB, dkl: review+

Description
createaccount.cgi rejects new account requests when $user->authorizer->user_can_create_account is false. But when calling User.offer_account_by_email, an email is sent in all cases to the user, and the link in the email lets you create a new account independently of what user_can_create_account is set to. Depending on how the authentication method is set, having an account in the DB may be enough to log in. For LDAP or RADIUS, for example, I doubt this is exploitable, because the validation would fail (having an account in the DB doesn't mean they will recognize you). But with custom authentication methods where there is an external validator which only accepts to insert new accounts in the DB under some circumstances, I think this is exploitable.

I think that User.offer_account_by_email should check what user_can_create_account is set to, and if set to false, no email should be sent. And maybe token.cgi should also reject the new account request if this setting is false, in case the email was sent before account creation was disabled.

User.offer_account_by_email has existed since Bugzilla 2.23.3, see bug 350232.
Flags: blocking4.2+
Flags: blocking4.0.3+
Flags: blocking3.6.7?
Flags: blocking3.4.13?
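As an added illustration (not the project's own code, and in Python rather than Bugzilla's Perl), the following models the three situations the report describes: the unconditional WebService offer, the offer guarded by the same check createaccount.cgi makes, and a re-check at token redemption for an email that went out before account creation was disabled. The class and method names (Site, offer_account_by_email_fixed, redeem_token_fixed, AccountCreationDisabled) are invented for the model; can_create_account stands in for the authorizer's user_can_create_account.

```python
"""Model of the two-step account-offer flow discussed in this bug.

Constructed illustration only: this is not Bugzilla code, and the class and
method names below are invented.  `can_create_account` stands in for the
authorizer's user_can_create_account setting.
"""
import secrets
from dataclasses import dataclass, field


class AccountCreationDisabled(Exception):
    """Raised where Bugzilla would throw a user error for disabled account creation."""


@dataclass
class Site:
    """One Bugzilla-like installation: policy flag, user table, pending tokens, mail outbox."""
    can_create_account: bool = True
    users: set = field(default_factory=set)
    tokens: dict = field(default_factory=dict)  # token -> email address it was issued for
    outbox: list = field(default_factory=list)  # (email, token) pairs that were "mailed"

    def _issue_token(self, email):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        self.outbox.append((email, token))
        return token

    # createaccount.cgi: the HTML form path already enforced the policy.
    def createaccount_cgi(self, email):
        if not self.can_create_account:
            raise AccountCreationDisabled(email)
        return self._issue_token(email)

    # Vulnerable WebService behaviour: the email goes out regardless of the policy.
    def offer_account_by_email_vulnerable(self, email):
        return self._issue_token(email)

    # Fixed WebService behaviour: same guard as the CGI, so no email is sent.
    def offer_account_by_email_fixed(self, email):
        if not self.can_create_account:
            raise AccountCreationDisabled(email)
        return self._issue_token(email)

    # token.cgi, vulnerable: any valid token creates the account.
    def redeem_token_vulnerable(self, token):
        email = self.tokens.pop(token)  # KeyError for an unknown token
        self.users.add(email)
        return email

    # token.cgi, fixed: the policy is re-checked at redemption, so a token mailed
    # before account creation was disabled cannot be used afterwards.
    def redeem_token_fixed(self, token):
        email = self.tokens.pop(token)  # consume the token either way
        if not self.can_create_account:
            raise AccountCreationDisabled(email)
        self.users.add(email)
        return email


def run_scenarios(email="newuser@example.com"):
    """Exercise the three situations from the report; returns a dict of booleans."""
    results = {}

    # 1. Creation disabled, vulnerable API: an email is still sent and the link works.
    site = Site(can_create_account=False)
    token = site.offer_account_by_email_vulnerable(email)
    site.redeem_token_vulnerable(token)
    results["vulnerable_api_sends_mail"] = len(site.outbox) == 1
    results["vulnerable_link_creates_account"] = email in site.users

    # 2. Creation disabled, fixed API: refused before any email is sent.
    site = Site(can_create_account=False)
    try:
        site.offer_account_by_email_fixed(email)
        results["fixed_api_refuses"] = False
    except AccountCreationDisabled:
        results["fixed_api_refuses"] = True
    results["fixed_api_sends_no_mail"] = len(site.outbox) == 0

    # 3. Token issued while creation was allowed, policy disabled before the link is used.
    site = Site(can_create_account=True)
    token = site.offer_account_by_email_fixed(email)
    site.can_create_account = False
    try:
        site.redeem_token_fixed(token)
        results["stale_token_refused"] = False
    except AccountCreationDisabled:
        results["stale_token_refused"] = True
    results["stale_token_creates_no_account"] = email not in site.users
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

Run it directly to print each scenario's outcome. The re-check in redeem_token_fixed is the point the report's last suggestion makes: an offer-time check alone leaves a window for tokens issued earlier, so the policy has to be enforced again at the step that actually inserts the account.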
Updated•13 years ago (Assignee)
Summary: [SECURITY] The User.offer_account_by_email WebService method let's you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account → [SECURITY] The User.offer_account_by_email WebService method lets you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account
Comment 1•13 years ago (Assignee)
I also fixed the POD in WebService/User.pm which had wrong error codes. This patch applies to trunk only.
Comment on attachment 582597 (patch for trunk, v1)
Review of attachment 582597:
r=glob

Attachment #582597 - Flags: review?(glob) → review+
Comment 3•12 years ago (Assignee)
Attachment #584428 - Flags: review?(dkl)
Updated•12 years ago (Assignee)
Attachment #584428 - Attachment description: patch for 4.0.3, v1 → patch for 4.2, v1
Comment 4•12 years ago (Assignee)
This patch applies and works with 3.4, 3.6 and 4.0.
Attachment #584435 - Flags: review?(dkl)
Updated•12 years ago (Assignee)
Flags: blocking3.6.7? → blocking3.6.7+
Flags: blocking3.4.13? → blocking3.4.13+
Flags: approval?
Updated•12 years ago (Assignee)
Version: 3.0 → 2.23.3
Comment 6•12 years ago
Comment on attachment 584428 (patch for 4.2, v1)
Review of attachment 584428:
r=dkl

Attachment #584428 - Flags: review?(dkl) → review+
Comment 7•12 years ago
Comment on attachment 584435 (patch for 4.0 and older, v1)
Review of attachment 584435:
r=dkl

Attachment #584435 - Flags: review?(dkl) → review+
Updated•12 years ago (Assignee)
Flags: approval4.2?
Flags: approval4.0?
Flags: approval3.6?
Flags: approval3.4?
Updated•12 years ago (Assignee)
Flags: approval? → approval+
Flags: approval4.2? → approval4.2+
Flags: approval4.0? → approval4.0+
Flags: approval3.6? → approval3.6+
Flags: approval3.4? → approval3.4+
Comment 8•12 years ago (Assignee)
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
  modified createaccount.cgi, token.cgi, Bugzilla/User.pm, Bugzilla/WebService/Constants.pm, Bugzilla/WebService/User.pm
  Committed revision 8054.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
  modified createaccount.cgi, token.cgi, Bugzilla/User.pm, Bugzilla/WebService/Constants.pm, Bugzilla/WebService/User.pm
  Committed revision 7991.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
  modified createaccount.cgi, token.cgi, Bugzilla/User.pm, Bugzilla/WebService/Constants.pm, Bugzilla/WebService/User.pm
  Committed revision 7672.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
  modified createaccount.cgi, token.cgi, Bugzilla/User.pm, Bugzilla/WebService/Constants.pm, Bugzilla/WebService/User.pm
  Committed revision 7267.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
  modified createaccount.cgi, token.cgi, Bugzilla/User.pm, Bugzilla/WebService/Constants.pm, Bugzilla/WebService/User.pm
  Committed revision 6818.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 9•12 years ago (Assignee)
Security Advisory sent and is live on bugzilla.org. Removing the security flag.
Group: bugzilla-security