Bug 711714 (CVE-2011-3667)

[SECURITY] The User.offer_account_by_email WebService method lets you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account

RESOLVED FIXED in Bugzilla 3.4

Status


Bugzilla
WebService
--
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

2.23.3
Bugzilla 3.4
Bug Flags:
approval +
approval4.2 +
blocking4.2 +
approval4.0 +
blocking4.0.3 +
approval3.6 +
blocking3.6.7 +
approval3.4 +
blocking3.4.13 +

Details

Attachments

(3 attachments)

(Assignee)

Description

6 years ago
createaccount.cgi rejects new account requests when $user->authorizer->user_can_create_account is false. But when calling User.offer_account_by_email, an email is sent in all cases to the user, and the link in the email lets you create a new account independently of what user_can_create_account is set to.

Depending on how the authentication method is set, having an account in the DB may be enough to log in. For e.g. LDAP or RADIUS, I doubt this is exploitable, because the validation would fail (having an account in the DB doesn't mean they will recognize you). But with custom authentication methods where there is an external validator which only accepts to insert new accounts in the DB under some circumstances, I think this is exploitable.

I think that User.offer_account_by_email should check what user_can_create_account is set to, and if set to false, no email should be sent. And maybe token.cgi should also reject the new account request if this setting is false, in case the email has been sent before account creation has been disabled.

User.offer_account_by_email exists since Bugzilla 2.23.3, see bug 350232.
Flags: blocking4.2+
Flags: blocking4.0.3+
Flags: blocking3.6.7?
Flags: blocking3.4.13?
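To make the two code paths in the description concrete, here is a constructed Perl model (added here, not Bugzilla's own code): a stub `Authorizer` stands in for `Bugzilla::Auth::Verify::*::user_can_create_account`, plain hashes stand in for the tokens and profiles tables, and the names `issue_token`, `redeem_token_fixed` and the `_vulnerable`/`_fixed` variants are invented for illustration. It shows why the check belongs both where the email is issued and where the token is redeemed.

```perl
# Constructed model of the CVE-2011-3667 control flow; not Bugzilla's code.
use strict; use warnings;

# Stand-in for Bugzilla::Auth::Verify::*::user_can_create_account.
package Authorizer;
sub new { my ($class, $flag) = @_; return bless { can_create => $flag }, $class; }
sub user_can_create_account { return $_[0]{can_create}; }

package main;
my %tokens;    # constructed stand-in for the tokens table: token => email
my %accounts;  # constructed stand-in for the profiles table: email => 1
my $next_id = 0;

# The token is what the link in the confirmation email carries.
sub issue_token {
    my ($email) = @_;
    my $token = 'token-' . ++$next_id;
    $tokens{$token} = $email;
    return $token;
}

# Before the fix: the WebService method never consults the authorizer,
# unlike createaccount.cgi, so the email goes out regardless of policy.
sub offer_account_by_email_vulnerable { my ($auth, $email) = @_; return issue_token($email); }

# After the fix: the same gate createaccount.cgi applies, so no email is sent.
sub offer_account_by_email_fixed {
    my ($auth, $email) = @_;
    die "account_creation_disabled\n" unless $auth->user_can_create_account;
    return issue_token($email);
}

# token.cgi side of the fix: re-check the policy when the token is redeemed,
# so a token emailed before creation was disabled is refused as well.
sub redeem_token_fixed {
    my ($auth, $token) = @_;
    die "account_creation_disabled\n" unless $auth->user_can_create_account;
    my $email = delete $tokens{$token} or die "token_does_not_exist\n";
    $accounts{$email} = 1;
    return $email;
}

my ($open, $closed) = (Authorizer->new(1), Authorizer->new(0));
# Token issued while creation was allowed, redeemed after it was disabled.
my $stale = offer_account_by_email_vulnerable($open, 'user@example.com');
eval { redeem_token_fixed($closed, $stale) };
print "stale token: $@";
eval { offer_account_by_email_fixed($closed, 'user@example.com') };
print "offer while disabled: $@";
print "accounts created: ", scalar(keys %accounts), "\n";
```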
(Assignee)

Updated

6 years ago
Summary: [SECURITY] The User.offer_account_by_email WebService method let's you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account → [SECURITY] The User.offer_account_by_email WebService method lets you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account
(Assignee)

Comment 1

6 years ago
Created attachment 582597 [details] [diff] [review]
patch for trunk, v1

I also fixed the POD in WebService/User.pm which had wrong error codes. This patch applies to trunk only.
Assignee: webservice → LpSolit
Status: NEW → ASSIGNED
Attachment #582597 - Flags: review?(glob)
Comment on attachment 582597 [details] [diff] [review]
patch for trunk, v1

Review of attachment 582597 [details] [diff] [review]:
-----------------------------------------------------------------

r=glob
Attachment #582597 - Flags: review?(glob) → review+
(Assignee)

Updated

6 years ago
Blocks: 713348
(Assignee)

Comment 3

6 years ago
Created attachment 584428 [details] [diff] [review]
patch for 4.2, v1
Attachment #584428 - Flags: review?(dkl)
(Assignee)

Updated

6 years ago
Attachment #584428 - Attachment description: patch for 4.0.3, v1 → patch for 4.2, v1
(Assignee)

Comment 4

6 years ago
Created attachment 584435 [details] [diff] [review]
patch for 4.0 and older, v1

This patch applies and works with 3.4, 3.6 and 4.0.
Attachment #584435 - Flags: review?(dkl)
(Assignee)

Updated

6 years ago
Flags: blocking3.6.7?
Flags: blocking3.6.7+
Flags: blocking3.4.13?
Flags: blocking3.4.13+
Flags: approval?
Assigned CVE-2011-3667 to this issue
Alias: CVE-2011-3667
(Assignee)

Updated

6 years ago
Version: 3.0 → 2.23.3
Comment on attachment 584428 [details] [diff] [review]
patch for 4.2, v1

Review of attachment 584428 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #584428 - Flags: review?(dkl) → review+
Comment on attachment 584435 [details] [diff] [review]
patch for 4.0 and older, v1

Review of attachment 584435 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #584435 - Flags: review?(dkl) → review+
(Assignee)

Updated

6 years ago
Flags: approval4.2?
Flags: approval4.0?
Flags: approval3.6?
Flags: approval3.4?
(Assignee)

Updated

6 years ago
Flags: approval?
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval3.4?
Flags: approval3.4+
Flags: approval+
(Assignee)

Comment 8

6 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 8054.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 7991.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 7672.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 7267.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified createaccount.cgi
modified token.cgi
modified Bugzilla/User.pm
modified Bugzilla/WebService/Constants.pm
modified Bugzilla/WebService/User.pm
Committed revision 6818.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Assignee)

Comment 9

6 years ago
Security Advisory sent and is live on bugzilla.org. Removing the security flag.
Group: bugzilla-security