Closed Bug 745397 (CVE-2012-0466) Opened 8 years ago Closed 8 years ago
[SECURITY] The JS template for buglists permits attackers to access all bugs that the victim can see
Hum, even if we move the code mentioned in comment 0 right before calling Search.pm, this correctly excludes security bugs, but it still returns all public bugs when requirelogin is turned on. This means that the attacker could still use this PoC to collect data about bugs being in Bugzilla installations which require the user to be logged in (such as corporate installations). Bugzilla 3.4 and above have Bug.search available as a WebServices method, so this makes this JS template less useful, especially as it only returns public bugs. So I'm in favor of removing this template entirely. Objections? CC'ing those who were involved in bug 195530.
AIUI, the standards-based fix for this sort of problem is Access-Control-Allow-Origin. But who would be on the whitelist? It may be easier to just remove the feature if no-one is using it. I wonder if we could use BMO access logs to find out if anyone is? The other option is fix the JS template to only return public bugs, with LpSolit's patch and perhaps more. Gerv
Let's remove the JS template entirely. I'm pretty sure mostly nobody knows about its existence.
Assignee: query-and-buglist → LpSolit
Status: NEW → ASSIGNED
Attachment #615324 - Flags: review?(glob)
i'll chat with IT to check the bmo logs; i don't want this removed on the back of a hunch.
(In reply to Byron Jones ‹:glob› from comment #4) > i'll chat with IT to check the bmo logs; i don't want this removed on the > back of a hunch. Could you get this information asap?
Comment on attachment 615324 [details] [diff] [review] patch, v1 r=glob i don't see any hits on this since 1st jan 2012 :)
Attachment #615324 - Flags: review?(glob) → review+
Let's also remove the doc reference about ctype=js for buglists. I removed the whole paragraph, because the other format specified (RDF) is already covered a few lines above this paragraph.
dveditz: we need a CVE number for this bug.
The PoC doesn't work for me (buglist.cgi syntax error in Fx 14 Nightly?) but it's easy to see the problem if you compare https://landfill.bugzilla.org/bugzilla-tip/buglist.cgi?f1=bug_group&o1=regexp&v1=.%2B&ctype=js&cmdtype=doit&remtype=asdefault ... with what you ought to get: https://landfill.bugzilla.org/bugzilla-tip/buglist.cgi?f1=bug_group&o1=regexp&v1=.%2B&ctype=js I'm assuming every landfill user is a member of "Test Group" by default (I don't remember asking to be added). If not both lists might be blank. Victims might later notice their default search was changed but by then it's too late.
(In reply to Daniel Veditz [:dveditz] from comment #11) > I'm assuming every landfill user is a member of "Test Group" by default No, nobody is in this group by default. Only canconfirm and editbugs. You have been added to the TestGroup group in 2006 by reed.
Comment on attachment 615666 [details] [diff] [review] patch for trunk, v1.1 r=glob
Attachment #615666 - Flags: review?(glob) → review+
Attachment #615666 - Attachment description: patch, v1.1 → patch for trunk, v1.1
This is the patch for all branches. The single change is the license header in list.js.tmpl, which is still MPL 1.1 (and so the patch for trunk didn't apply cleanly as the trunk uses MPL 2.0).
Attachment #616082 - Flags: review+
It's release time.
Committing to: bzr+ssh://email@example.com/bugzilla/trunk/ modified buglist.cgi modified docs/en/xml/using.xml deleted template/en/default/list/list.js.tmpl Committed revision 8207. Committing to: bzr+ssh://firstname.lastname@example.org/bugzilla/4.2/ modified buglist.cgi modified docs/en/xml/using.xml deleted template/en/default/list/list.js.tmpl Committed revision 8081. Committing to: bzr+ssh://email@example.com/bugzilla/4.0/ modified buglist.cgi modified docs/en/xml/using.xml deleted template/en/default/list/list.js.tmpl Committed revision 7706. Committing to: bzr+ssh://firstname.lastname@example.org/bugzilla/3.6/ modified buglist.cgi modified docs/en/xml/using.xml deleted template/en/default/list/list.js.tmpl Committed revision 7286.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Security advisory sent.
Razvan: yes, there is. You can use Bugzilla's build in APIs - XML-RPC, or JSON-RPC if your Bugzilla is recent. Or, of course, you could install a BzAPI instance: https://wiki.mozilla.org/Bugzilla:REST_API . See http://www.bugzilla.org/docs/ for API documentation for the WebServices interfaces. Gerv
Thank you for the links, Gervase!
You need to log in before you can comment on or make changes to this bug.