Closed Bug 745397 (CVE-2012-0466) Opened 8 years ago Closed 8 years ago

[SECURITY] The JS template for buglists permits attackers to access all bugs that the victim can see

Categories

(Bugzilla :: Query/Bug List, defect, critical)

2.17.4
defect
Not set
critical

Tracking


RESOLVED FIXED
Bugzilla 3.6

People

(Reporter: LpSolit, Assigned: LpSolit)

References

(Blocks 1 open bug)

Details

Attachments

(3 files, 1 obsolete file)

Bug 195530 added a JavaScript template for buglists in Bugzilla 2.17.4. Although it was written with security in mind (see the 2nd patch there), it's still possible to bypass this security check by forcing buglist.cgi to log in the user again after the check is done; see the PoC (no worries, it only tries to access bugs on landfill). To make the PoC work, you must first be logged into https://landfill.bugzilla.org/bugzilla-tip/. The vulnerability has existed since 2.17.4.

The best way to fix this bug is to remove this JS template. I'm pretty sure that nobody besides gerv and Jesse knows that this template exists (I found it by accident earlier today). Either that, or this code must be moved right before calling Search.pm:

  # Drop the session for the js format so that the search that follows
  # runs as an anonymous user and only returns public bugs.
  if ((defined $cgi->param('ctype')) && ($cgi->param('ctype') eq "js")) {
      Bugzilla->logout_request();
  }
Flags: blocking4.2.1+
Flags: blocking4.0.6+
Flags: blocking3.6.9+
Hum, even if we move the code mentioned in comment 0 right before calling Search.pm, this correctly excludes security bugs, but it still returns all public bugs when requirelogin is turned on. This means that the attacker could still use this PoC to collect data about bugs in Bugzilla installations which require the user to be logged in (such as corporate installations).

Bugzilla 3.4 and above have Bug.search available as a WebServices method, so this makes this JS template less useful, especially as it only returns public bugs. So I'm in favor of removing this template entirely. Objections? CC'ing those who were involved in bug 195530.
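The ordering problem described in the two comments above, as an added model in JavaScript. This is not Bugzilla's code and not from this bug: the bug table, the session table, the parameter names taken from the PoC URL (ctype=js, cmdtype=doit, remtype=asdefault) and the three handler variants are constructed here to show why it matters where the ctype=js logout sits relative to the "save as default query" re-login.

```javascript
// Added model of the buglist.cgi flow discussed in comments 0 and 1.
// Not Bugzilla code: the bug table, the session table and the three handler
// variants are constructed here to show why the order of the checks matters.

// Constructed bug table; `groups` lists the groups that restrict who can see a bug.
const BUGS = [
  { id: 1, summary: "public bug", groups: [] },
  { id: 2, summary: "restricted bug", groups: ["bugzilla-security"] },
];

// Constructed session table: a session cookie resolves to a user and their groups.
const SESSIONS = {
  "cookie-victim": { login: "victim@example.com", groups: ["bugzilla-security"] },
};
const ANONYMOUS = { login: null, groups: [] };

// Parameters from the PoC URL: the js format plus "save this query as my default".
const POC_PARAMS = { ctype: "js", cmdtype: "doit", remtype: "asdefault" };

// What Search.pm returns: public bugs plus those in one of the user's groups.
function visibleBugs(user) {
  return BUGS.filter(
    (b) => b.groups.length === 0 || b.groups.some((g) => user.groups.includes(g))
  );
}

// Saving the query as the default needs a logged-in user, so this step
// re-establishes the session from the cookie wherever the handler places it.
function saveAsDefault(params, user, cookie) {
  if (params.cmdtype === "doit" && params.remtype === "asdefault") {
    return SESSIONS[cookie] || ANONYMOUS; // equivalent of calling login() again
  }
  return user;
}

// 2.17.4 .. 4.2 as described in comment 0: ctype=js logs the user out early,
// but the save-as-default step logs them back in before the search runs.
function buglistVulnerable(params, cookie, requireLogin) {
  let user = SESSIONS[cookie] || ANONYMOUS;
  if (params.ctype === "js") user = ANONYMOUS; // the intended check
  user = saveAsDefault(params, user, cookie); // undoes it
  if (requireLogin && !user.login) return { error: "login required" };
  return { bugs: visibleBugs(user) };
}

// Alternative from comment 0: move the logout to just before Search.pm.
// Group-restricted bugs are now hidden, but on a requirelogin installation the
// login check has already passed, so every public bug is still returned (comment 1).
function buglistLogoutBeforeSearch(params, cookie, requireLogin) {
  let user = SESSIONS[cookie] || ANONYMOUS;
  user = saveAsDefault(params, user, cookie);
  if (requireLogin && !user.login) return { error: "login required" };
  if (params.ctype === "js") user = ANONYMOUS; // now after every login path
  return { bugs: visibleBugs(user) };
}

// What shipped: the js format no longer exists, so the request is refused.
function buglistFixed(params, cookie, requireLogin) {
  if (params.ctype === "js") return { error: "unknown ctype" };
  let user = SESSIONS[cookie] || ANONYMOUS;
  user = saveAsDefault(params, user, cookie);
  if (requireLogin && !user.login) return { error: "login required" };
  return { bugs: visibleBugs(user) };
}

// Bug ids each variant discloses to a ctype=js request carrying the victim's cookie.
function disclosedIds(handler, requireLogin) {
  const result = handler(POC_PARAMS, "cookie-victim", requireLogin);
  return result.bugs ? result.bugs.map((b) => b.id) : [];
}
```

Running `disclosedIds` over the three handlers gives [1, 2] for the vulnerable flow, [1] for the moved check on a requirelogin installation (the public-bug leak from the comment above) and [] once the format is gone; the lesson is that a logout-style check is only as good as its position relative to every code path that can log the user back in.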
AIUI, the standards-based fix for this sort of problem is Access-Control-Allow-Origin. But who would be on the whitelist? It may be easier to just remove the feature if no-one is using it. I wonder if we could use BMO access logs to find out if anyone is?

The other option is to fix the JS template to only return public bugs, with LpSolit's patch and perhaps more.

Gerv
Attached patch patch, v1 (obsolete) — Splinter Review
Let's remove the JS template entirely. I'm pretty sure almost nobody knows about its existence.
Assignee: query-and-buglist → LpSolit
Status: NEW → ASSIGNED
Attachment #615324 - Flags: review?(glob)
Blocks: 741079
i'll chat with IT to check the bmo logs; i don't want this removed on the back of a hunch.
(In reply to Byron Jones ‹:glob› from comment #4)
> i'll chat with IT to check the bmo logs; i don't want this removed on the
> back of a hunch.

Could you get this information asap?
Depends on: 745898
Comment on attachment 615324 [details] [diff] [review]
patch, v1

r=glob

i don't see any hits on this since 1st jan 2012 :)
Attachment #615324 - Flags: review?(glob) → review+
Let's also remove the doc reference about ctype=js for buglists. I removed the whole paragraph, because the other format specified (RDF) is already covered a few lines above this paragraph.
Attachment #615324 - Attachment is obsolete: true
Attachment #615666 - Flags: review?(glob)
dveditz: we need a CVE number for this bug.
The PoC doesn't work for me (buglist.cgi syntax error in Fx 14 Nightly?) but it's easy to see the problem if you compare

https://landfill.bugzilla.org/bugzilla-tip/buglist.cgi?f1=bug_group&o1=regexp&v1=.%2B&ctype=js&cmdtype=doit&remtype=asdefault

... with what you ought to get:

https://landfill.bugzilla.org/bugzilla-tip/buglist.cgi?f1=bug_group&o1=regexp&v1=.%2B&ctype=js

I'm assuming every landfill user is a member of "Test Group" by default (I don't remember asking to be added). If not, both lists might be blank.

Victims might later notice their default search was changed but by then it's too late.
(In reply to Daniel Veditz [:dveditz] from comment #11)
> I'm assuming every landfill user is a member of "Test Group" by default

No, nobody is in this group by default. Only canconfirm and editbugs. You were added to the TestGroup group in 2006 by reed.
Comment on attachment 615666 [details] [diff] [review]
patch for trunk, v1.1

r=glob
Attachment #615666 - Flags: review?(glob) → review+
Flags: approval?
Flags: approval4.2?
Flags: approval4.0?
Flags: approval3.6?
Attachment #615666 - Attachment description: patch, v1.1 → patch for trunk, v1.1
This is the patch for all branches. The single change is the license header in list.js.tmpl, which is still MPL 1.1 (and so the patch for trunk didn't apply cleanly as the trunk uses MPL 2.0).
Attachment #616082 - Flags: review+
It's release time.
Flags: approval?
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified buglist.cgi
modified docs/en/xml/using.xml
deleted template/en/default/list/list.js.tmpl
Committed revision 8207.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified buglist.cgi
modified docs/en/xml/using.xml
deleted template/en/default/list/list.js.tmpl
Committed revision 8081.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified buglist.cgi
modified docs/en/xml/using.xml
deleted template/en/default/list/list.js.tmpl
Committed revision 7706.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified buglist.cgi
modified docs/en/xml/using.xml
deleted template/en/default/list/list.js.tmpl
Committed revision 7286.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Security advisory sent.
Group: bugzilla-security
Oh, removing it was not necessary. You could have put a domain check or some non-scriptable code before the returned JavaScript code.

Something like this:
"""
;;;;REMOVEIT;;;;
callback({'someinfoname':'someinfo'});
"""
Hello, 

I was using the JavaScript template to track issue diffs for W3C specification documents.
https://github.com/oslego/w3c-bugzilla-tracker/blob/master/scripts/BugzillaTrackerUtil.js#L96

The script is being actively used on W3C documents by authors to track bugs on their specs.

Since this has now been closed, is there any other way to get cross-domain search information from Bugzilla?
Razvan: yes, there is. You can use Bugzilla's built-in APIs - XML-RPC, or JSON-RPC if your Bugzilla is recent. Or, of course, you could install a BzAPI instance: https://wiki.mozilla.org/Bugzilla:REST_API .

See http://www.bugzilla.org/docs/ for API documentation for the WebServices interfaces.

Gerv
Thank you for the links, Gervase!
Blocks: 835424
Flags: sec-bounty+