Bug 745397 - (CVE-2012-0466) [SECURITY] The JS template for buglists permits attackers to access all bugs that the victim can see
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Query/Bug List
Version: 2.17.4
Hardware/OS: All / All
Priority/Severity: -- / critical
Target Milestone: Bugzilla 3.6
Assigned To: Frédéric Buclin
QA Contact: default-qa
Mentors:
Depends on: 745898
Blocks: 835424 741079
Reported: 2012-04-13 19:28 PDT by Frédéric Buclin
Modified: 2014-06-27 14:39 PDT
CC: 9 users
LpSolit: approval+
LpSolit: approval4.2+
LpSolit: blocking4.2.1+
LpSolit: approval4.0+
LpSolit: blocking4.0.6+
LpSolit: approval3.6+
LpSolit: blocking3.6.9+
rforbes: sec-bounty+

Attachments
PoC against landfill-tip (1.44 KB, text/html)
2012-04-13 19:28 PDT, Frédéric Buclin
no flags
patch, v1 (1.82 KB, patch)
2012-04-16 07:24 PDT, Frédéric Buclin
glob: review+
patch for trunk, v1.1 (2.60 KB, patch)
2012-04-17 04:39 PDT, Frédéric Buclin
glob: review+
patch for all branches (3.6 - 4.2), v1 (3.09 KB, patch)
2012-04-18 05:11 PDT, Frédéric Buclin
LpSolit: review+

Description Frédéric Buclin 2012-04-13 19:28:12 PDT
Created attachment 614984
PoC against landfill-tip

Bug 195530 added a JavaScript template for buglists in Bugzilla 2.17.4. Although it was written with security in mind (see the 2nd patch there), it's still possible to bypass this security check by forcing buglist.cgi to log in the user again after the check is done, see the PoC (no worries, it only tries to access bugs on landfill). To make the PoC work, you must first be logged into https://landfill.bugzilla.org/bugzilla-tip/. The vulnerability has existed since 2.17.4.

The best way to fix this bug is to remove this JS template. I'm pretty sure that nobody besides gerv and Jesse knows that this template exists (I found it by accident earlier today). Either that, or this code must be moved right before calling Search.pm:

  if ((defined $cgi->param('ctype')) && ($cgi->param('ctype') eq "js")) {
      Bugzilla->logout_request();
  }
Comment 1 Frédéric Buclin 2012-04-14 04:47:28 PDT
Hum, even if we move the code mentioned in comment 0 right before calling Search.pm, this correctly excludes security bugs, but it still returns all public bugs when requirelogin is turned on. This means that the attacker could still use this PoC to collect data about bugs in Bugzilla installations which require the user to be logged in (such as corporate installations).

Bugzilla 3.4 and above have Bug.search available as a WebServices method, so this makes this JS template less useful, especially as it only returns public bugs. So I'm in favor of removing this template entirely. Objections? CC'ing those who were involved in bug 195530.
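A toy model of the buglist.cgi control flow that comments 0, 1 and 11 describe, added here as an example in JavaScript. It is not Bugzilla's code: the bug records, the group membership, the function names and the "refuse ctype=js" stand-in for the removed template are constructed for the demo; only the parameter names (ctype=js, cmdtype=doit, remtype=asdefault), the requirelogin setting and the three candidate behaviours come from the bug.

```javascript
// Added example, not Bugzilla's code: a model of the buglist.cgi ordering problem
// from comments 0, 1 and 11. Bug data, group name and helper names are constructed.

// Constructed bug database; group === null marks a public bug.
const BUGS = [
  { id: 1, group: null,        summary: 'public bug' },
  { id: 2, group: 'TestGroup', summary: 'bug restricted to TestGroup' },
];

// The victim's session: a logged-in member of TestGroup (see comment 12).
const VICTIM = { login: 'victim@example.com', groups: ['TestGroup'] };

// Stand-in for Search.pm: ids of the bugs visible to `user` (null = anonymous).
function searchVisible(user) {
  return BUGS
    .filter(b => b.group === null || (user !== null && user.groups.includes(b.group)))
    .map(b => b.id);
}

// Front-door check: requirelogin is enforced once, against the session the
// browser presented. An outsider with no account is stopped here, which is why
// public bugs on such an installation are worth stealing through a victim.
function requireLoginGate(session, requirelogin) {
  if (requirelogin && session === null) throw new Error('login required');
}

// Model of the vulnerable ordering (present since 2.17.4): the ctype=js logout
// runs early, but "remember as default" needs a login and re-establishes the
// victim's session before the search runs, so the check is undone.
function buglistVulnerable(params, session, requirelogin) {
  requireLoginGate(session, requirelogin);
  let user = session;
  if (params.ctype === 'js') user = null;                     // logout_request()
  if (params.cmdtype === 'doit' && params.remtype === 'asdefault') {
    user = session;                                           // login needed to save the query
  }
  return searchVisible(user);
}

// Comment 0's alternative: log out right before Search.pm. Group-restricted bugs
// no longer leak, but (comment 1) public bugs still do on a requirelogin
// installation, because the gate above already passed on the victim's session.
function buglistLogoutBeforeSearch(params, session, requirelogin) {
  requireLoginGate(session, requirelogin);
  let user = session;
  if (params.cmdtype === 'doit' && params.remtype === 'asdefault') user = session;
  if (params.ctype === 'js') user = null;
  return searchVisible(user);
}

// What was actually committed: the JS format is gone, so a cross-origin <script>
// tag has nothing to load. Modelled here (an assumption) as refusing ctype=js.
function buglistFixed(params, session, requirelogin) {
  requireLoginGate(session, requirelogin);
  if (params.ctype === 'js') throw new Error('ctype=js is not served');
  return searchVisible(session);
}
```

The middle variant is the interesting one: it shows why "log out before searching" is not enough once requirelogin is on, since the login requirement was satisfied by the victim's cookie before the request was downgraded to anonymous.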
Comment 2 Gervase Markham [:gerv] 2012-04-16 01:37:16 PDT
AIUI, the standards-based fix for this sort of problem is Access-Control-Allow-Origin. But who would be on the whitelist? It may be easier to just remove the feature if no-one is using it. I wonder if we could use BMO access logs to find out if anyone is?

The other option is to fix the JS template to only return public bugs, with LpSolit's patch and perhaps more.

Gerv
Comment 3 Frédéric Buclin 2012-04-16 07:24:50 PDT
Created attachment 615324
patch, v1

Let's remove the JS template entirely. I'm pretty sure mostly nobody knows about its existence.
Comment 4 Byron Jones [:glob] 2012-04-16 11:49:27 PDT
i'll chat with IT to check the bmo logs; i don't want this removed on the back of a hunch.
Comment 5 Frédéric Buclin 2012-04-16 12:45:48 PDT
(In reply to Byron Jones [:glob] from comment #4)
> i'll chat with IT to check the bmo logs; i don't want this removed on the
> back of a hunch.

Could you get this information asap?
Comment 6 Byron Jones [:glob] 2012-04-17 00:27:31 PDT
Comment on attachment 615324
patch, v1

r=glob

i don't see any hits on this since 1st jan 2012 :)
Comment 7 Frédéric Buclin 2012-04-17 04:39:00 PDT
Created attachment 615666
patch for trunk, v1.1

Let's also remove the doc reference about ctype=js for buglists. I removed the whole paragraph, because the other format specified (RDF) is already covered a few lines above this paragraph.
Comment 8 Frédéric Buclin 2012-04-17 04:40:37 PDT
dveditz: we need a CVE number for this bug.
Comment 9 Daniel Veditz [:dveditz] 2012-04-17 09:54:23 PDT
use CVE-2012-0466
Comment 11 Daniel Veditz [:dveditz] 2012-04-17 10:10:33 PDT
The PoC doesn't work for me (buglist.cgi syntax error in Fx 14 Nightly?) but it's easy to see the problem if you compare

https://landfill.bugzilla.org/bugzilla-tip/buglist.cgi?f1=bug_group&o1=regexp&v1=.%2B&ctype=js&cmdtype=doit&remtype=asdefault

... with what you ought to get:

https://landfill.bugzilla.org/bugzilla-tip/buglist.cgi?f1=bug_group&o1=regexp&v1=.%2B&ctype=js

I'm assuming every landfill user is a member of "Test Group" by default (I don't remember asking to be added). If not, both lists might be blank.

Victims might later notice their default search was changed but by then it's too late.
Comment 12 Frédéric Buclin 2012-04-17 10:15:33 PDT
(In reply to Daniel Veditz [:dveditz] from comment #11)
> I'm assuming every landfill user is a member of "Test Group" by default

No, nobody is in this group by default. Only canconfirm and editbugs. You have been added to the TestGroup group in 2006 by reed.
Comment 13 Byron Jones [:glob] 2012-04-17 11:43:26 PDT
Comment on attachment 615666
patch for trunk, v1.1

r=glob
Comment 14 Frédéric Buclin 2012-04-18 05:11:20 PDT
Created attachment 616082
patch for all branches (3.6 - 4.2), v1

This is the patch for all branches. The single change is the license header in list.js.tmpl, which is still MPL 1.1 (and so the patch for trunk didn't apply cleanly as the trunk uses MPL 2.0).
Comment 15 Frédéric Buclin 2012-04-18 09:38:05 PDT
It's release time.
Comment 16 Frédéric Buclin 2012-04-18 10:04:23 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified buglist.cgi
modified docs/en/xml/using.xml
deleted template/en/default/list/list.js.tmpl
Committed revision 8207.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified buglist.cgi
modified docs/en/xml/using.xml
deleted template/en/default/list/list.js.tmpl
Committed revision 8081.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified buglist.cgi
modified docs/en/xml/using.xml
deleted template/en/default/list/list.js.tmpl
Committed revision 7706.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified buglist.cgi
modified docs/en/xml/using.xml
deleted template/en/default/list/list.js.tmpl
Committed revision 7286.
Comment 17 Frédéric Buclin 2012-04-18 15:40:18 PDT
Security advisory sent.
Comment 18 Mario Gomes 2012-05-31 15:31:14 PDT
Oh, removing it was not necessary. You could have put a domain check or some non-scriptable code in front of the returned JavaScript code.

Something like that:
"""
;;;;REMOVEIT;;;;
callback({'someinfoname':'someinfo'});
"""
Comment 19 razvan.caliman 2012-10-24 14:44:50 PDT
Hello, 

I was using the JavaScript template to track issue diffs for W3C specification documents.
https://github.com/oslego/w3c-bugzilla-tracker/blob/master/scripts/BugzillaTrackerUtil.js#L96

The script is being actively used on W3C documents by authors to track bugs on their specs.

Since this has now been closed, is there any other way to get cross-domain search information from Bugzilla?
Comment 20 Gervase Markham [:gerv] 2012-10-25 03:32:15 PDT
Razvan: yes, there is. You can use Bugzilla's built-in APIs - XML-RPC, or JSON-RPC if your Bugzilla is recent. Or, of course, you could install a BzAPI instance: https://wiki.mozilla.org/Bugzilla:REST_API .

See http://www.bugzilla.org/docs/ for API documentation for the WebServices interfaces.

Gerv
Comment 21 razvan.caliman 2012-10-25 09:20:22 PDT
Thank you for the links, Gervase!
