Closed Bug 754672 Opened 12 years ago Closed 12 years ago

CSRF vulnerability in buglist.cgi allows possible unauthorized setting of default search options

Categories

(Bugzilla :: Query/Bug List, defect)

4.0.6
defect
Not set
minor

Tracking

RESOLVED FIXED
Bugzilla 4.2

People

(Reporter: laurens.bal, Assigned: reed)

References

Details

(Whiteboard: [infrasec:csrf][ws:low])

Attachments

(2 files, 1 obsolete file)

Attached file Poc
query.cgi is vulnerable to CSRF.
The checkbox "and remember these as my default search options" has no protection against a CSRF attack.
Severity: normal → critical
Assignee: nobody → query-and-buglist
Severity: critical → normal
Status: UNCONFIRMED → NEW
Component: General → Query/Bug List
Ever confirmed: true
OS: Windows 7 → All
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: general → default-qa
Hardware: x86_64 → All
Whiteboard: [infrasec:csrf][ws:low]
Version: Current → 4.0.6
Attached patch patch - v1 (obsolete) — Splinter Review
I believe this should do it. Since this is just a selection on the search knob, I generate a hash token for the entire knob, but I only check it if remtype == "asdefault". I think that's reasonable enough...
Assignee: query-and-buglist → reed
Status: NEW → ASSIGNED
Attachment #623524 - Flags: review?(LpSolit)
Okay, thanks for reviewing the bugs.

Laurens,
Severity: normal → minor
Laurens: thanks for reporting these bugs. Can you tell us how you are finding them? Code inspection? Or do you have a tool of some sort?

Gerv
I was manually looking for "OS injection" in the "advanced search" section.
But then I found these CSRF vulnerabilities by accident.

Laurens,
Comment on attachment 623524 [details] [diff] [review]
patch - v1

This looks good, but you should also protect nukedefaultquery in query.cgi. You can reuse the same token.
Attachment #623524 - Flags: review?(LpSolit) → review-
(In reply to Frédéric Buclin from comment #6)
> This looks good, but you should also protect nukedefaultquery in query.cgi.
> You can reuse the same token.

That's bug 754673.
Attachment #623524 - Flags: review- → review?(LpSolit)
Comment on attachment 623524 [details] [diff] [review]
patch - v1

>=== modified file 'template/en/default/search/knob.html.tmpl'

>+<input type="hidden" name="token" value="[% issue_hash_token(['searchknob']) FILTER html %]">
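Review bot: this hidden field calls issue_hash_token() for every visitor, logged in or not, while the consuming side in buglist.cgi only validates the token when remtype == "asdefault" (patch description above). Gate the field on the user being logged in, and put the "and remember these as my default search options" checkbox inside the same conditional, so logged-out users neither pay for a token they never use nor hit a token error when they tick the box.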

To decrease the number of calls to issue_hash_token(), only call it if the user is logged in. Also, note that you will now get an error if you are not yet logged in when the "and remember these as my default search options" checkbox is checked. To mitigate this problem, I suggest that this checkbox is hidden when the user is logged out. This will also remove one checkbox from the already complex search form for logged out users. :)
Attachment #623524 - Flags: review?(LpSolit) → review-
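The token scheme from the patch description and the review above, as an added Python model that is not Bugzilla's own Perl code: a token bound to the user and to the data list ['searchknob'] is issued, and buglist.cgi-style handling checks it only on the state-changing remtype == "asdefault" path, rejecting logged-out users before the token check. The secret, the HMAC construction and the token age window are assumptions.

```python
import hashlib
import hmac
import time

# Constructed secret for the example; Bugzilla reads its own from localconfig.
SITE_WIDE_SECRET = b"constructed-example-secret"
MAX_TOKEN_AGE = 3 * 24 * 3600  # assumed freshness window in seconds


def issue_hash_token(user_id, data, now=None):
    """Token tied to issue time, user id and a list of data items
    (modelled on Bugzilla's issue_hash_token; an assumption, not its code)."""
    now = int(now if now is not None else time.time())
    msg = "*".join([str(now), str(user_id), *data]).encode()
    digest = hmac.new(SITE_WIDE_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{now}-{digest}"


def check_hash_token(token, user_id, data, now=None):
    """True only if the token was issued for this user and data and is fresh."""
    now = int(now if now is not None else time.time())
    try:
        issued_str, _ = token.split("-", 1)
        issued = int(issued_str)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    if not 0 <= now - issued <= MAX_TOKEN_AGE:
        return False  # expired or from the future
    expected = issue_hash_token(user_id, data, issued)
    return hmac.compare_digest(token, expected)


def remember_as_default(params, user_id, defaults, now=None):
    """buglist.cgi-style handler: a plain search needs no token, but the
    'remember these as my default search options' path (remtype=asdefault)
    changes server-side state and must carry a valid search-knob token."""
    if params.get("remtype") != "asdefault":
        return "search only"  # read-only request, nothing to protect
    if user_id is None:
        return "error: login required"  # checkbox is hidden for logged-out users
    if not check_hash_token(params.get("token"), user_id, ["searchknob"], now):
        return "error: invalid or missing token"
    defaults[user_id] = params.get("query", "")
    return "defaults saved"
```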
Attached patch patch - v2 — Splinter Review
Attachment #623524 - Attachment is obsolete: true
Attachment #627964 - Flags: review?(LpSolit)
Comment on attachment 627964 [details] [diff] [review]
patch - v2

r=LpSolit
Attachment #627964 - Flags: review?(LpSolit) → review+
You can remove the sec flag once it's checked in.
Flags: approval4.2+
Flags: approval+
Target Milestone: --- → Bugzilla 4.2
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified buglist.cgi
modified template/en/default/search/knob.html.tmpl
Committed revision 8250.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified buglist.cgi
modified template/en/default/search/knob.html.tmpl
Committed revision 8093.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Summary: CSRF: query.cgi - default search options → CSRF vulnerability in buglist.cgi allows possible unauthorized setting of default search options
Blocks: 772953
Blocks: 786310