CSRF vulnerability in buglist.cgi allows possible unauthorized setting of default search options

RESOLVED FIXED in Bugzilla 4.2

Status

RESOLVED FIXED

Product: Bugzilla
Component: Query/Bug List
Priority: --
Severity: minor
Reported: 5 years ago
Modified: 4 years ago

People

(Reporter: laurens.bal, Assigned: reed)

Tracking

(Blocks: 1 bug)

Version: 4.0.6
Target Milestone: Bugzilla 4.2
Bug Flags:
approval +
approval4.2 +

Details

(Whiteboard: [infrasec:csrf][ws:low])

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

5 years ago
Created attachment 623502 [details]
Poc

query.cgi is vulnerable to CSRF.
The checkbox "and remember these as my default search options" has no protection against a CSRF attack.
(Reporter)

Updated

5 years ago
Severity: normal → critical
(Assignee)

Updated

5 years ago
Assignee: nobody → query-and-buglist
Severity: critical → normal
Status: UNCONFIRMED → NEW
Component: General → Query/Bug List
Ever confirmed: true
OS: Windows 7 → All
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: general → default-qa
Hardware: x86_64 → All
Whiteboard: [infrasec:csrf][ws:low]
Version: Current → 4.0.6
(Assignee)

Comment 1

5 years ago
Created attachment 623524 [details] [diff] [review]
patch - v1

I believe this should do it. Since this is just a selection on the search knob, I generate a hash token for the entire knob, but I only check it if remtype == "asdefault". I think that's reasonable enough...
Assignee: query-and-buglist → reed
Status: NEW → ASSIGNED
Attachment #623524 - Flags: review?(LpSolit)
(Reporter)

Comment 2

5 years ago
Okay, thanks for reviewing the bugs.

Laurens,

Updated

5 years ago
Severity: normal → minor
Comment 3

5 years ago
Laurens: thanks for reporting these bugs. Can you tell us how you are finding them? Code inspection? Or do you have a tool of some sort?

Gerv
(Reporter)

Comment 4

5 years ago
I was manually looking for "OS injection" in the "advanced search" section.
But then I found these CSRF vulnerabilities by accident.

Laurens,

Comment 6

5 years ago
Comment on attachment 623524 [details] [diff] [review]
patch - v1

This looks good, but you should also protect nukedefaultquery in query.cgi. You can reuse the same token.
Attachment #623524 - Flags: review?(LpSolit) → review-
(Assignee)

Comment 7

5 years ago
(In reply to Frédéric Buclin from comment #6)
> This looks good, but you should also protect nukedefaultquery in query.cgi.
> You can reuse the same token.

That's bug 754673.
(Assignee)

Updated

5 years ago
Attachment #623524 - Flags: review- → review?(LpSolit)

Comment 8

5 years ago
Comment on attachment 623524 [details] [diff] [review]
patch - v1

>=== modified file 'template/en/default/search/knob.html.tmpl'

>+<input type="hidden" name="token" value="[% issue_hash_token(['searchknob']) FILTER html %]">
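Review bot: the hidden token is emitted unconditionally, so every viewer of the search knob, logged in or not, gets an issue_hash_token() call, and a token minted while the visitor is anonymous is bound to that anonymous identity rather than to the account that later submits remtype=asdefault, which is the mismatch behind the "error if you are not yet logged in" noted in this review. Guard the input with the template's logged-in check, for example `[% IF user.id %]` ... `[% END %]` around the `<input type="hidden" name="token" ...>` line, and put the "and remember these as my default search options" checkbox under the same guard so a logged-out user cannot submit that branch at all.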

To decrease the number of calls to issue_hash_token(), only call it if the user is logged in. Also, note that you will now get an error if you are not yet logged in when the "and remember these as my default search options" checkbox is checked. To mitigate this problem, I suggest that this checkbox is hidden when the user is logged out. This will also remove one checkbox from the already complex search form for logged out users. :)
Attachment #623524 - Flags: review?(LpSolit) → review-
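The token scheme discussed in comment 1 and comment 8, as an added Python illustration that is not Bugzilla's own Bugzilla::Token code or the patch on this bug. It models a per-user, per-purpose hash token (the names issue_hash_token, check_hash_token and the 'searchknob' label are reused from the thread; HMAC-SHA256, the constructed site-wide secret and the three-hour lifetime are assumptions) and two hypothetical stand-ins, render_search_knob for knob.html.tmpl and handle_buglist for the remtype=asdefault branch of buglist.cgi. It shows the pre-patch behaviour (a cross-site request with no token overwrites the default search), the fixed behaviour (the check runs only on the asdefault branch, as comment 1 describes), and the comment 8 failure mode in the v1 patch: a token issued to the anonymous identity does not verify once the user has logged in, which is why v2 emits the token and the checkbox only for logged-in users.

```python
import hashlib
import hmac
import time

# Constructed stand-in for the installation's site-wide secret (assumption:
# not Bugzilla's real localconfig value). In practice this comes from config.
SITE_WIDE_SECRET = b"constructed-example-site-wide-secret"
TOKEN_MAX_AGE = 3 * 60 * 60   # seconds a token stays valid (assumed lifetime)
ANONYMOUS = 0                 # user id of a logged-out visitor


def issue_hash_token(user_id, data, now=None):
    """Mint a token bound to (issue time, user id, purpose labels).

    Same shape as the thread's issue_hash_token(['searchknob']): the issue
    time is prepended in clear so the lifetime can be checked, and the MAC
    covers time, user id and labels, so the token is useless for another
    user or for another purpose.
    """
    issued = int(time.time() if now is None else now)
    msg = "*".join([str(issued), str(user_id), *data]).encode()
    mac = hmac.new(SITE_WIDE_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued}-{mac}"


def check_hash_token(token, user_id, data, now=None):
    """True only if token was minted for this user and purpose and is unexpired."""
    current = int(time.time() if now is None else now)
    try:
        issued_str, _mac = token.split("-", 1)
        issued = int(issued_str)
    except (AttributeError, ValueError):
        return False            # missing or malformed token
    if issued > current or current - issued > TOKEN_MAX_AGE:
        return False            # expired, or timestamp from the future
    expected = issue_hash_token(user_id, data, now=issued)
    return hmac.compare_digest(expected, token)


def render_search_knob(user_id):
    """Hypothetical model of knob.html.tmpl after the v2 patch: the hidden
    token (and the 'remember as default' checkbox) exist only when logged in."""
    if user_id == ANONYMOUS:
        return {}
    return {"token": issue_hash_token(user_id, ["searchknob"])}


def handle_buglist(params, user_id, protected=True):
    """Hypothetical model of buglist.cgi's remtype handling.

    protected=False reproduces the pre-patch behaviour this bug reports: any
    cross-site request carrying remtype=asdefault overwrites the victim's
    default search. protected=True checks the knob token, but only on that
    one state-changing branch, as comment 1 describes.
    """
    if params.get("remtype") != "asdefault":
        return "listed"                 # plain search: no token needed
    if user_id == ANONYMOUS:
        return "login-required"         # remembering defaults needs an account
    if protected and not check_hash_token(params.get("token"), user_id, ["searchknob"]):
        return "rejected: bad token"
    return "default-saved"


if __name__ == "__main__":
    victim = 42
    # Constructed cross-site request from an attacker page: no token at all.
    forged = {"remtype": "asdefault", "order": "bug_id"}
    print("pre-patch :", handle_buglist(forged, victim, protected=False))
    print("post-patch:", handle_buglist(forged, victim))
    # Legitimate submission carrying the token rendered into the knob.
    good = dict(forged, **render_search_knob(victim))
    print("own token :", handle_buglist(good, victim))
    # Comment 8's problem with v1: token minted while logged out, used after login.
    stale = dict(forged, token=issue_hash_token(ANONYMOUS, ["searchknob"]))
    print("anon token:", handle_buglist(stale, victim))
```

The same token value can serve the nukedefaultquery action that comment 6 mentions only if it is checked with the same label it was issued under; a token minted for ['searchknob'] does not verify for ['nukedefaultquery'] in this model, so reusing it means reusing the label on both sides, not merely the field name.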
(Assignee)

Comment 9

5 years ago
Created attachment 627964 [details] [diff] [review]
patch - v2
Attachment #623524 - Attachment is obsolete: true
Attachment #627964 - Flags: review?(LpSolit)

Comment 10

5 years ago
Comment on attachment 627964 [details] [diff] [review]
patch - v2

r=LpSolit
Attachment #627964 - Flags: review?(LpSolit) → review+

Comment 11

5 years ago
You can remove the sec flag once it's checked in.
Flags: approval4.2+
Flags: approval+
Target Milestone: --- → Bugzilla 4.2
(Assignee)

Comment 12

5 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified buglist.cgi
modified template/en/default/search/knob.html.tmpl
Committed revision 8250.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified buglist.cgi
modified template/en/default/search/knob.html.tmpl
Committed revision 8093.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Summary: CSRF: query.cgi - default search options → CSRF vulnerability in buglist.cgi allows possible unauthorized setting of default search options
Blocks: 772953
Blocks: 786310

Updated

4 years ago
Blocks: 835424