Bug 754672 - CSRF vulnerability in buglist.cgi allows possible unauthorized setting of default search options
Status: RESOLVED FIXED
Whiteboard: [infrasec:csrf][ws:low]
Product: Bugzilla
Classification: Server Software
Component: Query/Bug List
Version: 4.0.6
Platform: All / All
Importance: -- minor
Target Milestone: Bugzilla 4.2
Assigned To: Reed Loden [:reed] (use needinfo?)
QA Contact: default-qa
Mentors:
Depends on:
Blocks: 835424 772953 786310
Reported: 2012-05-13 07:55 PDT by laurens.bal
Modified: 2013-01-28 10:07 PST (History)
CC: 9 users
LpSolit: approval+
LpSolit: approval4.2+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
Poc (3.68 KB, text/plain)
2012-05-13 07:55 PDT, laurens.bal
no flags
patch - v1 (988 bytes, patch)
2012-05-13 14:20 PDT, Reed Loden [:reed] (use needinfo?)
LpSolit: review-
patch - v2 (1.98 KB, patch)
2012-05-29 08:11 PDT, Reed Loden [:reed] (use needinfo?)
LpSolit: review+

Description laurens.bal 2012-05-13 07:55:49 PDT
Created attachment 623502 [details]
Poc

Query.cgi is vulnerable to CSRF.
The checkbox "and remember these as my default search options" has no protection against a CSRF attack.
Comment 1 Reed Loden [:reed] (use needinfo?) 2012-05-13 14:20:41 PDT
Created attachment 623524 [details] [diff] [review]
patch - v1

I believe this should do it. Since this is just a selection on the search knob, I generate a hash token for the entire knob, but I only check it if remtype == "asdefault". I think that's reasonable enough...
Comment 2 laurens.bal 2012-05-13 14:35:16 PDT
Okay, thanks for reviewing the bugs.

Laurens,
Comment 3 Gervase Markham [:gerv] 2012-05-14 01:33:41 PDT
Laurens: thanks for reporting these bugs. Can you tell us how you are finding them? Code inspection? Or do you have a tool of some sort?

Gerv
Comment 4 laurens.bal 2012-05-14 03:31:29 PDT
I was manually looking for "os injection" in the "advanced search" section.
But then I found these csrf vulnerabilities by accident.

Laurens,
Comment 6 Frédéric Buclin 2012-05-26 03:48:16 PDT
Comment on attachment 623524 [details] [diff] [review]
patch - v1

This looks good, but you should also protect nukedefaultquery in query.cgi. You can reuse the same token.
Comment 7 Reed Loden [:reed] (use needinfo?) 2012-05-26 14:00:14 PDT
(In reply to Frédéric Buclin from comment #6)
> This looks good, but you should also protect nukedefaultquery in query.cgi.
> You can reuse the same token.

That's bug 754673.
Comment 8 Frédéric Buclin 2012-05-29 05:12:23 PDT
Comment on attachment 623524 [details] [diff] [review]
patch - v1

>=== modified file 'template/en/default/search/knob.html.tmpl'

>+<input type="hidden" name="token" value="[% issue_hash_token(['searchknob']) FILTER html %]">
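Review bot: the hidden token input is emitted on every render of the knob, including for logged-out users, even though the token is only verified on the remtype == "asdefault" path (comment 1) and a request without a logged-in user cannot pass that check; wrap this line, together with the "remember these as my default search options" checkbox it protects, in a `[% IF user.id %]` guard so that only logged-in users receive the token and the FILTER html call is not paid for anonymous page views.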

To decrease the number of calls to issue_hash_token(), only call it if the user is logged in. Also, note that you will now get an error if you are not yet logged in when the "and remember these as my default search options" checkbox is checked. To mitigate this problem, I suggest that this checkbox is hidden when the user is logged out. This will also remove one checkbox from the already complex search form for logged out users. :)
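The mechanism described in comment 1 and comment 8 (a stateless hash token bound to the user and the search knob, verified only when remtype is "asdefault", and issued only for logged-in users), as an added illustration in Python rather than Bugzilla's own Perl; the secret, token lifetime, function names and request handler are constructed stand-ins, not Bugzilla's code:

```python
import hashlib
import hmac

# Constructed stand-ins: Bugzilla derives its hash tokens from a site-wide secret
# plus the user id and a purpose string; these values exist only for this example.
SITE_SECRET = b"constructed-site-wide-secret-do-not-reuse"
TOKEN_LIFETIME = 3 * 60 * 60  # seconds a token stays valid (assumed value)

def issue_hash_token(user_id, data, now):
    """Stateless token: timestamp plus HMAC over (timestamp, user id, purpose).
    Nothing is stored server-side; validity comes entirely from the secret."""
    msg = "|".join([str(now), str(user_id), *data]).encode()
    digest = hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{now}-{digest}"

def check_hash_token(token, user_id, data, now):
    """True only if the token was minted for this user and purpose and is not stale."""
    issued_at, _, _ = token.partition("-")
    if not issued_at.isdigit():
        return False
    issued_at = int(issued_at)
    if issued_at > now or now - issued_at > TOKEN_LIFETIME:
        return False
    expected = issue_hash_token(user_id, data, issued_at)
    return hmac.compare_digest(token.encode(), expected.encode())

def render_search_knob(user_id, now):
    """Template fragment modelled on knob.html.tmpl after the fix: the token and the
    'remember as default' checkbox are emitted only for a logged-in user (comment 8)."""
    if user_id is None:
        return ""
    token = issue_hash_token(user_id, ["searchknob"], now)
    return (f'<input type="hidden" name="token" value="{token}">\n'
            '<input type="checkbox" name="remtype" value="asdefault"> '
            'and remember these as my default search options')

def handle_buglist(params, user_id, saved_defaults, now):
    """Handler modelled on buglist.cgi: running a search needs no token, but the
    state-changing remtype=asdefault path (the CSRF target) must present one.
    Before the fix this branch overwrote saved_defaults with no token check at all."""
    if params.get("remtype") != "asdefault":
        return "listed"
    if user_id is None:
        return "rejected"  # anonymous users have no saved defaults to overwrite
    if not check_hash_token(params.get("token", ""), user_id, ["searchknob"], now):
        return "rejected"  # cross-site request: token missing, wrong user, or stale
    saved_defaults[user_id] = params.get("query", "")
    return "saved"
```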
Comment 9 Reed Loden [:reed] (use needinfo?) 2012-05-29 08:11:12 PDT
Created attachment 627964 [details] [diff] [review]
patch - v2
Comment 10 Frédéric Buclin 2012-05-29 08:19:45 PDT
Comment on attachment 627964 [details] [diff] [review]
patch - v2

r=LpSolit
Comment 11 Frédéric Buclin 2012-05-29 08:20:15 PDT
You can remove the sec flag once it's checked in.
Comment 12 Reed Loden [:reed] (use needinfo?) 2012-05-29 08:24:19 PDT
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified buglist.cgi
modified template/en/default/search/knob.html.tmpl
Committed revision 8250.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified buglist.cgi
modified template/en/default/search/knob.html.tmpl
Committed revision 8093.
