Query.cgi is vulnerable to crsf. The checkbox "and remember these as my default search options " has no protection against an crsf attack.
Assignee: nobody → query-and-buglist
Severity: critical → normal
Status: UNCONFIRMED → NEW
Component: General → Query/Bug List
Ever confirmed: true
OS: Windows 7 → All
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: general → default-qa
Hardware: x86_64 → All
Version: Current → 4.0.6
I believe this should do it. Since this is just a selection on the search knob, I generate a hash token for the entire knob, but I only check it if remtype == "asdefault". I think that's reasonable enough...
Assignee: query-and-buglist → reed
Status: NEW → ASSIGNED
Attachment #623524 - Flags: review?(LpSolit)
Okay, thanks for reviewing the bugs. Laurens,
Laurens: thanks for reporting these bugs. Can you tell us how you are finding them? Code inspection? Or do you have a tool of some sort? Gerv
I was manually looking for "os injection" in the "advanced search" section. But then I found these csrf vulnerabilities by accident. Laurens,
Comment on attachment 623524 [details] [diff] [review] patch - v1 This looks good, but you should also protect nukedefaultquery in query.cgi. You can reuse the same token.
(In reply to Frédéric Buclin from comment #6) > This looks good, but you should also protect nukedefaultquery in query.cgi. > You can reuse the same token. That's bug 754673.
Attachment #623524 - Flags: review- → review?(LpSolit)
Comment on attachment 623524 [details] [diff] [review] patch - v1 >=== modified file 'template/en/default/search/knob.html.tmpl' >+<input type="hidden" name="token" value="[% issue_hash_token(['searchknob']) FILTER html %]"> To decrease the number of calls to issue_hash_token(), only call it if the user is logged in. Also, note that you will now get an error if you are not yet logged in when the "and remember these as my default search options" checkbox is checked. To mitigate this problem, I suggest that this checkbox is hidden when the user is logged out. This will also remove one checkbox from the already complex search form for logged out users. :)
Comment on attachment 627964 [details] [diff] [review] patch - v2 r=LpSolit
Attachment #627964 - Flags: review?(LpSolit) → review+
You can remove the sec flag once it's checked in.
Target Milestone: --- → Bugzilla 4.2
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/ modified buglist.cgi modified template/en/default/search/knob.html.tmpl Committed revision 8250. Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/ modified buglist.cgi modified template/en/default/search/knob.html.tmpl Committed revision 8093.
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Summary: CSRF: query.cgi - default search options → CSRF vulnerability in buglist.cgi allows possible unauthorized setting of default search options
You need to log in before you can comment on or make changes to this bug.