Bug 754673 - CSRF vulnerability in query.cgi allows possible unauthorized use of "Set my default search back to the system default"
Status: RESOLVED FIXED
Whiteboard: [infrasec:csrf][ws:low]
Product: Bugzilla
Classification: Server Software
Component: Query/Bug List (show other bugs)
Version: 4.0.6
Platform: All All
Importance: -- minor
Target Milestone: Bugzilla 4.2
Assigned To: Reed Loden [:reed] (use needinfo?)
QA Contact: default-qa
Mentors:
Depends on:
Blocks: 835424
Reported: 2012-05-13 08:02 PDT by laurens.bal
Modified: 2013-01-28 10:07 PST (History)
CC: 9 users
LpSolit: approval+
LpSolit: approval4.2+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
POC (102 bytes, text/plain)
2012-05-13 08:03 PDT, laurens.bal
no flags
patch - v1 (1.06 KB, patch)
2012-05-13 13:55 PDT, Reed Loden [:reed] (use needinfo?)
LpSolit: review-
patch - v2 (1.10 KB, patch)
2012-05-26 14:04 PDT, Reed Loden [:reed] (use needinfo?)
LpSolit: review+

Description laurens.bal 2012-05-13 08:02:32 PDT
Query.cgi is vulnerable to CSRF.
The link "Set my default search back to the system default" has no protection against a CSRF attack.
Comment 1 laurens.bal 2012-05-13 08:03:07 PDT
Created attachment 623503 [details]
POC
Comment 2 Reed Loden [:reed] (use needinfo?) 2012-05-13 13:55:08 PDT
Created attachment 623521 [details] [diff] [review]
patch - v1

I think this should do it. Could move the token check under the if ($userid) check, but it doesn't really matter, as a token will always be generated, so might as well check it, even if it has no use when the user is not logged in.
Comment 3 laurens.bal 2012-05-13 14:05:30 PDT
Is this eligible for the bounty program?
Because it is a CSRF vulnerability on bugzilla.mozilla.org --->

http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs
Comment 4 Reed Loden [:reed] (use needinfo?) 2012-05-13 14:24:34 PDT
(In reply to laurens.bal from comment #3)
> Is this eligible for the bounty program?
> Because it is a CSRF vulnerability on bugzilla.mozilla.org --->
> 
> http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs

That's up to the folks who administrate the bounty program. You may contact security [@] mozilla.org to discuss that with them.

Either way, thank you for reporting this issue. We definitely appreciate your submission, and we welcome any future reports.
Comment 5 Gervase Markham [:gerv] 2012-05-14 01:32:24 PDT
The impact of this is very low; having your default search reset would be classed as a "minor annoyance".

Gerv
Comment 7 Daniel Veditz [:dveditz] 2012-05-14 16:14:44 PDT
Although a bug, a minor annoyance does not qualify for a web bounty.
Comment 8 laurens.bal 2012-05-14 21:53:45 PDT
I agree
Comment 9 Frédéric Buclin 2012-05-17 17:30:24 PDT
Comment on attachment 623521 [details] [diff] [review]
patch - v1

>=== modified file 'query.cgi'

> if ($cgi->param('nukedefaultquery')) {
>+    my $token = $cgi->param('token');
>+    check_hash_token($token, ['nukedefaultquery']);
>     if ($userid) {
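Review bot: the two added lines run before `if ($userid)`, so a logged-out request carrying `nukedefaultquery` is rejected with a token error even though the branch below does nothing for that case; move `my $token = $cgi->param('token');` and `check_hash_token($token, ['nukedefaultquery']);` inside the `if ($userid)` block, which is the only path where the action has an effect and the only path where a token is issued. The hunk also does not show the other half of the fix: the link in the search template that triggers `nukedefaultquery` must carry the matching token, and it should be confirmed that `check_hash_token` (from Bugzilla::Token) is already imported in query.cgi, since no `use` line is added here.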

The token is only generated if userdefaultquery is true, i.e. only if the user is logged in. So it doesn't make sense to check the token for logged out users as nukedefaultquery has no effect for these users (and the error message would be confusing). So please move the token check inside |if ($userid)|. Otherwise your patch looks good.
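As an added example, not Bugzilla::Token's code and not part of either patch on this bug, the Python below sketches the hash-token pattern the review is discussing: the token is bound to the logged-in user and to the action name ('nukedefaultquery'), it is checked only for logged-in users (the placement requested above), and a request that lacks the token, which is what a cross-site link produces, is refused. The secret value, HMAC-SHA256, the three-hour lifetime and the helper names `issue_hash_token`, `check_hash_token` and `handle_nukedefaultquery` are assumptions of this example.

```python
"""Illustrative anti-CSRF hash token for a state-changing link such as
"Set my default search back to the system default" (nukedefaultquery).
Added example; not Bugzilla's Bugzilla::Token implementation."""
import hashlib
import hmac
import time

# Constructed secret for the example only; a deployment keeps such a
# value in server-side configuration and never ships it to the client.
SITE_WIDE_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_MAX_AGE = 3 * 60 * 60  # assumed token lifetime in seconds


def issue_hash_token(user_id, data, now=None, secret=SITE_WIDE_SECRET):
    """Return '<issue_time>-<hex digest>' bound to the user, the action
    data (e.g. ['nukedefaultquery']) and the time of issue."""
    now = int(time.time()) if now is None else int(now)
    message = "*".join([str(now), str(user_id), *data]).encode()
    digest = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"{now}-{digest}"


def check_hash_token(token, user_id, data, now=None, secret=SITE_WIDE_SECRET):
    """Return (ok, reason). A missing, malformed, expired or forged token
    (wrong user, wrong action, wrong secret) is rejected."""
    if not token:
        return False, "missing token"
    now = int(time.time()) if now is None else int(now)
    issue_time, sep, _digest = token.partition("-")
    if not sep or not issue_time.isdigit():
        return False, "malformed token"
    issue_time = int(issue_time)
    if issue_time > now or now - issue_time > TOKEN_MAX_AGE:
        return False, "expired token"
    # Recompute the expected token for the same issue time and compare in
    # constant time so the check does not leak how many bytes matched.
    expected = issue_hash_token(user_id, data, now=issue_time, secret=secret)
    if not hmac.compare_digest(expected, token):
        return False, "invalid token"
    return True, "ok"


def handle_nukedefaultquery(params, user_id, now=None):
    """Server-side handling that mirrors the reviewed placement: the token
    is checked only for logged-in users, because resetting the default
    query is a no-op for anyone else."""
    if "nukedefaultquery" not in params:
        return "no-op"
    if not user_id:
        return "no-op (not logged in)"
    ok, reason = check_hash_token(
        params.get("token"), user_id, ["nukedefaultquery"], now=now
    )
    if not ok:
        return f"rejected: {reason}"
    # The real handler would delete the user's saved default query here.
    return "default query reset"


if __name__ == "__main__":
    issued_at = 1_000_000
    token = issue_hash_token(42, ["nukedefaultquery"], now=issued_at)
    # Legitimate click on the link that carries the token.
    print(handle_nukedefaultquery(
        {"nukedefaultquery": "1", "token": token}, 42, now=issued_at))
    # The cross-site case from the bug description: no token at all.
    print(handle_nukedefaultquery({"nukedefaultquery": "1"}, 42, now=issued_at))
```

The `main` block shows the two cases the bug is about: the same `nukedefaultquery` request succeeds with a token issued to that user and is rejected without one. The test further covers a token issued to a different user, a token for a different action, an expired token, and the logged-out path, which returns before any token check.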
Comment 10 Reed Loden [:reed] (use needinfo?) 2012-05-26 14:04:01 PDT
Created attachment 627507 [details] [diff] [review]
patch - v2
Comment 11 Frédéric Buclin 2012-05-29 04:47:46 PDT
Comment on attachment 627507 [details] [diff] [review]
patch - v2

r=LpSolit
Comment 12 Frédéric Buclin 2012-05-29 04:50:21 PDT
I don't want to break older installations by requiring a token for such a minor thing. So a=me for 4.2 and trunk only. You can commit this patch now and remove the security flag once it's committed.
Comment 13 Reed Loden [:reed] (use needinfo?) 2012-05-29 07:53:32 PDT
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified query.cgi
modified template/en/default/search/knob.html.tmpl
Committed revision 8248.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified query.cgi
modified template/en/default/search/knob.html.tmpl
Committed revision 8092.
