CSRF vulnerability in query.cgi allows possible unauthorized use of "Set my default search back to the system default"

RESOLVED FIXED in Bugzilla 4.2

Status

Bugzilla
Query/Bug List
--
minor
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: laurens.bal, Assigned: reed)

Tracking

(Blocks: 1 bug)

4.0.6
Bugzilla 4.2
Bug Flags:
approval +
approval4.2 +

Details

(Whiteboard: [infrasec:csrf][ws:low])

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

5 years ago
Query.cgi is vulnerable to CSRF.
The link "Set my default search back to the system default" has no protection against a CSRF attack.
(Reporter)

Comment 1

5 years ago
Created attachment 623503 [details]
POC
(Assignee)

Updated

5 years ago
Assignee: nobody → query-and-buglist
Severity: critical → normal
Status: UNCONFIRMED → NEW
Component: General → Query/Bug List
Ever confirmed: true
OS: Windows 7 → All
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: general → default-qa
Hardware: x86_64 → All
Whiteboard: [infrasec:csrf][ws:low]
Version: Current → 4.0.6
(Assignee)

Comment 2

5 years ago
Created attachment 623521 [details] [diff] [review]
patch - v1

I think this should do it. Could move the token check under the if ($userid) check, but it doesn't really matter, as a token will always be generated, so might as well check it, even if it has no use when the user is not logged in.
Assignee: query-and-buglist → reed
Status: NEW → ASSIGNED
Attachment #623521 - Flags: review?(LpSolit)
(Reporter)

Comment 3

5 years ago
Is this eligible for the bounty program?
Because it is a CSRF vulnerability on bugzilla.mozilla.org --->

http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs
(Assignee)

Comment 4

5 years ago
(In reply to laurens.bal from comment #3)
> Is this eligible for the bounty program?
> Because it is a CSRF vulnerability on bugzilla.mozilla.org --->
> 
> http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs

That's up to the folks who administrate the bounty program. You may contact security [@] mozilla.org to discuss that with them.

Either way, thank you for reporting this issue. We definitely appreciate your submission, and we welcome any future reports.

Updated

5 years ago
Severity: normal → minor
The impact of this is very low; having your default search reset would be classed as a "minor annoyance".

Gerv
Although a bug, a minor annoyance does not qualify for a web bounty
(Reporter)

Comment 8

5 years ago
I agree

Comment 9

5 years ago
Comment on attachment 623521 [details] [diff] [review]
patch - v1

>=== modified file 'query.cgi'

> if ($cgi->param('nukedefaultquery')) {
>+    my $token = $cgi->param('token');
>+    check_hash_token($token, ['nukedefaultquery']);
>     if ($userid) {
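Review bot: the two added lines sit outside `if ($userid)`, so an anonymous request carrying nukedefaultquery but no token is rejected with a token error for an action that has no effect when the user is not logged in; moving `my $token = $cgi->param('token');` and `check_hash_token($token, ['nukedefaultquery']);` inside `if ($userid)` keeps the check where the token is actually issued. The hunk does not show query.cgi's imports, so also confirm check_hash_token is pulled in from Bugzilla::Token in this file.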

The token is only generated if userdefaultquery is true, i.e. only if the user is logged in. So it doesn't make sense to check the token for logged out users as nukedefaultquery has no effect for these users (and the error message would be confusing). So please move the token check inside |if ($userid)|. Otherwise your patch looks good.
Attachment #623521 - Flags: review?(LpSolit) → review-
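The review above hinges on two points: the reset must be bound to a per-user, per-action token, and that token should only be checked for logged-in users, since the action is a no-op otherwise. The following is an added illustration in Python, not Bugzilla's own code: it models the unprotected handler beside the fixed shape (token check inside the logged-in branch). The token derivation (HMAC over user id and action with a constructed site secret) and the `store` dict standing in for saved default queries are assumptions for the example.

```python
import hashlib
import hmac

# Constructed server-side secret for the example; a real deployment loads it from config.
SITE_SECRET = b"constructed-site-secret"


def issue_hash_token(user_id: int, action: str) -> str:
    """Derive a token bound to one user and one action (assumed scheme, not Bugzilla's)."""
    msg = f"{user_id}:{action}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def check_hash_token(token, user_id: int, action: str) -> bool:
    """Constant-time comparison against the expected token for this user/action."""
    if token is None:
        return False
    return hmac.compare_digest(token, issue_hash_token(user_id, action))


def handle_query_vulnerable(params: dict, user_id: int, store: dict) -> str:
    """Before the fix: any request naming nukedefaultquery resets the logged-in user's default."""
    if params.get("nukedefaultquery"):
        if user_id:
            store.pop(user_id, None)
            return "reset"
    return "noop"


def handle_query_fixed(params: dict, user_id: int, store: dict) -> str:
    """After the fix: the token is verified only where it is issued, inside the logged-in branch."""
    if params.get("nukedefaultquery"):
        if user_id:
            if not check_hash_token(params.get("token"), user_id, "nukedefaultquery"):
                return "token_error"  # cross-site request without a valid token is refused
            store.pop(user_id, None)
            return "reset"
    return "noop"  # anonymous users are neither reset nor shown a confusing token error
```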
(Assignee)

Comment 10

5 years ago
Created attachment 627507 [details] [diff] [review]
patch - v2
Attachment #623521 - Attachment is obsolete: true
Attachment #627507 - Flags: review?(LpSolit)

Comment 11

5 years ago
Comment on attachment 627507 [details] [diff] [review]
patch - v2

r=LpSolit
Attachment #627507 - Flags: review?(LpSolit) → review+

Comment 12

5 years ago
I don't want to break older installations by requiring a token for such a minor thing. So a=me for 4.2 and trunk only. You can commit this patch now and remove the security flag once it's committed.
Flags: approval4.2+
Flags: approval+
Target Milestone: --- → Bugzilla 4.2
(Assignee)

Comment 13

5 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified query.cgi
modified template/en/default/search/knob.html.tmpl
Committed revision 8248.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified query.cgi
modified template/en/default/search/knob.html.tmpl
Committed revision 8092.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Summary: CSRF: query.cgi - "Set my default search back to the system default" → CSRF vulnerability in query.cgi allows possible unauthorized use of "Set my default search back to the system default"

Updated

4 years ago
Blocks: 835424