Closed Bug 754673 Opened 12 years ago Closed 12 years ago

CSRF vulnerability in query.cgi allows possible unauthorized use of "Set my default search back to the system default"

Categories

(Bugzilla :: Query/Bug List, defect)

4.0.6
defect
Not set
minor

Tracking

RESOLVED FIXED
Bugzilla 4.2

People

(Reporter: laurens.bal, Assigned: reed)

Details

(Whiteboard: [infrasec:csrf][ws:low])

Attachments

(2 files, 1 obsolete file)

query.cgi is vulnerable to CSRF.
The link "Set my default search back to the system default" has no protection against a CSRF attack.
Attached file POC
Assignee: nobody → query-and-buglist
Severity: critical → normal
Status: UNCONFIRMED → NEW
Component: General → Query/Bug List
Ever confirmed: true
OS: Windows 7 → All
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: general → default-qa
Hardware: x86_64 → All
Whiteboard: [infrasec:csrf][ws:low]
Version: Current → 4.0.6
Attached patch patch - v1 (obsolete) — Splinter Review
I think this should do it. Could move the token check under the if ($userid) check, but it doesn't really matter, as a token will always be generated, so might as well check it, even if it has no use when the user is not logged in.
Assignee: query-and-buglist → reed
Status: NEW → ASSIGNED
Attachment #623521 - Flags: review?(LpSolit)
Is this eligible for the bounty program?
Because it is a CSRF vulnerability on bugzilla.mozilla.org --->

http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs
(In reply to laurens.bal from comment #3)
> Is this eligible for the bounty program?
> Because it is a CSRF vulnerability on bugzilla.mozilla.org --->
> 
> http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs

That's up to the folks who administrate the bounty program. You may contact security [@] mozilla.org to discuss that with them.

Either way, thank you for reporting this issue. We definitely appreciate your submission, and we welcome any future reports.
Severity: normal → minor
The impact of this is very low; having your default search reset would be classed as a "minor annoyance".

Gerv
Although a bug, a minor annoyance does not qualify for a web bounty.
I agree
Comment on attachment 623521 [details] [diff] [review]
patch - v1

>=== modified file 'query.cgi'

> if ($cgi->param('nukedefaultquery')) {
>+    my $token = $cgi->param('token');
>+    check_hash_token($token, ['nukedefaultquery']);
>     if ($userid) {
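Review bot: the added `check_hash_token($token, ['nukedefaultquery'])` call runs before the `if ($userid) {` guard, so a logged-out request carrying `nukedefaultquery` is subjected to a token check even though the action is a no-op for that user and, as the reviewer notes, no token is issued unless the user is logged in; move the two `+` lines inside the `if ($userid) {` block so anonymous requests keep their current behaviour and do not hit a misleading token error. The template change that appends `token` to the "Set my default search back to the system default" link is not in the quoted portion, so that side of the fix cannot be verified from this hunk.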

The token is only generated if userdefaultquery is true, i.e. only if the user is logged in. So it doesn't make sense to check the token for logged out users as nukedefaultquery has no effect for these users (and the error message would be confusing). So please move the token check inside |if ($userid)|. Otherwise your patch looks good.
Attachment #623521 - Flags: review?(LpSolit) → review-
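To illustrate the placement the reviewer asks for (token bound to the logged-in user and to the action name, checked only inside the logged-in branch), here is an added stand-in example in Python; it is not Bugzilla's `check_hash_token`, and the secret, lifetime and token layout are assumptions made for this example.

```python
import hashlib
import hmac
import time

# Constructed site-wide secret for this example; a real deployment uses its own.
SITE_SECRET = b"example-site-secret-do-not-reuse"
TOKEN_TTL = 3 * 24 * 3600  # assumed lifetime: tokens older than three days are rejected


def issue_hash_token(user_id, action, now=None):
    """Issue a token tied to this user and this action, as a '<timestamp>-<mac>' string."""
    now = int(now if now is not None else time.time())
    msg = f"{user_id}|{now}|{action}".encode()
    mac = hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{now}-{mac}"


def check_hash_token(token, user_id, action, now=None):
    """Return True only if token was issued for (user_id, action) and has not expired."""
    now = int(now if now is not None else time.time())
    try:
        ts_str, mac = token.split("-", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False  # missing or malformed token, e.g. a forged cross-site link
    if ts > now or now - ts > TOKEN_TTL:
        return False
    expected = hmac.new(SITE_SECRET, f"{user_id}|{ts}|{action}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_nukedefaultquery(params, user_id):
    """Mirror of the v2 placement: the token is checked only inside the logged-in branch.

    Returns 'noop' for anonymous users (the action has no effect for them, so no
    token error is raised), 'rejected' for a missing or wrong token, 'reset' otherwise.
    """
    if not user_id:
        return "noop"
    if not check_hash_token(params.get("token"), user_id, "nukedefaultquery"):
        return "rejected"
    # A real handler would delete the user's saved default query here.
    return "reset"
```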
Attached patch patch - v2 — Splinter Review
Attachment #623521 - Attachment is obsolete: true
Attachment #627507 - Flags: review?(LpSolit)
Comment on attachment 627507 [details] [diff] [review]
patch - v2

r=LpSolit
Attachment #627507 - Flags: review?(LpSolit) → review+
I don't want to break older installations by requiring a token for such a minor thing. So a=me for 4.2 and trunk only. You can commit this patch now and remove the security flag once it's committed.
Flags: approval4.2+
Flags: approval+
Target Milestone: --- → Bugzilla 4.2
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified query.cgi
modified template/en/default/search/knob.html.tmpl
Committed revision 8248.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified query.cgi
modified template/en/default/search/knob.html.tmpl
Committed revision 8092.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Summary: CSRF: query.cgi - "Set my default search back to the system default" → CSRF vulnerability in query.cgi allows possible unauthorized use of "Set my default search back to the system default"