Closed Bug 765630 Opened 12 years ago Closed 12 years ago

CSRF on jsonrpc.cgi allows getting the source of attachments.

Categories

(Bugzilla :: WebService, defect)

4.2.1
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: netfuzzerr, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1171.0 Safari/537.1

Steps to reproduce:

Hello,

While visiting "jsonrpc.cgi?method=Bug.attachments&params=[{%22attachment_ids%22:[592447]}]" with an admin account, it is possible to get the source of security bugs' attachments.

PoC: https://bugzilla.mozilla.org/jsonrpc.cgi?method=Bug.attachments&params=[{%22attachment_ids%22:[592447]}]

Reproduce (to get source):
1. Log on to bugzilla.mozilla.org with an admin account.
2. Open poc.html.
3. See the attachment source.

Cheers,
Mario.
Attached file PoC.html
Attachment #633934 - Attachment mime type: text/plain → text/html
Assignee: general → webservice
Component: Bugzilla-General → WebService
Target Milestone: --- → Bugzilla 3.6
Version: unspecified → 4.2.1
This doesn't work for me, even though I definitely can access bug 722098 and attachment 592447 [details].

{"error":{"message":"You are not authorized to access bug #722098. To see this bug, you must first log in to an account with the appropriate permissions.","code":102},"id":"https://bugzilla.mozilla.org/","result":null}
Per http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla/WebService/Server/JSONRPC.html#Connecting_via_GET:

"For security reasons, when you connect over GET, cookie authentication is not accepted."

Has this PoC really been tested? This bug looks invalid to me.

Also, the PoC uses a callback, which doesn't exist in 3.6.
Target Milestone: Bugzilla 3.6 → ---
Doesn't work for me either, same error message as reed in comment 2.
OK, so marking this bug as invalid. handle_login() explicitly takes care of that:

    # If we're being called using GET, we don't allow cookie-based or Env
    # login, because GET requests can be done cross-domain, and we don't
    # want private data showing up on another site unless the user
    # explicitly gives that site their username and password.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
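The protection the resolving comment describes, as an added example that is not Bugzilla's own code: a toy JSON-RPC endpoint whose login step honours the session cookie only on POST, so a GET issued cross-site (the pattern the PoC relies on) runs as an anonymous user and gets the error 102 quoted in comment 2. The data, cookie names, credentials and the `Bugzilla_login`/`Bugzilla_password` handling are constructed assumptions for the demo; only the attachment and bug ids, the query-string shape and the error code come from the page.

```python
"""Added example, not Bugzilla's code: why refusing cookie login on GET stops
the cross-site leak of attachment data."""
import json
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: one public and one security-group attachment
# (592447 / bug 722098 are the ids named in the report).
ATTACHMENTS = {
    1001: {"bug_id": 500, "data": "public patch", "private": False},
    592447: {"bug_id": 722098, "data": "secret patch", "private": True},
}
SESSIONS = {"cookie-abc": "admin@example.test"}   # constructed session cookie -> user
PASSWORDS = {"admin@example.test": "hunter2"}      # constructed explicit credentials
PRIVILEGED = {"admin@example.test"}                # users allowed to see private attachments
NOT_AUTHORIZED = 102                               # error code quoted in comment 2


@dataclass
class Request:
    http_method: str                                 # "GET" or "POST"
    rpc_method: str
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def handle_login(req: Request) -> Optional[str]:
    """Return the logged-in user, or None for an anonymous request.

    Credentials passed explicitly in params are accepted on any method.
    Cookie login is honoured only on POST: a GET may have been triggered
    by another origin, so the session cookie must not vouch for it.
    """
    login = req.params.get("Bugzilla_login")
    if login and PASSWORDS.get(login) == req.params.get("Bugzilla_password"):
        return login
    if req.http_method == "POST":
        return SESSIONS.get(req.cookies.get("Bugzilla_logincookie"))
    return None


def bug_attachments(req: Request) -> dict:
    """Toy Bug.attachments: private attachments need a privileged user."""
    user = handle_login(req)
    found = []
    for att_id in req.params.get("attachment_ids", []):
        att = ATTACHMENTS.get(att_id)
        if att is None:
            continue
        if att["private"] and user not in PRIVILEGED:
            return {"error": {"code": NOT_AUTHORIZED,
                              "message": f"You are not authorized to access bug #{att['bug_id']}."},
                    "result": None}
        found.append({"id": att_id, "data": att["data"]})
    return {"error": None, "result": {"attachments": found}}


HANDLERS = {"Bug.attachments": bug_attachments}


def parse_get(url: str, cookies: Optional[dict] = None) -> Request:
    """Turn a jsonrpc.cgi?method=...&params=[{...}] URL into a Request."""
    qs = parse_qs(urlsplit(url).query)
    params = json.loads(qs.get("params", ["[{}]"])[0])[0]
    return Request("GET", qs["method"][0], params, cookies or {})


def rpc_get(url: str, cookies: Optional[dict] = None) -> dict:
    """Serve a GET request; the browser attaches cookies automatically."""
    req = parse_get(url, cookies)
    return HANDLERS[req.rpc_method](req)


def rpc_post(rpc_method: str, params: dict, cookies: Optional[dict] = None) -> dict:
    """Serve a POST request built by the site's own JavaScript (same origin)."""
    return HANDLERS[rpc_method](Request("POST", rpc_method, params, cookies or {}))


if __name__ == "__main__":
    poc = "jsonrpc.cgi?method=Bug.attachments&params=[{%22attachment_ids%22:[592447]}]"
    victim_cookies = {"Bugzilla_logincookie": "cookie-abc"}
    print(rpc_get(poc, victim_cookies))                        # error 102: cookie ignored on GET
    print(rpc_post("Bug.attachments", {"attachment_ids": [592447]}, victim_cookies))
```

Run it and the first line shows the cross-site GET failing with code 102 even though the victim's session cookie was sent, while the same-origin POST with the same cookie returns the attachment; a GET carrying explicit `Bugzilla_login`/`Bugzilla_password` params (the case the quoted handle_login() comment allows) also succeeds, which is why the page's docs say to use POST or explicit credentials rather than relying on the session.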