Closed
Bug 765630
Opened 12 years ago
Closed 12 years ago
CSRF on jsonrpc.cgi allows getting the source of attachments.
Categories
(Bugzilla :: WebService, defect)
RESOLVED
INVALID
People
(Reporter: netfuzzerr, Unassigned)
Attachments (1 file): 560 bytes, text/html
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1171.0 Safari/537.1

Steps to reproduce:

Hello,

While visiting "jsonrpc.cgi?method=Bug.attachments&params=[{%22attachment_ids%22:[592447]}]" with an admin account it is possible to get the source of security bugs' attachments.

PoC: https://bugzilla.mozilla.org/jsonrpc.cgi?method=Bug.attachments&params=[{%22attachment_ids%22:[592447]}]

Reproduce (to get source):
1. Log on to bugzilla.mozilla.org with an admin account.
2. Open poc.html.
3. See the attachment source.

Cheers,
Mario.
Comment 1•12 years ago (Reporter)

Updated•12 years ago (Reporter)
Attachment #633934 - Attachment mime type: text/plain → text/html
Updated•12 years ago
Assignee: general → webservice
Component: Bugzilla-General → WebService
Target Milestone: --- → Bugzilla 3.6
Version: unspecified → 4.2.1
Comment 2•12 years ago
This doesn't work for me, even though I definitely can access bug 722098 and attachment 592447.

{"error":{"message":"You are not authorized to access bug #722098. To see this bug, you must first log in to an account with the appropriate permissions.","code":102},"id":"https://bugzilla.mozilla.org/","result":null}
Comment 3•12 years ago
Per http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla/WebService/Server/JSONRPC.html#Connecting_via_GET: "For security reasons, when you connect over GET, cookie authentication is not accepted." Has this PoC really been tested? This bug looks invalid to me. Also, the PoC uses a callback, which doesn't exist in 3.6.
Target Milestone: Bugzilla 3.6 → ---
Doesn't work for me either, same error message as reed in comment 2.
Comment 5•12 years ago
OK, so marking this bug as invalid. handle_login() explicitly takes care of that:

    # If we're being called using GET, we don't allow cookie-based or Env
    # login, because GET requests can be done cross-domain, and we don't
    # want private data showing up on another site unless the user
    # explicitly gives that site their username and password.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
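As an added illustration, not Bugzilla's own code (its handle_login() is Perl), the Python below models the rule quoted in comment 5 and replays the report's GET URL against it: the request that rides on the victim's session cookie is refused with error 102 (the response reed pasted in comment 2), the same parameters sent over POST by the same user are served, and credentials passed explicitly in the request work even over GET, which is the "unless the user explicitly gives that site their username and password" case. The account names, cookie values, passwords, the Bugzilla_login/Bugzilla_password parameter names, the group check and the attachment body are constructed for this demo.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed demo accounts: name -> password and group memberships.
USERS = {
    "admin": {"password": "demo-password", "groups": {"bugzilla-security"}},
    "reporter": {"password": "demo-password-2", "groups": set()},
}
# Constructed session store: session cookie value -> user name.
SESSIONS = {"cookie-for-admin": "admin", "cookie-for-reporter": "reporter"}
# Constructed attachment store keyed by the id from the report; the body is a placeholder.
ATTACHMENTS = {
    592447: {"bug": 722098, "group": "bugzilla-security", "data": "<html>placeholder</html>"},
}
ERR_NOT_AUTHORIZED = 102  # error code that appears in the response quoted in comment 2


def parse_jsonrpc_get(url):
    """Split a jsonrpc.cgi GET URL into (method, params dict).

    The query string carries `params` as a JSON list of argument objects,
    which is how the PoC URL in the report encodes attachment_ids.
    """
    query = parse_qs(urlsplit(url).query)
    method = query["method"][0]
    params = json.loads(query["params"][0])
    return method, (params[0] if params else {})


def handle_login(method, cookies, params):
    """Return the authenticated user name, or None.

    Explicit credentials in the params are honoured for any HTTP method: the
    caller had to be handed them deliberately.  Ambient cookie authentication
    is honoured only for POST.  A GET can be issued cross-domain by any page
    (an img, script or link tag, or a plain hyperlink) and the browser attaches
    the victim's cookies to it automatically, so a cookie-authenticated GET
    would hand private data to whichever site embedded the URL.
    """
    login = params.get("Bugzilla_login")        # parameter names assumed for the demo
    password = params.get("Bugzilla_password")
    if login in USERS and USERS[login]["password"] == password:
        return login
    if method == "POST":
        return SESSIONS.get(cookies.get("session"))
    return None


def bug_attachments(method, cookies, params):
    """Stand-in for the Bug.attachments JSON-RPC method; returns a JSON-RPC style dict."""
    user = handle_login(method, cookies, params)
    groups = USERS[user]["groups"] if user else set()
    found = {}
    for att_id in params.get("attachment_ids", []):
        att = ATTACHMENTS.get(att_id)
        if att is None:
            continue
        if att["group"] not in groups:
            return {
                "error": {
                    "code": ERR_NOT_AUTHORIZED,
                    "message": "You are not authorized to access bug #%d. To see this bug, "
                               "you must first log in to an account with the appropriate "
                               "permissions." % att["bug"],
                },
                "result": None,
            }
        found[att_id] = att["data"]
    return {"error": None, "result": {"attachments": found}}


def replay_poc(url, victim_cookies):
    """Replay the report's PoC: a cross-domain GET that carries the victim's cookies."""
    method, params = parse_jsonrpc_get(url)
    assert method == "Bug.attachments"
    return bug_attachments("GET", victim_cookies, params)


if __name__ == "__main__":
    POC = ("https://bugzilla.mozilla.org/jsonrpc.cgi?method=Bug.attachments"
           "&params=[{%22attachment_ids%22:[592447]}]")
    admin_cookies = {"session": "cookie-for-admin"}
    print(json.dumps(replay_poc(POC, admin_cookies)))               # error 102: cookies ignored on GET
    _, params = parse_jsonrpc_get(POC)
    print(json.dumps(bug_attachments("POST", admin_cookies, params)))  # same user over POST: served
```

The point of the split is that the server cannot tell a cross-domain GET from a first-party one by the cookie alone, so it simply refuses to treat the cookie as a credential on that method; anything the caller types in deliberately is still accepted.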