Closed Bug 802204 (CVE-2012-4197) Opened 12 years ago Closed 12 years ago

[SECURITY] Marking an attachment you cannot see as obsolete can disclose its description

Categories

(Bugzilla :: Attachments & Requests, defect)

2.16
defect
Not set
normal

Tracking


RESOLVED FIXED
Bugzilla 3.6

People

(Reporter: LpSolit, Assigned: LpSolit)

References

Details

Attachments

(2 files)

If an attachment is in a bug you cannot see but for some reason you know its ID (e.g. because bugbot reports the attachment ID on IRC when someone requests/grants/denies review), it's trivial to get its description even though you cannot access the attachment or the bug:

Imagine you can access the public bug 3 and the attachment 1 is in the private bug 4. All you have to do is to type this URL in your web browser (with a valid token, but you can extract it from the HTML form):

 attachment.cgi?action=insert&bugid=3&obsolete=1&token=XXXXXXX

Bugzilla will detect the mismatch and throw:

"Attachment 1 (patch to fix the vulnerability in Foo.cpp when doing action X) is attached to bug 4, but you tried to flag it as obsolete while creating a new attachment to bug 3."

The error message disclosed the description of the attachment, even though you cannot access it!

This vulnerability exists since Bugzilla 2.16, see bug 98602!
Flags: blocking4.4+
Flags: blocking4.2.4+
Flags: blocking4.0.9+
Flags: blocking3.6.12+
Note that if the attachment is private, the description is not disclosed. If you don't have editbugs privs, the description is also not disclosed. But it's pretty common to have editbugs privs (e.g. on bmo), and attachments in private bugs are usually not marked private themselves, so this is exploitable.
This patch applies cleanly to all supported branches.
Attachment #671907 - Flags: review?(gerv)
Comment on attachment 671907
patch for 4.2 and older, v1

r=gerv. However, I continue to maintain that we should be doing security checks inside objects, and objects should never provide information that the requesting user is not permitted to see. Our internal APIs should be security-safe by default.

Gerv
Attachment #671907 - Flags: review?(gerv) → review+
Flags: approval?
Flags: approval4.4?
Flags: approval4.2?
Flags: approval4.0?
Flags: approval3.6?
Blocks: 805640
Alias: CVE-2012-4197
Unbitrotten patch for 4.4 and trunk due to the checkin of bug 676844. The change in the error message has already been committed as part of bug 676844.
Attachment #680680 - Flags: review+
Attachment #671907 - Attachment description: patch, v1 → patch for 4.2 and older, v1
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Attachment.pm
Committed revision 8467.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified Bugzilla/Attachment.pm
Committed revision 8452.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified Bugzilla/Attachment.pm
modified template/en/default/global/code-error.html.tmpl
Committed revision 8166.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified Bugzilla/Attachment.pm
modified template/en/default/global/code-error.html.tmpl
Committed revision 7732.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Attachment.pm
modified template/en/default/global/code-error.html.tmpl
Committed revision 7306.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Security advisory sent. Removing the security flag.
Group: bugzilla-security
