Bug 802204 - (CVE-2012-4197) [SECURITY] Marking an attachment you cannot see as obsolete can disclose its description
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Attachments & Requests
Version: 2.16
Platform: All All
Importance: -- normal
Target Milestone: Bugzilla 3.6
Assigned To: Frédéric Buclin
QA Contact: default-qa
Depends on: 98602
Blocks: 805640
Reported: 2012-10-16 09:33 PDT by Frédéric Buclin
Modified: 2012-11-14 04:30 PST
Flags:
LpSolit: approval+
LpSolit: approval4.4+
LpSolit: blocking4.4+
LpSolit: approval4.2+
LpSolit: blocking4.2.4+
LpSolit: approval4.0+
LpSolit: blocking4.0.9+
LpSolit: approval3.6+
LpSolit: blocking3.6.12+


Attachments
patch for 4.2 and older, v1 (1.33 KB, patch)
2012-10-16 09:51 PDT, Frédéric Buclin
gerv: review+
patch for 4.4 and trunk, v1 (630 bytes, patch)
2012-11-12 09:58 PST, Frédéric Buclin
LpSolit: review+

Description Frédéric Buclin 2012-10-16 09:33:08 PDT
If an attachment is in a bug you cannot see but for some reason you know its ID (e.g. because bugbot reports the attachment ID on IRC when someone requests/grants/denies review), it's trivial to get its description even though you cannot access either the attachment or the bug:

Imagine you can access the public bug 3 and attachment 1 is in the private bug 4. All you have to do is type this URL in your web browser (with a valid token, which you can extract from the HTML form):

 attachment.cgi?action=insert&bugid=3&obsolete=1&token=XXXXXXX

Bugzilla will detect the mismatch and throw:

"Attachment 1 (patch to fix the vulnerability in Foo.cpp when doing action X) is attached to bug 4, but you tried to flag it as obsolete while creating a new attachment to bug 3."

The error message discloses the description of the attachment, even though you cannot access it!

This vulnerability exists since Bugzilla 2.16, see bug 98602!
Comment 1 Frédéric Buclin 2012-10-16 09:36:12 PDT
Note that if the attachment is private, the description is not disclosed. If you don't have editbugs privs, the description is also not disclosed. But it's pretty common to have editbugs privs (e.g. on bmo), and attachments in private bugs are usually not marked private themselves, so this is exploitable.
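A small model of the flow described in the report and in comment 1, added here as an example (it is not Bugzilla's code and not the committed patch): the pre-fix handler echoes the description of an attachment that lives in a bug the requester cannot see, the fixed handler reports only values the requester supplied, and an oracle function checks which descriptions leak into the error text. The bugs, users, attachments and all function names are constructed assumptions.

```python
from collections import namedtuple

# Constructed model of the flow behind bug 802204; names and data are assumptions.
Attachment = namedtuple("Attachment", "bug_id description isprivate", defaults=[False])
User = namedtuple("User", "visible_bugs editbugs", defaults=[True])

class AccessDenied(Exception): pass
class ObsoleteMismatch(Exception): pass

# Bug 3 is public; bug 4 is private and holds attachments 1 (public) and 2 (private).
ATTACHMENTS = {
    1: Attachment(4, "patch to fix the vulnerability in Foo.cpp when doing action X"),
    2: Attachment(4, "notes only bug 4 members may read", isprivate=True),
}
ATTACKER = User(frozenset({3}))        # has editbugs but cannot see bug 4

def can_see_bug(user, bug_id):
    return bug_id in user.visible_bugs

def insert_vulnerable(user, bug_id, obsolete_ids):
    """Pre-fix: loads any attachment by id and echoes its description (unless private)."""
    if not can_see_bug(user, bug_id):
        raise AccessDenied(f"bug {bug_id}")
    for att_id in (obsolete_ids if user.editbugs else []):   # comment 1: needs editbugs
        att = ATTACHMENTS[att_id]
        if att.bug_id != bug_id:
            desc = "" if att.isprivate else f" ({att.description})"
            raise ObsoleteMismatch(
                f"Attachment {att_id}{desc} is attached to bug {att.bug_id}, but you tried "
                f"to flag it as obsolete while creating a new attachment to bug {bug_id}.")
    return "ok"

def insert_fixed(user, bug_id, obsolete_ids):
    """Fixed: reject foreign ids before using the object; the wording here is assumed."""
    if not can_see_bug(user, bug_id):
        raise AccessDenied(f"bug {bug_id}")
    for att_id in (obsolete_ids if user.editbugs else []):
        att = ATTACHMENTS.get(att_id)
        if att is None or att.bug_id != bug_id:
            raise ObsoleteMismatch(f"Attachment {att_id} is not attached to bug {bug_id}.")
    return "ok"

def leaked_descriptions(handler, user, bug_id, obsolete_ids):
    """Oracle: descriptions from bugs the user cannot see that appear in the error text."""
    try:
        handler(user, bug_id, obsolete_ids)
    except (AccessDenied, ObsoleteMismatch) as err:
        return [a.description for a in ATTACHMENTS.values()
                if not can_see_bug(user, a.bug_id) and a.description in str(err)]
    return []
```

Running `leaked_descriptions(insert_vulnerable, ATTACKER, 3, [1])` returns the description of attachment 1, while the same call against `insert_fixed` returns an empty list; the private attachment 2 and a user without editbugs leak nothing in either version, matching comment 1.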
Comment 2 Frédéric Buclin 2012-10-16 09:51:42 PDT
Created attachment 671907
patch for 4.2 and older, v1

This patch applies cleanly to all supported branches.
Comment 3 Gervase Markham [:gerv] 2012-10-17 02:19:56 PDT
Comment on attachment 671907
patch for 4.2 and older, v1

r=gerv. However, I continue to maintain that we should be doing security checks inside objects, and objects should never provide information that the requesting user is not permitted to see. Our internal APIs should be security-safe by default.

Gerv
Comment 4 Frédéric Buclin 2012-11-12 09:58:31 PST
Created attachment 680680
patch for 4.4 and trunk, v1

Unbitrotted patch for 4.4 and trunk due to the checkin of bug 676844. The change in the error message has already been committed as part of bug 676844.
Comment 5 Frédéric Buclin 2012-11-13 09:25:56 PST
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Attachment.pm
Committed revision 8467.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified Bugzilla/Attachment.pm
Committed revision 8452.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified Bugzilla/Attachment.pm
modified template/en/default/global/code-error.html.tmpl
Committed revision 8166.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified Bugzilla/Attachment.pm
modified template/en/default/global/code-error.html.tmpl
Committed revision 7732.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Attachment.pm
modified template/en/default/global/code-error.html.tmpl
Committed revision 7306.
Comment 6 Frédéric Buclin 2012-11-14 04:30:13 PST
Security advisory sent. Removing the security flag.