describecomponents.cgi doesn't check viewing permissions

RESOLVED FIXED in Bugzilla 2.14

Status

()

Bugzilla
Bugzilla-General
RESOLVED FIXED
16 years ago
5 years ago

People

(Reporter: Robert Kaiser, Assigned: myk)

Tracking

unspecified
Bugzilla 2.14
x86
Linux

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

16 years ago
I faced this one with my private installation of BugZilla 2.12 (see URL).

If you log in a user that isn't allowed to view all groups assinged to products,
the products he has no permissions for are excluded in enter_bug.cgi as well as
in query.cgi - but they still show up in describecomponents.cgi

I even can view all entries there if I'm not logged in as any user...
Blocks: 66091
Target Milestone: --- → Bugzilla 2.14
(Assignee)

Comment 1

16 years ago
Created attachment 36717 [details] [diff] [review]
patch to fix problem
(Assignee)

Comment 2

16 years ago
One potential security hole with this patch is that if a product doesn't exist
the error message says the product name is invalid, but if a product exists and
the user is not authorized to access it then the error message says the user is
not authorized.  This could potentially allow someone to guess at product names
in order to find out which products exist in the database, even if they would
not be able to get any other information about that product.

I'm not sure whether this can be considered enough of a security hole that we
should print the same message in both situations.  It is similar to the
situation where a cracker enters a correct login name but incorrect password. 
Do we let them know the login name was correct?

Assignee: tara → myk
Keywords: patch
(Assignee)

Updated

16 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 3

16 years ago
Adding "review" keyword to get these on the radars of reviewers (if they aren't
already).
Keywords: review

Comment 4

16 years ago
we don't.  we just say the password is invalid.  i don't think that's something
 to worry about overly much, but feel free to point out that i'm wrong if you
think of something else.

test on main landfill install looks good.

r=tara
checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: Bugzilla 2.12 → unspecified
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.