Bug 82781 - describecomponents.cgi doesn't check viewing permissions
Product: Bugzilla
Classification: Server Software
Component: Bugzilla-General
Version: unspecified
Platform: x86 Linux
Importance: -- normal
Target Milestone: Bugzilla 2.14
Assigned To: Myk Melez [:myk] [@mykmelez]
QA Contact: default-qa
Depends on:
Blocks: 66091
Reported: 2001-05-25 13:58 PDT by Robert Kaiser
Modified: 2012-12-18 20:46 PST

Attachment 36717: patch to fix problem (2.45 KB, patch)
2001-05-31 15:10 PDT, Myk Melez [:myk] [@mykmelez]

Description Robert Kaiser 2001-05-25 13:58:05 PDT
I faced this one with my private installation of BugZilla 2.12 (see URL).

If you log in a user that isn't allowed to view all groups assigned to products,
the products he has no permissions for are excluded in enter_bug.cgi as well as
in query.cgi - but they still show up in describecomponents.cgi.

I can even view all entries there if I'm not logged in as any user...
Comment 1 Myk Melez [:myk] [@mykmelez] 2001-05-31 15:10:06 PDT
Created attachment 36717 [details] [diff] [review]
patch to fix problem
Comment 2 Myk Melez [:myk] [@mykmelez] 2001-05-31 15:13:12 PDT
One potential security hole with this patch is that if a product doesn't exist
the error message says the product name is invalid, but if a product exists and
the user is not authorized to access it then the error message says the user is
not authorized.  This could potentially allow someone to guess at product names
in order to find out which products exist in the database, even if they would
not be able to get any other information about that product.

I'm not sure whether this can be considered enough of a security hole that we
should print the same message in both situations.  It is similar to the
situation where a cracker enters a correct login name but incorrect password. 
Do we let them know the login name was correct?

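Added example, written for this page and not Bugzilla's own (Perl) code: a Python model of the two defects discussed in this report, the missing visibility check in describecomponents.cgi from the description and the distinguishable error messages Comment 2 raises against the patch. `Product`, `User`, the three handler variants, the sample catalog and `enumerate_products` (which plays the name-guessing attacker of Comment 2) are all hypothetical names chosen for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Product:
    name: str
    components: Tuple[str, ...]
    required_group: Optional[str]  # None: visible to everyone, logged in or not


@dataclass(frozen=True)
class User:
    login: Optional[str]                  # None models "not logged in"
    groups: FrozenSet[str] = frozenset()


class ProductError(Exception):
    """Error shown to the user; its text is the side channel Comment 2 worries about."""


def can_see(user: User, product: Product) -> bool:
    return product.required_group is None or product.required_group in user.groups


def visible_products(user: User, catalog: Dict[str, Product]) -> List[str]:
    """The filtering enter_bug.cgi and query.cgi already applied."""
    return sorted(p.name for p in catalog.values() if can_see(user, p))


def describe_components_unchecked(user: User, catalog: Dict[str, Product],
                                  name: str) -> Tuple[str, ...]:
    """Pre-patch behaviour from the description: no permission check at all."""
    if name not in catalog:
        raise ProductError("invalid product name")
    return catalog[name].components


def describe_components_leaky(user: User, catalog: Dict[str, Product],
                              name: str) -> Tuple[str, ...]:
    """Checks permissions, but with the two distinguishable messages Comment 2 describes."""
    if name not in catalog:
        raise ProductError("invalid product name")
    if not can_see(user, catalog[name]):
        raise ProductError("you are not authorized to access this product")
    return catalog[name].components


def describe_components(user: User, catalog: Dict[str, Product],
                        name: str) -> Tuple[str, ...]:
    """Hardened variant: a product the user may not see is reported exactly
    like one that does not exist."""
    product = catalog.get(name)
    if product is None or not can_see(user, product):
        raise ProductError("invalid product name")
    return product.components


Handler = Callable[[User, Dict[str, Product], str], Tuple[str, ...]]


def error_text(handler: Handler, user: User, catalog: Dict[str, Product],
               name: str) -> Optional[str]:
    """Message the user gets back, or None when the request succeeds."""
    try:
        handler(user, catalog, name)
    except ProductError as exc:
        return str(exc)
    return None


def enumerate_products(handler: Handler, user: User, catalog: Dict[str, Product],
                       guesses: List[str]) -> Set[str]:
    """What a name-guessing attacker learns: a guess is confirmed to exist whenever
    the response differs from the one for a name that certainly does not exist."""
    baseline = error_text(handler, user, catalog, "\x00no-such-product")
    return {g for g in guesses if error_text(handler, user, catalog, g) != baseline}


# Constructed sample data for the illustration, not taken from the bug report.
CATALOG = {
    "Bugzilla": Product("Bugzilla", ("Bugzilla-General", "Documentation"), None),
    "SecretProject": Product("SecretProject", ("Core",), "secretgroup"),
}
ANONYMOUS = User(None)
INSIDER = User("insider@example.org", frozenset({"secretgroup"}))
GUESSES = ["Bugzilla", "SecretProject", "Nonexistent"]

if __name__ == "__main__":
    for h in (describe_components_unchecked, describe_components_leaky, describe_components):
        print(h.__name__, "confirms:", sorted(enumerate_products(h, ANONYMOUS, CATALOG, GUESSES)))
```

Run as a script, the unchecked and the "leaky" handlers both confirm SecretProject to an anonymous user (one by returning its components, the other by answering "not authorized"), while the hardened handler confirms only Bugzilla, the product the anonymous user could already see in the product list. The price of the uniform message is a less helpful error for a legitimate user who mistypes a name, which is the same trade-off as the login/password case Comment 2 mentions.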
Comment 3 Myk Melez [:myk] [@mykmelez] 2001-05-31 16:01:07 PDT
Adding "review" keyword to get these on the radars of reviewers (if they aren't
Comment 4 Tara Hernandez 2001-06-04 11:34:43 PDT
We don't. We just say the password is invalid. I don't think that's something
to worry about overly much, but feel free to point out that I'm wrong if you
think of something else.

test on main landfill install looks good.

Comment 5 Dave Miller [:justdave] 2001-06-05 21:34:49 PDT
checked in.
Comment 6 Dave Miller [:justdave] 2001-09-02 23:42:08 PDT
Moving to Bugzilla product
