In MySQL, login cookie checking is not case-sensitive, reducing total entropy and allowing easier brute force

RESOLVED FIXED in Bugzilla 4.0

Status: RESOLVED FIXED (defect)
Reported: 6 years ago
Modified: 6 years ago

People: Reporter: dkl, Assigned: dkl

Tracking
Version: 4.2.6
Target Milestone: Bugzilla 4.0
Bug Flags: approval+, approval4.4+, blocking4.4.1+, approval4.2+, blocking4.2.7+, approval4.0+, blocking4.0.11+


Attachments (2 attachments)

Similar to bug 906745, when we check the database for validity of a user's login cookie, MySQL does not do the check in a case-sensitive manner, which lowers the bar to brute-forcing someone's login cookie. We do store the IP address, which helps some, but it would be better if we pulled the cookie value from the DB and then did the comparison in Perl, like we did for the fix for bug 906745.

Feel free to remove the privacy bit if you feel this is not necessarily a security problem but more of an enhancement.

dkl
Attachment #793654 - Flags: review?(LpSolit)
Flags: blocking4.4.1+
Flags: blocking4.2.7+
Flags: blocking4.0.11+
Target Milestone: --- → Bugzilla 4.0
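The two lookup patterns the report contrasts, as an added example that is not Bugzilla's own code (the fix itself lives in Bugzilla/Auth/Login/Cookie.pm and is written in Perl). SQLite's `COLLATE NOCASE` stands in for MySQL's default case-insensitive collation, the `logincookies` table layout is a simplified stand-in, and the cookie value, user id and IP address are constructed sample data. The first check lets the database compare the cookie (the vulnerable pattern); the second fetches the stored value by user id and IP address and compares it in application code, which is the approach the report proposes. A small helper also quantifies the entropy lost to case folding, which generalises the title's claim to any alphabet and token length.

```python
import hmac
import math
import sqlite3
import string

# Constructed sample data (made up for this example, not real Bugzilla values).
STORED_COOKIE = "aB3dE9fG1hIjK2lMnO4pQr"
STORED_USERID = 42
STORED_IP = "198.51.100.7"
ALPHABET = string.ascii_letters + string.digits


def make_db(case_insensitive: bool) -> sqlite3.Connection:
    """Build an in-memory logincookies table (simplified stand-in schema).

    COLLATE NOCASE models MySQL's default case-insensitive collation; without it
    the column compares case-sensitively, like a binary collation would."""
    collate = " COLLATE NOCASE" if case_insensitive else ""
    db = sqlite3.connect(":memory:")
    db.execute(
        f"CREATE TABLE logincookies (cookie TEXT{collate}, userid INTEGER, ipaddr TEXT)"
    )
    db.execute(
        "INSERT INTO logincookies VALUES (?, ?, ?)",
        (STORED_COOKIE, STORED_USERID, STORED_IP),
    )
    return db


def check_in_db(db: sqlite3.Connection, cookie: str, userid: int, ipaddr: str) -> bool:
    """Vulnerable pattern: the database compares the cookie, so the column's
    collation decides whether 'abc' and 'ABC' are the same credential."""
    row = db.execute(
        "SELECT 1 FROM logincookies WHERE cookie = ? AND userid = ? AND ipaddr = ?",
        (cookie, userid, ipaddr),
    ).fetchone()
    return row is not None


def check_in_app(db: sqlite3.Connection, cookie: str, userid: int, ipaddr: str) -> bool:
    """Hardened pattern: look the row up by userid and ipaddr only, then compare
    the stored cookie to the presented one byte for byte in application code.
    hmac.compare_digest is exact (no case folding) and constant-time."""
    row = db.execute(
        "SELECT cookie FROM logincookies WHERE userid = ? AND ipaddr = ?",
        (userid, ipaddr),
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode("ascii"), cookie.encode("ascii"))


def token_bits(length: int, alphabet: str, case_folded: bool) -> float:
    """Entropy in bits of a uniformly random token of `length` characters drawn
    from `alphabet`; with case_folded=True, letters that differ only in case are
    counted once, which is all a case-insensitive comparison can distinguish."""
    distinct = {c.lower() for c in alphabet} if case_folded else set(alphabet)
    return length * math.log2(len(distinct))


if __name__ == "__main__":
    guess = STORED_COOKIE.swapcase()  # wrong case in every letter position
    mysql_like = make_db(case_insensitive=True)
    print("DB compare, case-insensitive collation, wrong-case guess:",
          check_in_db(mysql_like, guess, STORED_USERID, STORED_IP))
    print("App compare, same DB, wrong-case guess:",
          check_in_app(mysql_like, guess, STORED_USERID, STORED_IP))
    n = len(STORED_COOKIE)
    print(f"{n}-char [A-Za-z0-9] token: "
          f"{token_bits(n, ALPHABET, False):.1f} bits exact, "
          f"{token_bits(n, ALPHABET, True):.1f} bits under case folding")
```

Run with the case-insensitive table to see the wrong-case guess accepted by the SQL comparison and rejected by the application-side one. Per character, a mixed-case alphanumeric alphabet gives about 5.95 bits exactly but only about 5.17 bits once case is folded, since 62 symbols collapse to 36; the attacker's search space shrinks by that factor for every character of the cookie.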
Comment on attachment 793654 [details] [diff] [review]
patch for 4.4 and older

r=LpSolit
Attachment #793654 - Flags: review?(LpSolit) → review+
Flags: approval?
Flags: approval4.4?
Flags: approval4.2?
Flags: approval4.0?
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval+
This patch no longer applies cleanly on trunk due to bug 917669. The comment right above |if (...)| has changed.

dkl: could you update it, please, as you are responsible for the bitrot? ;)
Fixed bit-rot.

dkl
Attachment #793654 - Attachment is obsolete: true
Attachment #810769 - Flags: review+
Attachment #793654 - Attachment description: 907438_1.patch → patch for 4.4 and older
Attachment #793654 - Attachment is obsolete: false
Attachment #810769 - Attachment description: 907438_2.patch → patch for trunk
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/4.0
modified Bugzilla/Auth/Login/Cookie.pm
Committed revision 7758.

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/4.2
modified Bugzilla/Auth/Login/Cookie.pm
Committed revision 8230.

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/4.4
modified Bugzilla/Auth/Login/Cookie.pm
Committed revision 8622. 

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/trunk
modified Bugzilla/Auth/Login/Cookie.pm
Committed revision 8776.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Security advisory sent.
Group: bugzilla-security