Last Comment Bug 907438 - In MySQL, login cookie checking is not case-sensitive, reducing total entropy and allowing easier brute force
: In MySQL, login cookie checking is not case-sensitive, reducing total entropy...
Status: RESOLVED FIXED
:
Product: Bugzilla
Classification: Server Software
Component: Bugzilla-General (show other bugs)
: 4.2.6
: All All
: -- normal (vote)
: Bugzilla 4.0
Assigned To: David Lawrence [:dkl]
: default-qa
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-20 15:20 PDT by David Lawrence [:dkl]
Modified: 2013-10-17 07:58 PDT (History)
5 users (show)
mail: approval+
mail: approval4.4+
LpSolit: blocking4.4.1+
mail: approval4.2+
LpSolit: blocking4.2.7+
mail: approval4.0+
LpSolit: blocking4.0.11+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
patch for 4.4 and older (993 bytes, patch)
2013-08-21 13:13 PDT, David Lawrence [:dkl]
LpSolit: review+
Details | Diff | Splinter Review
patch for trunk (1.01 KB, patch)
2013-09-26 14:14 PDT, David Lawrence [:dkl]
dkl: review+
Details | Diff | Splinter Review

Description David Lawrence [:dkl] 2013-08-20 15:20:06 PDT
Similar to bug 906745, when we check the database for validity of a users login cookie, MySQL does not do the check in a case-sensitive manner which lowers the bar to brute forcing someone's login cookie. We do store the IP address which helps some but it would be better if we pulled the cookie value from the db and then did the comparison in Perl like we did for the fix for bug 906745.

Feel free to remove the privacy bit if you feel this is not necessarily a security problem but more of an enhancement.

dkl
Comment 1 David Lawrence [:dkl] 2013-08-21 13:13:29 PDT
Created attachment 793654 [details] [diff] [review]
patch for 4.4 and older
Comment 2 Frédéric Buclin 2013-08-31 07:11:56 PDT
Comment on attachment 793654 [details] [diff] [review]
patch for 4.4 and older

r=LpSolit
Comment 3 Frédéric Buclin 2013-09-26 11:42:18 PDT
This patch now longer applies cleanly on trunk due to bug 917669. The comment right above |if (...)| has changed.

dkl: could you update it, please, as you are responsible for the bitrot? ;)
Comment 4 David Lawrence [:dkl] 2013-09-26 14:14:09 PDT
Created attachment 810769 [details] [diff] [review]
patch for trunk

Fixed bit-rot.

dkl
Comment 5 David Lawrence [:dkl] 2013-10-16 09:17:48 PDT
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/4.0
modified Bugzilla/Auth/Login/Cookie.pm
Committed revision 7758.

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/4.2
modified Bugzilla/Auth/Login/Cookie.pm
Committed revision 8230.

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/4.4
modified Bugzilla/Auth/Login/Cookie.pm
Committed revision 8622. 

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/trunk
modified Bugzilla/Auth/Login/Cookie.pm
Committed revision 8776.
Comment 6 Frédéric Buclin 2013-10-17 07:58:54 PDT
Security advisory sent.

Note You need to log in before you can comment on or make changes to this bug.