
In MySQL, login cookie checking is not case-sensitive, reducing total entropy and allowing easier brute force

RESOLVED FIXED in Bugzilla 4.0

Status


Bugzilla
Bugzilla-General
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: dkl, Assigned: dkl)

Tracking

4.2.6
Bugzilla 4.0
Bug Flags:
approval +
approval4.4 +
blocking4.4.1 +
approval4.2 +
blocking4.2.7 +
approval4.0 +
blocking4.0.11 +

Details

Attachments

(2 attachments)

(Assignee)

Description

4 years ago
Similar to bug 906745, when we check the database for validity of a user's login cookie, MySQL does not do the check in a case-sensitive manner, which lowers the bar to brute forcing someone's login cookie. We do store the IP address, which helps some, but it would be better if we pulled the cookie value from the db and then did the comparison in Perl like we did for the fix for bug 906745.

Feel free to remove the privacy bit if you feel this is not necessarily a security problem but more of an enhancement.

dkl
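Added illustration of the two checks described above; this is not the patch attached to this bug or any Bugzilla code. It uses an in-memory SQLite table modelled on Bugzilla's logincookies table, with COLLATE NOCASE on the cookie column standing in for MySQL's case-insensitive default collation, a constructed cookie value, and a constant-time equality loop that goes a step beyond the plain Perl comparison the description asks for.

```perl
use strict;
use warnings;
use DBI;

# Constructed demo table. COLLATE NOCASE on the cookie column stands in for
# MySQL's case-insensitive default collation (assumes SQLite via DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "", { RaiseError => 1 });
$dbh->do("CREATE TABLE logincookies (cookie TEXT COLLATE NOCASE, userid INTEGER, ipaddr TEXT)");
$dbh->do("INSERT INTO logincookies VALUES (?, ?, ?)", undef, "aBcD1234", 42, "192.0.2.10");

# Before: the database does the comparison. Under a case-insensitive collation
# every mixed-case cookie collapses onto its lowercase form, so a 62-symbol
# alphabet per character behaves like a 36-symbol one for a guessing attacker.
sub cookie_valid_dbside {
    my ($dbh, $cookie, $userid, $ip) = @_;
    my ($n) = $dbh->selectrow_array(
        "SELECT COUNT(*) FROM logincookies WHERE cookie = ? AND userid = ? AND ipaddr = ?",
        undef, $cookie, $userid, $ip);
    return $n ? 1 : 0;
}

# After: select the stored cookie(s) for this user and IP, then compare in Perl.
# A Perl string comparison is byte-for-byte, so case survives; the XOR loop
# additionally keeps the comparison time independent of where a mismatch occurs.
sub cookie_valid_perlside {
    my ($dbh, $cookie, $userid, $ip) = @_;
    my $stored = $dbh->selectcol_arrayref(
        "SELECT cookie FROM logincookies WHERE userid = ? AND ipaddr = ?",
        undef, $userid, $ip);
    for my $s (@$stored) {
        return 1 if _const_eq($s, $cookie);
    }
    return 0;
}

sub _const_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# The second guess differs from the stored cookie only in case: the db-side
# check accepts it, the Perl-side check rejects it.
for my $guess ("aBcD1234", "abcd1234") {
    printf "%-8s  db-side: %d  perl-side: %d\n", $guess,
        cookie_valid_dbside($dbh, $guess, 42, "192.0.2.10"),
        cookie_valid_perlside($dbh, $guess, 42, "192.0.2.10");
}
```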
(Assignee)

Comment 1

4 years ago
Created attachment 793654 [details] [diff] [review]
patch for 4.4 and older
Attachment #793654 - Flags: review?(LpSolit)

Updated

4 years ago
Flags: blocking4.4.1+
Flags: blocking4.2.7+
Flags: blocking4.0.11+
Target Milestone: --- → Bugzilla 4.0

Comment 2

4 years ago
Comment on attachment 793654 [details] [diff] [review]
patch for 4.4 and older

r=LpSolit
Attachment #793654 - Flags: review?(LpSolit) → review+

Updated

4 years ago
Flags: approval?
Flags: approval4.4?
Flags: approval4.2?
Flags: approval4.0?

Updated

4 years ago
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval+

Comment 3

4 years ago
This patch no longer applies cleanly on trunk due to bug 917669. The comment right above |if (...)| has changed.

dkl: could you update it, please, as you are responsible for the bitrot? ;)
(Assignee)

Comment 4

4 years ago
Created attachment 810769 [details] [diff] [review]
patch for trunk

Fixed bit-rot.

dkl
Attachment #793654 - Attachment is obsolete: true
Attachment #810769 - Flags: review+

Updated

4 years ago
Attachment #793654 - Attachment description: 907438_1.patch → patch for 4.4 and older
Attachment #793654 - Attachment is obsolete: false

Updated

4 years ago
Attachment #810769 - Attachment description: 907438_2.patch → patch for trunk
(Assignee)

Comment 5

4 years ago
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/4.0
modified Bugzilla/Auth/Login/Cookie.pm
Committed revision 7758.

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/4.2
modified Bugzilla/Auth/Login/Cookie.pm
Committed revision 8230.

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/4.4
modified Bugzilla/Auth/Login/Cookie.pm
Committed revision 8622. 

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/trunk
modified Bugzilla/Auth/Login/Cookie.pm
Committed revision 8776.
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED

Comment 6

4 years ago
Security advisory sent.
Group: bugzilla-security