Bug 802204 (CVE-2012-4197) - [SECURITY] Marking an attachment you cannot see as obsolete can disclose its description
Status: Closed, RESOLVED FIXED, Bugzilla 3.6 (opened 12 years ago, closed 12 years ago)
Categories: Bugzilla :: Attachments & Requests, defect
People: Reporter: LpSolit, Assigned: LpSolit
Attachments (2 files, both since deleted): patch (gerv: review+); patch (LpSolit: review+)
If an attachment is in a bug you cannot see but for some reason you know its ID (e.g. because bugbot reports the attachment ID on IRC when someone requests/grants/denies review), it's trivial to get its description even though you cannot access the attachment or the bug:
Imagine you can access the public bug 3 and attachment 1 is in the private bug 4. All you have to do is type this URL in your web browser (with a valid token, but you can extract it from the HTML form):
attachment.cgi?action=insert&bugid=3&obsolete=1&token=XXXXXXX
Bugzilla will detect the mismatch and throw:
"Attachment 1 (patch to fix the vulnerability in Foo.cpp when doing action X) is attached to bug 4, but you tried to flag it as obsolete while creating a new attachment to bug 3."
The error message disclosed the description of the attachment, even though you cannot access it!
This vulnerability has existed since Bugzilla 2.16, see bug 98602!
Flags: blocking4.4+
Flags: blocking4.2.4+
Flags: blocking4.0.9+
Flags: blocking3.6.12+
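The error path described in the report, next to the authorisation-first shape that closes it, as an added Python illustration (not Bugzilla's Perl code; the bug, attachment and user data are constructed to mirror the report's bug 3 / bug 4 scenario):

```python
from dataclasses import dataclass

# Constructed fixture mirroring the report: public bug 3, private bug 4
# (visible only to "alice"), and attachment 1 living in the private bug.
@dataclass
class Attachment:
    id: int
    bug_id: int
    description: str

BUG_VISIBLE_TO = {3: {"alice", "bob"}, 4: {"alice"}}
ATTACHMENTS = {1: Attachment(1, 4, "patch to fix the vulnerability in Foo.cpp")}

class AttachmentError(Exception):
    pass

def mismatch_message(att, target_bug_id):
    return (f"Attachment {att.id} ({att.description}) is attached to bug "
            f"{att.bug_id}, but you tried to flag it as obsolete while "
            f"creating a new attachment to bug {target_bug_id}.")

def validate_obsolete_leaky(user, target_bug_id, obsolete_id):
    """Vulnerable shape: the bug-id mismatch is reported, description
    included, before anyone asks whether `user` may see that bug."""
    att = ATTACHMENTS.get(obsolete_id)
    if att is None:
        raise AttachmentError("invalid attachment id")
    if att.bug_id != target_bug_id:
        raise AttachmentError(mismatch_message(att, target_bug_id))
    return att

def validate_obsolete_fixed(user, target_bug_id, obsolete_id):
    """Hardened shape: authorise first. An attachment in a bug the user
    cannot see gets the same generic error as a non-existent one, so the
    error text carries nothing the user could not already read."""
    att = ATTACHMENTS.get(obsolete_id)
    if att is None or user not in BUG_VISIBLE_TO[att.bug_id]:
        raise AttachmentError("invalid attachment id")
    if att.bug_id != target_bug_id:
        raise AttachmentError(mismatch_message(att, target_bug_id))
    return att

def error_text(check, user, target_bug_id, obsolete_id):
    """Run one validator and return the error message it produces, if any."""
    try:
        check(user, target_bug_id, obsolete_id)
    except AttachmentError as exc:
        return str(exc)
    return None
```

With "bob" (who cannot see bug 4) the leaky validator's message contains the description while the fixed one returns only the generic error; "alice" still gets the full mismatch message because she is allowed to see bug 4.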
Comment 1 • 12 years ago (Assignee)
Note that if the attachment is private, the description is not disclosed. If you don't have editbugs privs, the description is also not disclosed. But it's pretty common to have editbugs privs (e.g. on bmo), and attachments in private bugs are usually not marked private themselves, so this is exploitable.
Comment 2 • 12 years ago (Assignee)
This patch applies cleanly to all supported branches.
Attachment #671907 - Flags: review?(gerv)
Comment 3 • 12 years ago
Comment on attachment 671907 (patch for 4.2 and older, v1)
r=gerv. However, I continue to maintain that we should be doing security checks inside objects, and objects should never provide information that the requesting user is not permitted to see. Our internal APIs should be security-safe by default.
Gerv
Attachment #671907 - Flags: review?(gerv) → review+
Updated • 12 years ago (Assignee)
Flags: approval?
Flags: approval4.4?
Flags: approval4.2?
Flags: approval4.0?
Flags: approval3.6?
Updated • 12 years ago
Alias: CVE-2012-4197
Comment 4 • 12 years ago (Assignee)
Unbitrotted patch for 4.4 and trunk due to the checkin of bug 676844. The change in the error message has already been committed as part of bug 676844.
Attachment #680680 - Flags: review+
Updated • 12 years ago (Assignee)
Attachment #671907 - Attachment description: patch, v1 → patch for 4.2 and older, v1
Updated • 12 years ago (Assignee)
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval+
Comment 5 • 12 years ago (Assignee)
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Attachment.pm
Committed revision 8467.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified Bugzilla/Attachment.pm
Committed revision 8452.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified Bugzilla/Attachment.pm
modified template/en/default/global/code-error.html.tmpl
Committed revision 8166.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified Bugzilla/Attachment.pm
modified template/en/default/global/code-error.html.tmpl
Committed revision 7732.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Attachment.pm
modified template/en/default/global/code-error.html.tmpl
Committed revision 7306.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 6 • 12 years ago (Assignee)
Security advisory sent. Removing the security flag.
Group: bugzilla-security