Closed Bug 1252578 Opened 8 years ago Closed 8 years ago

CSRF and SELECT-only SQL execution attack against query_database.html

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Production
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: dylan, Assigned: dylan)

Details

(Keywords: sec-moderate, wsec-sqli)

Attachments

(1 file, 1 obsolete file)

Note this is not confirmed yet, but I'm filing it for tracking purposes.
A very, very select group would have to be targeted by this.

https://bugzilla.mozilla.org/page.cgi?id=query_database.html&query=select%20*%20from%20profiles%20limit%2010

Luckily this is also not XSS (the values are always HTML-escaped), but you could manipulate the database in arbitrary ways.
Whew. Okay, database modifications wouldn't work from this because it connects to the shadow DB.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: CSRF and SQL execution attack against query_database.html → CSRF and SELECT-only SQL execution attack against query_database.html
Attached patch 1252578_1.patch (obsolete) — Splinter Review
Attachment #8725388 - Flags: review?(dkl)
Attached patch 1252578_1.patch (Splinter Review)
Attachment #8725388 - Attachment is obsolete: true
Attachment #8725390 - Flags: review?(dkl)
Comment on attachment 8725390 [details] [diff] [review]
1252578_1.patch

Review of attachment 8725390 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

::: extensions/BMO/Extension.pm
@@ +2134,5 @@
>      $vars->{query} = $query;
>  
>      if ($query) {
> +        check_hash_token($input->{token}, ['query_database']);
> +        delete_token($input->{token});
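Review bot: the `delete_token($input->{token})` call on the hunk's last line is redundant for a hash token; check_hash_token verifies a digest recomputed from the action name and the site-wide secret, so there is no tokens-table row to delete and the call is at best a wasted query. Drop that line and keep only `check_hash_token($input->{token}, ['query_database']);`. Separately, the check is only as good as the form that feeds it: the template that submits `query` must now emit a matching token field, so confirm that side of the change is in the same patch, since a bare GET like the URL in comment 0 is exactly what this is meant to reject.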

Ugh. I realize now that we do not need delete_token() here or in the other patches we pushed out recently. issue_hash_token() does not actually store an entry in the tokens table, it just hashes the 'action' word and site-wide-secret and then does the same again when checking so the DB is not used. Please remove this line and everything is fine. I will file bugs for the other places we/I accidentally added delete_token.
Attachment #8725390 - Flags: review?(dkl) → review+
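The stateless token scheme dkl describes above (a hash over the action word and a site-wide secret, recomputed at check time, nothing written to the tokens table) is easy to get wrong in both directions: deleting a "stored" token is a no-op, while a token with no age limit is replayable forever. The block below is an added example, not Bugzilla's code, written in Python rather than the extension's Perl so it can be run directly. The secret, the user ids, the 3-day lifetime and the `handle_query_database` stand-in for the patched handler are all constructed for illustration, and binding the user id into the digest is this example's own choice, not something the comment above states about Bugzilla. It shows a bare GET like the link in comment 0 being refused, a form-issued token passing, and the same token passing on a second check, which is why no delete_token call is needed.

```python
"""Stateless CSRF "hash token": issue = HMAC over (time, user, action) under a
site-wide secret; check = recompute and compare. No server-side storage.

Added example, not Bugzilla's code. Secret, user ids and handler are constructed.
"""
import hashlib
import hmac
import time

# Constructed secret for the example; a real deployment reads this from config.
SITE_WIDE_SECRET = b"constructed-site-wide-secret-not-for-reuse"

# Assumed token lifetime for this example (3 days).
MAX_TOKEN_AGE_SECONDS = 3 * 86400


def issue_hash_token(action, user_id, issued_at=None, secret=SITE_WIDE_SECRET):
    """Return "<issued_at>-<hexdigest>".

    The issue time is prepended in the clear so the checker can both bound the
    token's age and recompute the exact digest without storing anything.
    """
    if issued_at is None:
        issued_at = int(time.time())
    msg = f"{issued_at}*{user_id}*{action}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}-{digest}"


def check_hash_token(token, action, user_id, now=None, secret=SITE_WIDE_SECRET):
    """True only if token was issued for this action and user and is not stale.

    Checking is a pure recomputation: it can be repeated any number of times
    with the same result, so there is nothing to delete after a successful check.
    """
    if not token:
        return False
    if now is None:
        now = int(time.time())
    issued_str, sep, _ = token.partition("-")
    if not sep or not issued_str.isdigit():
        return False
    issued_at = int(issued_str)
    # Reject tokens from the future as well as expired ones.
    if issued_at > now or now - issued_at > MAX_TOKEN_AGE_SECONDS:
        return False
    expected = issue_hash_token(action, user_id, issued_at, secret)
    # Constant-time comparison so a forged token leaks no timing signal.
    return hmac.compare_digest(expected, token)


def handle_query_database(params, user_id, now=None):
    """Constructed stand-in for the patched handler: a query only runs when the
    request carries a token valid for the 'query_database' action."""
    query = params.get("query")
    if not query:
        return "no query"
    if not check_hash_token(params.get("token"), "query_database", user_id, now):
        return "rejected: token check failed"
    return f"would run on shadow db: {query}"


if __name__ == "__main__":
    # A cross-site GET like the link in comment 0 carries no token.
    print(handle_query_database({"query": "select * from profiles limit 10"}, 42))
    # A token the page's own form would embed for user 42.
    tok = issue_hash_token("query_database", 42)
    print(handle_query_database({"query": "select 1", "token": tok}, 42))
    # Same token, checked a second time: still valid, no delete needed.
    print(check_hash_token(tok, "query_database", 42))
    # Same token presented by a different user, or for a different action: refused.
    print(check_hash_token(tok, "query_database", 7), check_hash_token(tok, "edit_bug", 42))
```

The token carries its issue time unencrypted because the checker needs it to recompute the digest; tampering with it changes the digest input, so it is still covered by the HMAC.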
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   844c623..3c360d8  master -> master
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Pushed
Group: bugzilla-security
(In reply to Dylan William Hardison [:dylan] from comment #2)
> Whew. Okay, database modifications wouldn't work from this because it
> connects to the shadow DB.

Yes, I was about to report this issue when I realized that production used a shadow database, which wouldn't allow modifications. In my test environment, on the other hand, this bug was rather nasty.
Component: Extensions: BMO → Extensions