Bug 1252578: CSRF and SELECT-only SQL execution attack against query_database.html
Opened 8 years ago, closed 8 years ago
Categories: bugzilla.mozilla.org :: Extensions, defect
Status: RESOLVED FIXED
People: Reporter: dylan, Assigned: dylan
Keywords: sec-moderate, wsec-sqli
Attachments (1 file, 1 obsolete file): 1252578_1.patch, 1.19 KB, patch, dkl: review+
Description
Note this is not confirmed yet, but I'm filing for tracking purposes.
Comment 1•8 years ago (Assignee)
A very, very select group would have to be targeted by this:
https://bugzilla.mozilla.org/page.cgi?id=query_database.html&query=select%20*%20from%20profiles%20limit%2010
Luckily this is also not XSS (the values are always HTML escaped), but you could manipulate the database in arbitrary ways.
Comment 2•8 years ago (Assignee)
Whew. Okay, database modifications wouldn't work from this because it connects to the shadow DB.
Updated•8 years ago (Assignee)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•8 years ago (Assignee)
Summary: CSRF and SQL execution attack against query_database.html → CSRF and SELECT-only SQL execution attack against query_database.html
Comment 3•8 years ago (Assignee)
Attachment #8725388 - Flags: review?(dkl)
Updated•8 years ago (Assignee)
Attachment #8725388 - Flags: review?(dkl)
Comment 4•8 years ago (Assignee)
Attachment #8725388 - Attachment is obsolete: true
Attachment #8725390 - Flags: review?(dkl)
Comment 5•8 years ago
Comment on attachment 8725390 [details] [diff] [review]
1252578_1.patch

Review of attachment 8725390 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

::: extensions/BMO/Extension.pm
@@ +2134,5 @@
> $vars->{query} = $query;
>
> if ($query) {
> + check_hash_token($input->{token}, ['query_database']);
> + delete_token($input->{token});

Ugh. I realize now that we do not need delete_token() here or in the other patches we pushed out recently. issue_hash_token() does not actually store an entry in the tokens table; it just hashes the 'action' word and the site-wide secret, and then does the same again when checking, so the DB is not used. Please remove this line and everything is fine. I will file bugs for the other places we/I accidentally added delete_token().
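Review bot: the second added line, `delete_token($input->{token})`, should be dropped from this hunk: the token being checked is a stateless hash token (issue_hash_token() writes nothing to the tokens table, as dkl notes in this comment), so there is no row to delete and the call is a no-op at best. The check itself is placed correctly inside `if ($query)`, so the bare page still renders without a token; the hunk does not show where that page hands the token to the template, so confirm the form is given one issued with the same 'query_database' action, or legitimate submissions will fail check_hash_token(). Note also that this hunk addresses only the CSRF half of the bug summary: the submitted query is still executed as given, and the SELECT-only property rests on the shadow database being read-only (comments 2 and 8), not on anything in this change.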
Attachment #8725390 - Flags: review?(dkl) → review+
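dkl's description of issue_hash_token() above, as an added illustration that is not Bugzilla's code: a stateless CSRF token is an HMAC over a timestamp and the action word, verified by recomputing it, so there is no tokens-table row to delete. The secret, the three-hour window and the toy query_database handler are constructed for this example (real Bugzilla hash tokens also bind the user), and the last check shows the trade-off of statelessness: a token replays freely inside its validity window.

```python
import hashlib
import hmac
import time

# Constructed stand-in for Bugzilla's site_wide_secret; never hard-code a real one.
SITE_WIDE_SECRET = "constructed-demo-secret"
MAX_AGE_SECONDS = 3 * 3600  # assumed validity window

def _mac(secret, ts, action):
    data = f"{ts}|{'|'.join(action)}".encode()
    return hmac.new(secret.encode(), data, hashlib.sha256).hexdigest()

def issue_hash_token(action, secret=SITE_WIDE_SECRET, now=None):
    """Return 'timestamp-mac' bound to the action word(s). Nothing is stored server-side."""
    ts = int(now if now is not None else time.time())
    return f"{ts}-{_mac(secret, ts, action)}"

def check_hash_token(token, action, secret=SITE_WIDE_SECRET, now=None):
    """Recompute the MAC for the same action and compare in constant time.
    Rejects missing, malformed, expired or future-dated tokens."""
    if not token or "-" not in token:
        return False
    ts_str, _, mac = token.partition("-")
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    current = int(now if now is not None else time.time())
    if current - ts > MAX_AGE_SECONDS or ts > current + 60:
        return False
    return hmac.compare_digest(_mac(secret, ts, action), mac)

def handle_query_database(params, now=None):
    """Constructed handler mirroring the patched control flow: the token is only
    checked when a query is actually submitted; the bare page renders freely."""
    query = params.get("query")
    if query:
        if not check_hash_token(params.get("token"), ["query_database"], now=now):
            return "error: invalid or missing token"
        return f"would run read-only query: {query}"
    return "render form"
```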
Comment 6•8 years ago (Assignee)
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git 844c623..3c360d8 master -> master
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment 8•8 years ago
(In reply to Dylan William Hardison [:dylan] from comment #2)
> wheew. Okay, database modifications wouldn't work from this because it
> connects to the shadow db

Yes, I was about to report this issue when I realized that production used a shadow database, which wouldn't allow modifications. In my test environment, on the other hand, this bug was rather nasty.
Updated•8 years ago
Keywords: sec-moderate, wsec-sqli
Updated•5 years ago
Component: Extensions: BMO → Extensions