Bug 264572 (CVE-2009-1213) - <www-apps/bugzilla-{3.2.3, 3.3.4} attachment.cgi CSRF (CVE-2009-1213)
Summary: <www-apps/bugzilla-{3.2.3, 3.3.4} attachment.cgi CSRF (CVE-2009-1213)
Status: RESOLVED FIXED
Alias: CVE-2009-1213
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: http://www.bugzilla.org/security/3.2.2/
Whiteboard: B4 [glsa]
Reported: 2009-04-01 23:45 UTC by Robert Buchholz (RETIRED)
Modified: 2010-06-04 05:17 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2009-04-01 23:45:59 UTC
CVE-2009-1213 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1213):
  Cross-site request forgery (CSRF) vulnerability in attachment.cgi in
  Bugzilla 3.2 before 3.2.3, 3.3 before 3.3.4, and earlier versions
  allows remote attackers to hijack the authentication of arbitrary
  users for requests that use attachment editing.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-04-01 23:46:59 UTC
quoting Mozilla:

Versions:    Every version before 3.2.3 or 3.3.4
Fixed In:    3.2.3, 3.3.4
Description: Attachment editing was vulnerable to a cross-site request
             forgery, because it did not validate that calls to
             attachment.cgi actually came from Bugzilla.

             Bugzilla now generates a token that is validated when
             an attachment is edited. Unfortunately, a fix for this issue
             was only possible for 3.2.3 and 3.3.4. Fixing it on earlier
             branches was not possible as attachment timestamps are not
             available to generate and validate tokens.

Reference:   https://bugzilla.mozilla.org/show_bug.cgi?id=476603
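The advisory above describes the fix in one sentence: a token is generated when the edit form is shown and validated when attachment.cgi is asked to update, and it is derived from the attachment's modification timestamp. The following is an added illustration in Python of that pattern, not Bugzilla's own Perl code; the secret, the attachment store, the user ids and the parameter names `id`, `isobsolete` and `token` are constructed for the example.

```python
import hashlib
import hmac

# Constructed site-wide secret for the example; a real deployment loads it from config.
SITE_SECRET = b"constructed-site-secret-do-not-reuse"

# Constructed attachment store: attachment id -> its editable state and last-modified time.
ATTACHMENTS = {
    101: {"bug_id": 42, "modification_time": "2009-03-30 12:00:00", "is_obsolete": False},
}


def issue_token(user_id, attachment_id, modification_time):
    """Derive an edit token bound to the user, the attachment and its last-modified
    timestamp (hypothetical helper modelled on the fix described in the advisory)."""
    msg = f"{user_id}:{attachment_id}:{modification_time}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def token_for_edit_form(user_id, attachment_id):
    """Called when the edit form is rendered; the value goes into a hidden form field.
    A cross-site page cannot obtain it because it never sees the form for this user."""
    att = ATTACHMENTS[attachment_id]
    return issue_token(user_id, attachment_id, att["modification_time"])


def handle_edit(user_id, params, now):
    """Server side of an update request. Returns (ok, reason).
    The request is accepted only if it carries the token issued for this user,
    this attachment and the attachment's current timestamp."""
    attachment_id = int(params["id"])
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        return False, "no such attachment"
    expected = issue_token(user_id, attachment_id, att["modification_time"])
    token = params.get("token", "")
    if not token or not hmac.compare_digest(token, expected):
        # A forged cross-site request arrives with the victim's cookies but no
        # valid token, so it is rejected before any state changes.
        return False, "missing or invalid token"
    att["is_obsolete"] = bool(params.get("isobsolete"))
    # Bumping the timestamp invalidates every previously issued token for this
    # attachment; this is why the fix needed attachment timestamps to exist.
    att["modification_time"] = now
    return True, "updated"
```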
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-31 07:34:57 UTC
GLSA with bug 239564, bug 258592, bug 264572, bug 284824, bug 303437, and bug 303725.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-04 05:17:33 UTC
GLSA 201006-19