Avoiding Future Security Bug Regressions

Max Kanat-Alexander mkanat at bugzilla.org
Sun Feb 8 19:06:26 UTC 2009


On Sun, 08 Feb 2009 11:58:42 +0100 Gervase Markham <gerv at mozilla.org>
wrote:
> My understanding of what happened would not lead me to use the words
> "extremely dangerous" - so perhaps I have misunderstood.
> 
> Why were the particular regressions we had "extremely dangerous"?

	They theoretically allowed a persistent-enough attacker to
access a private attachment (which on bmo includes security PoCs, as
you know) without authorization. (The token was predictable enough
[always the same, effectively] that all they had to do was eventually
get their request in-between the request and redirect of a real
attachment.cgi user--probably easy enough on bmo, with how frequent
requests are.)

	They also defeated all CSRF protection, which is particularly
bad after we had publicized the attachment issue.

	-Max
-- 
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.
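As an added illustration (not code from this thread or from Bugzilla itself), the contrast Max describes: a token that is effectively constant can be redeemed by whoever gets a request in first, whereas a token bound to the requesting user, the attachment and an issue time is useless to anyone else. Names, the HMAC construction and the 60-second lifetime are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed per-deployment server secret; it never leaves the server.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 60  # seconds a token stays valid (assumed value)


def regressed_token(user_id, attachment_id):
    """Models the regression: the token ignores who asked and for what,
    so every request receives the same value and any holder can use it."""
    return "attachment-token"


def verify_regressed(token, user_id, attachment_id):
    # A plain equality check cannot tell the real user from a racer.
    return token == regressed_token(user_id, attachment_id)


def issue_token(user_id, attachment_id, issued_at=None):
    """Bind the token to (user, attachment, time) with a keyed MAC."""
    issued_at = int(issued_at if issued_at is not None else time.time())
    msg = f"{user_id}:{attachment_id}:{issued_at}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}:{mac}"


def verify_token(token, user_id, attachment_id, now=None):
    """Accept only a fresh token minted for exactly this user and attachment."""
    now = now if now is not None else time.time()
    try:
        issued_at_str, mac = token.split(":", 1)
        issued_at = int(issued_at_str)
    except ValueError:
        return False  # malformed token
    if now - issued_at > TOKEN_TTL or issued_at > now + 5:
        return False  # expired, or a timestamp from the future
    msg = f"{user_id}:{attachment_id}:{issued_at}".encode()
    expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(mac, expected)
```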
