FogBugz Technical Support

A forum for technical support discussion related to Fogbugz.
The current FogBugz Knowledge Base can be found at http://help.fogcreek.com/fogbugz.


Security problem with /FogBugz/KB/howto/GiveCaseNumbersaUniqueP

Hi!

The information on
http://www.fogcreek.com/FogBugz/KB/howto/GiveCaseNumbersaUniquePre.html
made me think about what would happen if I sent a random email to, e.g., FogCreek support with "case $RND$" in it.

Would I reopen and disturb your whole installation?

I don't understand this workaround with the prefix; it seems to me like that problem actually happened and was not thought out well enough.

You already add 4 random letters, stored in the database, to allow web access to submitted cases. Why don't you use this to make a "secure" case number which cannot be known to anybody?

I would never program something where anybody could influence internal stuff by email automatically.

Are there at least protections so that someone from outside cannot mess with internal BUGS (instead of inquiries)?

I think that this is not a feature request, but rather some kind of security threat/data loss or corruption issue!

Sunday, September 23, 2007
I have a related question:
Is there any way to disguise the rate with which we get support calls and do work on projects to our outside customers?

They would always have the possibility to send some junk from a freemail address to measure our working rate.

I don't want our competition or customers to know how much we sell!
Christian
Sunday, September 23, 2007
It's certainly not a data loss problem since FogBugz never deletes anything.

Your question, though, seems to suggest that allowing people to add data to your FogBugz install is a security hole. If that applies to you, then just don't add any public projects to FogBugz (so no one can submit cases via the web) and don't add any mailboxes (so no one can submit cases via email). Don't use BugzScout either.
Michael H. Pryor
Monday, September 24, 2007
I will certainly not use submit-by-web or BugzScout directly and will not put the installation on the internet; that would be insane! (I trust you to take care of security, but there is still a big risk!)

But I DO want to use mailboxes; that's half of why I bought it.

It seems very strange that anybody can mess with the existing cases.

I never saw that in any other self-service system on the internet where I would get case numbers. They were always random-looking, not incrementing and not unprotected.

Maybe it's possible to patch FogBugz so that it calls two self-written hooks, one when parsing subject lines and one when creating them, to multiply the case numbers, add some random modulo, add some part of an HMAC of the new case number and write that out as the ticket number.

One additional question: Will only the subject line of incoming messages be parsed, or will FogBugz also create references when it finds the magic words "case 12345" in the body of the mail?

But nevertheless, I think that this is a valid issue and you should have seen it coming when your first cases collided with customer cases!

It probably should be fixed for the next version, shouldn't it?

Monday, September 24, 2007
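The HMAC-tagged case reference the poster above proposes, worked through as an added example (this is not FogBugz code; the "case NUMBER-TAG" subject format, the 32-bit tag length and the secret key are assumptions): outgoing subjects carry a tag derived from the case number, and an incoming subject only links to a case when its tag verifies, so a guessed or incremented number alone is rejected.

```python
import hashlib
import hmac
import re
from typing import Optional

# Hypothetical per-installation secret; a real deployment loads it from
# configuration rather than hard-coding it (constructed value for the example).
SECRET_KEY = b"constructed-example-secret"

# Tag is the first 8 hex digits (32 bits) of HMAC-SHA256 over the case number,
# so a forged reference succeeds with probability about 2^-32 per message.
TAG_HEX_LEN = 8
REFERENCE_RE = re.compile(
    r"\bcase\s+(\d+)-([0-9a-fA-F]{%d})\b" % TAG_HEX_LEN, re.IGNORECASE
)


def case_tag(case_number: int, key: bytes = SECRET_KEY) -> str:
    """Truncated HMAC-SHA256 tag that authenticates one case number."""
    mac = hmac.new(key, str(case_number).encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:TAG_HEX_LEN]


def format_reference(case_number: int, key: bytes = SECRET_KEY) -> str:
    """Build the reference written into outgoing subjects, e.g. 'case 12345-3f9a2c1b'."""
    return f"case {case_number}-{case_tag(case_number, key)}"


def parse_reference(subject: str, key: bytes = SECRET_KEY) -> Optional[int]:
    """Return the case number if the subject carries a valid reference, else None.

    Only the subject line is inspected (never the message body), and the tag is
    compared in constant time so the check does not leak partial matches.
    """
    match = REFERENCE_RE.search(subject)
    if match is None:
        return None
    number = int(match.group(1))
    if not hmac.compare_digest(case_tag(number, key), match.group(2).lower()):
        return None
    return number
```

A bare "case 12345" in an incoming subject no longer links anywhere, which is the point: the attacker must produce the tag, not merely the next number in sequence.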