Closed
Bug 1250114
Opened 9 years ago
Closed 9 years ago
XSS possible in extensions calling global/tabs.html.tmpl if tab.link is user-controlled
Categories
(Bugzilla :: User Interface, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 4.4
People
(Reporter: buglloc, Assigned: dylan)
References
Details
(Keywords: sec-moderate, wsec-xss)
Attachments
(2 files)
(deleted),
image/png
|
Details | |
(deleted),
patch
|
glob
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
Steps to reproduce:
Hi,
I would like to report Cross site scripting vulnerability.
Steps to reproduce :
1. Navigate to: https://bugzilla.mozilla.org/page.cgi?id=productdashboard.html&product=Participation%20Infrastructure&tab=components&bug_status=%27-prompt(%27xss%27)-%27
2. Switch to any tab ("Recents", "Components/Versions", "Duplicates", etc)
Actual results:
Javascript get executed.
Expected results:
Javascript must not been executed :)
Comment 1•9 years ago
|
||
Confirmed. BMO-specific.
Assignee: general → nobody
Status: UNCONFIRMED → NEW
Component: Bugzilla-General → Extensions: ProductDashboard
Ever confirmed: true
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Version: unspecified → Production
Assignee | ||
Comment 2•9 years ago
|
||
Very unfortunate. :(
I think this is the fault of global/tabs.html.tmpl.
I think that is only used by productdashboard and the search tabs. Search tabs do not allow user-generated content
into the tabs array.
I note that global/tabs.html.tmpl exists in the filterexceptions.pl -- which I think adds insult to injury.
Working on a fix next.
Assignee: nobody → dylan
Assignee | ||
Updated•9 years ago
|
Summary: XSS in page.cgi (bug_status parameter) → XSS in Product Dashboard (bug_status parameter)
Assignee | ||
Comment 3•9 years ago
|
||
filterexceptions isn't the cause of this error. The value in question was already filtered -- for HTML content.
We need to filter tabs.link for JS and then for HTML.
Alternatively, we could remove the onclick handler, as it seems to be pretty useless.
Attachment #8721968 -
Flags: review?(dkl)
Comment on attachment 8721968 [details] [diff] [review]
1250114_1.patch
Review of attachment 8721968 [details] [diff] [review]:
-----------------------------------------------------------------
r=glob
Attachment #8721968 -
Flags: review?(dkl) → review+
Assignee | ||
Updated•9 years ago
|
Component: Extensions: ProductDashboard → User Interface
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Summary: XSS in Product Dashboard (bug_status parameter) → XSS in global/tabs.html.tmpl (tab.link not filtered correctly)
Target Milestone: --- → Bugzilla 5.0
Version: Production → 4.2
Updated•9 years ago
|
Flags: sec-bounty?
Comment 5•9 years ago
|
||
This bug has been introduced by bug 321556 in 2.23.4.
Status: NEW → ASSIGNED
Depends on: 321556
Flags: blocking5.0.3?
Flags: blocking4.4.12?
Flags: approval?
Flags: approval5.0?
Flags: approval4.4?
Summary: XSS in global/tabs.html.tmpl (tab.link not filtered correctly) → [SECURITY] XSS in global/tabs.html.tmpl (tab.link not filtered correctly)
Target Milestone: Bugzilla 5.0 → Bugzilla 4.4
Version: 4.2 → 2.23.4
Comment 6•9 years ago
|
||
Yeah, filterexceptions can tell if values are filtered, but it can't tell if they are filtered the right way :-| Not sure if we'd be able to make it that smart.
Gerv
Assignee | ||
Comment 7•9 years ago
|
||
We definitely can not -- but we can prevent this and future bugs by a having a good CSP policy.
Comment 8•9 years ago
|
||
Actually, this is not a security bug as in a vanilla Bugzilla installation we only have two places where we call global/tabs.html.tmpl, and none of them passes user-controlled data to tabs. So this is rather a security improvement. No need for a secadv, meaning that it can be checked in immediately (after appropriate a+, of course).
Flags: blocking5.0.3?
Flags: blocking4.4.12?
Summary: [SECURITY] XSS in global/tabs.html.tmpl (tab.link not filtered correctly) → XSS possible in extensions calling global/tabs.html.tmpl if tab.link is user-controlled
Updated•9 years ago
|
Flags: approval?
Flags: approval5.0?
Flags: approval5.0+
Flags: approval4.4?
Flags: approval4.4+
Flags: approval+
Assignee | ||
Comment 9•9 years ago
|
||
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
ee24e1e..01ad7ac 4.4 -> 4.4
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
6c705e8..a59f1e9 5.0 -> 5.0
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
a35c986..54f8e93 master -> master
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
|
Flags: sec-bounty? → sec-bounty+
Keywords: sec-moderate,
wsec-xss
Updated•9 years ago
|
Group: bugzilla-security
Updated•8 years ago
|
Attachment #8752937 -
Attachment description: buglloc@yandex.ru,500?,2016-02-22,2016-05-13,2016-05-16,true,,, → buglloc@yandex.ru,500?,2016-02-22,2016-05-13,2016-05-16,true,Andrew Krasichkov,,
Updated•8 years ago
|
Attachment #8752937 -
Attachment description: buglloc@yandex.ru,500?,2016-02-22,2016-05-13,2016-05-16,true,Andrew Krasichkov,, → buglloc@yandex.ru,500,2016-02-22,2016-05-13,2016-05-16,true,Andrew Krasichkov,,
You need to log in
before you can comment on or make changes to this bug.
Description
•