Closed
Bug 434550
Opened 16 years ago
Closed 16 years ago
XSS vulnerability in SUMO error page
Categories: support.mozilla.org :: General, defect, P1
Tracking: Not tracked; VERIFIED FIXED; 0.6
People: Reporter: bsterne, Assigned: nkoth
Details: Keywords: wsec-xss, Whiteboard: sumo_only
Attachments (1 file): 1.01 KB, patch | laura: review+
One of the tiki error pages uses the URL parameter "error" as its display message. This can be used for XSS or simply website defacement. Here is an example attack URL: http://support.mozilla.com/tiki-error.php?error=<a+href="javascript:alert(document.cookie)">Click+Me</a>
Updated • 16 years ago (Reporter)
Group: webtools-security
Updated • 16 years ago
Assignee: nobody → nelson
Severity: major → blocker
Priority: -- → P1
Target Milestone: --- → 0.6
Comment 1 • 16 years ago (Assignee)
Attachment #321667 - Flags: review?(laura)
Updated • 16 years ago (Assignee)
Status: NEW → ASSIGNED
Comment 2 • 16 years ago (Reporter)
A couple of comments on the attached patch:
1) you probably don't need to re-assign $_REQUEST["error"] as its escaped self since you are later displaying it using the same escaping functions.
2) a better approach for this type of page would be to have a set of pre-determined error messages that can be chosen from by specifying an error ID in the URL. This is better than echoing a string that an attacker can easily modify.
The patch as attached will fix the present issue, though. Just my 0.02.
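The two approaches compared in Comment 2, sketched in PHP as an added example (this is not the attached patch or SUMO's code; the function names, error IDs and message texts are hypothetical). It shows escaping the parameter at output time next to looking up a predetermined message by ID, which also removes the defacement risk because the URL no longer carries display text:

```php
<?php
// Added illustration; not the SUMO/tiki patch. All names are hypothetical.

// Fixed catalogue of messages: the URL carries only an ID, never display text.
const ERROR_MESSAGES = [
    'not_found' => 'The page you requested does not exist.',
    'no_access' => 'You do not have permission to view this page.',
    'bad_input' => 'The submitted form contained invalid data.',
];
const DEFAULT_ERROR = 'An unknown error occurred.';

// Approach 1: escape at output time, so request data is rendered as text
// and never parsed as markup. Escaping once, where the value is printed,
// avoids double-encoding a value that was already escaped earlier.
function render_escaped(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Approach 2: treat the parameter as an ID into the fixed catalogue.
// Anything that is not a known string key (including array input such as
// ?error[]=x) falls back to a generic message.
function render_by_id($id): string
{
    if (!is_string($id) || !array_key_exists($id, ERROR_MESSAGES)) {
        return DEFAULT_ERROR;
    }
    return ERROR_MESSAGES[$id];
}

// Constructed sample input: the parameter value from the report, URL-decoded.
$sample = '<a href="javascript:alert(document.cookie)">Click Me</a>';

echo render_escaped($sample), "\n";    // markup shown as inert text
echo render_by_id($sample), "\n";      // unknown ID, generic message
echo render_by_id('no_access'), "\n";  // known ID, catalogue message
```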
Comment 3 • 16 years ago
Comment on attachment 321667: is this filtering enough?
Looks good to me. Please commit ASAP.
Attachment #321667 - Flags: review?(laura) → review+
Comment 5 • 16 years ago
This was pushed in https://bugzilla.mozilla.org/show_bug.cgi?id=434670
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Updated • 16 years ago
Group: webtools-security → websites-security
Updated • 16 years ago
Group: websites-security
Updated • 16 years ago
Group: websites-security
Comment 6 • 15 years ago
http://support.mozilla.com/tiki-error.php?error=<a+href="javascript:alert(document.cookie)">Click+Me</a> is verified FIXED; it just gives me "Error \n Click me".
Status: RESOLVED → VERIFIED
Updated • 15 years ago
Whiteboard: sumo_only
Comment 7 • 11 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Comment 8 • 8 years ago
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security