Closed Bug 434550 Opened 16 years ago Closed 16 years ago

XSS vulnerability in SUMO error page

Categories

(support.mozilla.org :: General, defect, P1)

defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: bsterne, Assigned: nkoth)

References

()

Details

(Keywords: wsec-xss, Whiteboard: sumo_only)

Attachments

(1 file)

One of the tiki error pages uses the URL parameter "error" as its display message.  This can be used for XSS or simply website defacement.  Here is an example attack URL:

http://support.mozilla.com/tiki-error.php?error=<a+href="javascript:alert(document.cookie)">Click+Me</a>
Group: webtools-security
Assignee: nobody → nelson
Severity: major → blocker
Priority: -- → P1
Target Milestone: --- → 0.6
Attachment #321667 - Flags: review?(laura)
Status: NEW → ASSIGNED
A couple of comments on the attached patch:

1) you probably don't need to re-assign $_REQUEST["error"] as its escaped self since you are later displaying it using the same escaping functions.

2) a better approach for this type of page would be to have a set of pre-determined error messages that can be chosen from by specifying an error ID in the URL.  This is better than echoing a string that an attacker can easily modify.

The patch as attached will fix the present issue, though.  Just my 0.02.
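A sketch of the whitelist approach suggested in the comment above, added here as an illustration; it is not the attached patch or Tiki's own code, and the error IDs and message texts are constructed for the example:

```php
<?php
// Added example (not the attached patch): an error page that selects a
// fixed message by ID instead of echoing attacker-controlled text.

// Fixed set of messages; the keys are the only values accepted from the
// URL. Both keys and texts are constructed for illustration.
const ERROR_MESSAGES = [
    'not_found'  => 'The requested page could not be found.',
    'permission' => 'You do not have permission to view this page.',
    'generic'    => 'An unexpected error occurred.',
];

/**
 * Pick the message for the given error ID. Unknown or missing IDs fall
 * back to the generic message, so nothing from the request reaches the
 * page except as a key lookup.
 */
function selectErrorMessage(?string $errorId): string
{
    if ($errorId !== null && array_key_exists($errorId, ERROR_MESSAGES)) {
        return ERROR_MESSAGES[$errorId];
    }
    return ERROR_MESSAGES['generic'];
}

// The messages are trusted constants, but escaping on output keeps the
// page safe if a message is later edited to contain markup.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The vulnerable pattern from the report, for contrast:
//   echo $_REQUEST['error'];
$errorId = isset($_GET['error']) ? (string) $_GET['error'] : null;
$message = selectErrorMessage($errorId);
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Error</title></head>
<body>
  <h1>Error</h1>
  <p><?= escapeHtml($message) ?></p>
</body>
</html>
```

With this layout the example attack URL above simply renders the generic message, since `<a href=...>` is not a known error ID.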
Comment on attachment 321667 [details] [diff] [review]
is this filtering enough?

Looks good to me.  Please commit ASAP.
Attachment #321667 - Flags: review?(laura) → review+
in r13337
This was pushed in https://bugzilla.mozilla.org/show_bug.cgi?id=434670
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Group: webtools-security → websites-security
Group: websites-security
Group: websites-security
http://support.mozilla.com/tiki-error.php?error=<a+href="javascript:alert(document.cookie)">Click+Me</a> is verified FIXED; it just gives me "Error \n Click me".
Status: RESOLVED → VERIFIED
Whiteboard: sumo_only
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security