Closed Bug 468626 (WH-1704994) Opened 16 years ago Closed 15 years ago

XSS vulns on tiki-poll_results.php

Categories: support.mozilla.org :: Knowledge Base Software
Type: task
Priority: Not set
Severity: critical
Tracking: (Not tracked)
Status: VERIFIED FIXED

People

(Reporter: reed, Assigned: ecooper)


Details

(Keywords: wsec-xss, Whiteboard: tiki_test)

Attachments

(3 files)

http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-15&vote_to_date=2008-11-14&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-22&vote_to_date=2008-11-21&maxRecords=30
https://support.mozilla.com/tiki-poll_results.php?scoresort_asc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-22&vote_to_date=2008-11-21&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-10-07&vote_to_date=2008-12-06&maxRecords=30

http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-15&vote_to_date=2008-11-14&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-22&vote_to_date=2008-11-21&maxRecords=30
https://support.mozilla.com/tiki-poll_results.php?scoresort_desc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-22&vote_to_date=2008-11-21&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-10-07&vote_to_date=2008-12-06&maxRecords=30

http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-14&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-14&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-21&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-21&maxRecords=30
https://support.mozilla.com/tiki-poll_results.php?scoresort_desc=0&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-21&maxRecords=30

http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=2008-09-15&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=2008-09-15&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=2008-09-22&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=2008-09-22&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
https://support.mozilla.com/tiki-poll_results.php?scoresort_desc=0&vote_from_date=2008-09-22&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30

https://support.mozilla.com/tiki-poll_results.php?scoresort_asc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-21&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-12-06&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-12-06&maxRecords=30

https://support.mozilla.com/tiki-poll_results.php?scoresort_asc=4&vote_from_date=2008-09-22&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=2008-10-07&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=2008-10-07&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
Target Milestone: --- → 0.8.1
Assignee: nobody → smirkingsisyphus
Attachment #356879 - Flags: review?(laura) → review+
In trunk r21585, prod r21586.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Verified FIXED on staging.
Status: RESOLVED → VERIFIED
So close!

One more to go:

http://support.mozilla.com/tiki-poll_results.php?pollId=%22whscheck=%22whscheck()
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Target Milestone: 0.8.1 → 0.8.2
Attached patch: Escapes pollId
Jeez. 

I wonder if it'd be better to just add some code to Smarty::assign (probably in webroot/setup_smarty.php) to escape outputs unless specified otherwise. At least then all the sanitizing would take place at the same layer and save us a bunch of XSS headaches.

Then again, at this point, we'd need to refactor a lot of smarty code to prevent double-escapes.
Greenfields, this would be the right way to do it.  However, some issues:
1. We have no tests to spot regressions.
2. I'm fairly sure that this would cost a lot of time and effort in testing, QA, and just recoding.  Would most likely need doing in a new branch.
3. The reason Smarty supports different types of escaping is that output needs to be escaped differently depending on where it's going.  This will mean in places we'll end up unescaping and re-escaping appropriately.  It's a similar problem to turning on magic quotes.

So, given that I think we've closed off the WH vectors (bar one), the right way to proceed is:
- Start writing tests (needs doing anyway)
- Sometime, when we have time - which won't be this quarter, we are already behind - make a branch and experiment with making a global change to see how much stuff breaks.
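The trade-off in the two comments above (escape everything once in Smarty::assign, versus escape per sink in the template, and the double escaping the first option causes until the templates are refactored), modelled as an added Python example. This is not Tiki or Smarty code: the context names html, javascript and url are borrowed from Smarty's escape modifier, and the three sink functions are invented stand-ins for places a poll-results template might emit the same value.

```python
"""Output escaping has to match the sink, and escaping twice corrupts data.

Added example, not Tiki or Smarty code. It models the "escape once in assign()"
proposal against per-context escaping at the template. Sink names and the
pollId placeholder are assumptions for illustration.
"""
import json
from html import escape, unescape
from urllib.parse import quote


def escape_for(value: str, context: str) -> str:
    """Escape a value for the specific place in the page where it will land."""
    if context == "html":          # element text and quoted attribute values
        return escape(value, quote=True)
    if context == "javascript":    # inside a quoted JS string literal in <script>
        # json.dumps yields a valid JS string body (backslash, double quote and
        # control characters escaped); the \uXXXX replacements keep a literal
        # "</script>" or a stray single quote from breaking out of the string.
        body = json.dumps(value)[1:-1]
        for ch, esc in (("<", "\\u003c"), (">", "\\u003e"),
                        ("&", "\\u0026"), ("'", "\\u0027")):
            body = body.replace(ch, esc)
        return body
    if context == "url":           # a query-string parameter value in an href
        return quote(value, safe="")
    raise ValueError(f"unknown context: {context!r}")


# Three hypothetical sinks for the same template variable, each escaped for
# its own context at output time (the per-sink approach).
def attribute_sink(value: str) -> str:
    return f'<input type="hidden" name="pollId" value="{escape_for(value, "html")}"/>'


def script_sink(value: str) -> str:
    return f'<script>var pollId = "{escape_for(value, "javascript")}";</script>'


def link_sink(value: str) -> str:
    return f'<a href="tiki-poll_results.php?pollId={escape_for(value, "url")}">results</a>'


# The global approach: HTML-escape every variable when it is assigned, before
# any template sees it.
def assign_html_escaped(value: str) -> str:
    return escape(value, quote=True)


def attribute_sink_after_global_escape(value: str) -> str:
    """Template still escapes for html: a quote comes out as &amp;quot; and the
    browser shows the literal text &quot; instead of a quote."""
    return attribute_sink(assign_html_escaped(value))


def link_sink_after_global_escape(value: str) -> str:
    """Template still escapes for url: the HTML entities get percent-encoded,
    so the link carries %26quot%3B where the server expects %22."""
    return link_sink(assign_html_escaped(value))


def link_sink_unescape_then_reescape(value: str) -> str:
    """The refactor the discussion anticipates: undo the global html escaping
    first, then escape for the real sink."""
    return link_sink(unescape(assign_html_escaped(value)))


if __name__ == "__main__":
    sample = 'a&b"c'
    print(attribute_sink(sample))
    print(script_sink(sample))
    print(link_sink(sample))
    print(link_sink_after_global_escape(sample))
    print(link_sink_unescape_then_reescape(sample))
```

The javascript case also shows why html escaping cannot stand in for the others even when it looks harmless: a lone backslash passes through html escaping untouched and can neutralise the closing quote of a JS string, while the javascript context doubles it.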
In r21982 / r21984
Status: REOPENED → RESOLVED
Closed: 16 years ago → 15 years ago
Resolution: --- → FIXED
Attached image Screenshot
Is this fixed, per the screenshot?
Can't tell from screenshot but view source says yes (please confirm).
(In reply to comment #9)
> Can't tell from screenshot but view source says yes (please confirm).

Sorry, yeah; now I remember:

staging: <input type="hidden" name="pollId" value="&quot;whscheck=&quot;whscheck()"/>

prod: <input type="hidden" name="pollId" value=""whscheck="whscheck()"/>

Verified FIXED.
Status: RESOLVED → VERIFIED
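The attribute breakout that the report's `" STYLE="background-image: x(a:whs())` payload relies on, and the staging-versus-prod view-source check in the verification comment above, as an added Python example (not SUMO or Tiki code). `render_unescaped` and `render_escaped` are stand-ins for the template before and after the patch; the two snippet constants are the staging and prod markup quoted in the comment. The check parses the markup the way a browser's tokenizer would, so it decides from the resulting attribute set rather than from the raw text.

```python
"""Attribute-context reflection: what the payload does, and how to verify the fix.

Added example, not SUMO/Tiki code. The render functions model the template
before and after the patch; the parameter names and payloads are the ones in
the bug report.
"""
from html import escape
from html.parser import HTMLParser

# Payloads from the report: the first closes value="..." and opens a STYLE
# attribute, the second (from the reopening comment) adds a bogus attribute.
STYLE_PAYLOAD = '" STYLE="background-image: x(a:whs())'
POLLID_PAYLOAD = '"whscheck="whscheck()'

# Markup quoted in the verification comment for staging (fixed) and prod (not yet).
STAGING_SNIPPET = '<input type="hidden" name="pollId" value="&quot;whscheck=&quot;whscheck()"/>'
PROD_SNIPPET = '<input type="hidden" name="pollId" value=""whscheck="whscheck()"/>'


def render_unescaped(name: str, value: str) -> str:
    """Vulnerable rendering: the raw query value inside a quoted attribute."""
    return f'<input type="hidden" name="{name}" value="{value}"/>'


def render_escaped(name: str, value: str) -> str:
    """Fixed rendering: attribute escaping (& < > " ') so the value cannot
    close the attribute it sits in."""
    return f'<input type="hidden" name="{name}" value="{escape(value, quote=True)}"/>'


class _InputCollector(HTMLParser):
    """Collects the attribute set of every <input> as the parser tokenizes it;
    attribute values are entity-decoded, names lower-cased, like a browser."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def parse_inputs(markup: str) -> list[dict]:
    parser = _InputCollector()
    parser.feed(markup)
    parser.close()
    return parser.inputs


def reflection_is_safe(markup: str, name: str, sent_value: str) -> bool:
    """Verification rule: the <input> named `name` must round-trip the sent
    value exactly (the parser decodes &quot; back to a quote) and carry only
    the attributes the template put there. An injected STYLE or whscheck
    attribute fails the second condition; a truncated value fails the first."""
    expected_attrs = {"type", "name", "value"}
    for attrs in parse_inputs(markup):
        if attrs.get("name") != name:
            continue
        return attrs.get("value") == sent_value and set(attrs) == expected_attrs
    return False


if __name__ == "__main__":
    for label, markup in (
        ("prod    ", PROD_SNIPPET),
        ("staging ", STAGING_SNIPPET),
        ("unescaped scoresort_asc", render_unescaped("scoresort_asc", STYLE_PAYLOAD)),
        ("escaped scoresort_asc  ", render_escaped("scoresort_asc", STYLE_PAYLOAD)),
    ):
        name = "pollId" if "pollId" in markup else "scoresort_asc"
        sent = POLLID_PAYLOAD if name == "pollId" else STYLE_PAYLOAD
        print(label, "safe" if reflection_is_safe(markup, name, sent) else "VULNERABLE",
              parse_inputs(markup)[0])
```

Parsing rather than grepping the source is what makes the check match the screenshot comment: the prod markup looks like a value until the tokenizer splits it into an empty `value` plus a new `whscheck` attribute, and the staging markup looks wrong until the entity decoding gives back exactly the string that was sent.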
Whiteboard: tiki_triage
Whiteboard: tiki_triage → tiki_test
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security