Closed Bug 790296 (CVE-2012-4189) Opened 12 years ago Closed 12 years ago

[SECURITY] Field values are not escaped correctly in tabular reports

Categories
Product/Component: Bugzilla :: Reporting/Charting, defect
Version: 4.1.1
Type: defect
Priority: Not set
Severity: major

Tracking
Status: RESOLVED FIXED
Target Milestone: Bugzilla 4.2

People
Reporter: mateusz.goik, Assigned: LpSolit

Details
Keywords: regression, sec-critical, wsec-xss

Attachments
(1 file, 1 obsolete file)

PoC:

http://localhost/cgi-bin/bug/editversions.cgi?action=add&product=TestProduct ->
Version: "><script>alert(1);</script>

Add new bug to "TestProduct" with version "><script>alert(1);</script>

http://localhost/cgi-bin/bug/query.cgi?format=report-table -> 
Horizontal Axis: Version
should be the results: Version: "><script>alert(1);</script>
-> Generate Report

http://localhost/cgi-bin/bug/report.cgi?x_axis_field=version&y_axis_field=&z_axis_field=&query_format=report-table&short_desc_type=allwordssubstr&short_desc=&resolution=---&longdesc_type=allwordssubstr&longdesc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&keywords_type=allwords&keywords=&deadlinefrom=&deadlineto=&bug_id=&bug_id_type=anyexact&version=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&emailassigned_to1=1&emailtype1=substring&email1=&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailtype2=substring&email2=&emaillongdesc3=1&emailtype3=substring&email3=&chfieldvalue=&chfieldfrom=&chfieldto=Now&j_top=AND&f1=noop&o1=noop&v1=&format=table&action=wrap

Result:

+ oColumn.field + "&amp;version="><script>alert(1);</script>'>"
 elLiner.innerHTML = "<a href='buglist.cgi?action=wrap&amp;resolution=---&amp;version="><script>alert(1);</script>'>"
     <a href="buglist.cgi?action=wrap&amp;resolution=---&amp;version="><script>alert(1);</script>">5</a>
<a href="buglist.cgi?action=wrap&amp;resolution=---&amp;=%20&amp;version="><script>alert(1);</script>">5</a>
OS: Linux → All
Hardware: x86 → All
Confirmed. Bugzilla 4.0 and older are not affected as we use YUI for tabular reports since 4.2 only, see bug 142394. If JavaScript is disabled, the problem goes away, so I suspect < and > are not escaped properly somewhere in our JS code, which is surprising as < and > are supposed to be escaped by |FILTER js|, see bug 503980 and bug 670169.
Flags: blocking4.4+
Flags: blocking4.2.4+
Summary: Report table (version) - XSS → Field values are not escaped correctly in tabular reports
Target Milestone: --- → Bugzilla 4.2
Attached patch patch, v1 (obsolete)
Assignee: charting → LpSolit
Status: NEW → ASSIGNED
Attachment #660184 - Flags: review?(dkl)
Comment on attachment 660184 [details] [diff] [review]
patch, v1

Review of attachment 660184 [details] [diff] [review]:
-----------------------------------------------------------------

Are you sure this fixes all four different spots? Seems like it would only fix 2-3 of the 4.
(In reply to Reed Loden [:reed] from comment #3)
> Are you sure this fixes all four different spots? Seems like it would only
> fix 2-3 of the 4.

This fixes all links when JS is disabled, prevents XSS with JS disabled/enabled, and links with JS enabled are only broken when the values have semicolons in them. I will check what I can do for them later (not a regression due to my patch).
Attached patch patch, v2
Correctly escape column headers.

I suspect that YUI reverts some escaping internally, because replacing oColumn.field by YAHOO.lang.escapeHTML(oColumn.field) has no effect. But that's another bug.
Attachment #660184 - Attachment is obsolete: true
Attachment #660184 - Flags: review?(dkl)
Attachment #660428 - Flags: review?(dkl)
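The two comments above (escaping by |FILTER js| in comment 2, and YUI apparently undoing escaping in comment 6) both come down to the same context problem, shown here as an added example that is not Bugzilla's code and not the attached patch. A value escaped for a JavaScript string literal is back to its raw characters once the browser evaluates that literal; if the script then concatenates it into `innerHTML` as part of an `href`, the URL and HTML-attribute contexts need their own escaping. `jsEscape` is a simplified stand-in for |FILTER js|, and the `buglist.cgi` link shape, the `evaluate` helper and the field/count values are assumptions made for the demonstration. The unescaped builder reproduces the rendered link the reporter pasted above.

```javascript
// Added example, not Bugzilla's code: JS-string escaping (modelled by jsEscape)
// survives only until the browser evaluates the literal; HTML built from the
// value afterwards needs URL and attribute escaping of its own.

const PAYLOAD = '"><script>alert(1);</script>';  // constructed: the reporter's version string

// Escape a value for use inside a single-quoted JavaScript string literal.
// < and > are hex-escaped so a raw </script> cannot close the script block.
// Assumption: a simplified model of Bugzilla's |FILTER js|, not the real filter.
function jsEscape(s) {
  return String(s)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/</g, '\\x3c')
    .replace(/>/g, '\\x3e')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n');
}

// Escape a value for an HTML text node or a quoted attribute.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Server side (assumed template shape): emit a script that stores the field value.
function emitScript(value) {
  return "var v = '" + jsEscape(value) + "';";
}

// Browser side: evaluate the emitted script and return v. The JS-context escaping
// did its job (no breakout from the literal), but v now holds the raw characters.
function evaluate(script) {
  return new Function(script + ' return v;')();
}

// Vulnerable: the raw value is concatenated straight into a double-quoted href.
// A value containing "> closes the attribute and the tag, so <script> lands in the DOM.
function buildLinkVulnerable(field, value, count) {
  const v = evaluate(emitScript(value));
  return '<a href="buglist.cgi?action=wrap&amp;' + field + '=' + v + '">' + count + '</a>';
}

// Hardened: percent-encode each query-string component, then HTML-escape the whole
// attribute. Both steps matter: encodeURIComponent leaves ' untouched, and HTML
// escaping alone would not stop ; or & from changing the meaning of the query string.
function buildLinkHardened(field, value, count) {
  const v = evaluate(emitScript(value));
  const href = 'buglist.cgi?action=wrap&' + encodeURIComponent(field) + '=' + encodeURIComponent(v);
  return '<a href="' + htmlEscape(href) + '">' + htmlEscape(String(count)) + '</a>';
}

// Crude check: the opening tag must hold exactly the two quotes of its href,
// and no raw <script must appear anywhere in the markup.
function isSafe(html) {
  const openTag = html.slice(0, html.indexOf('>') + 1);
  const quotes = (openTag.match(/"/g) || []).length;
  return quotes === 2 && !/<script/i.test(html);
}

function main() {
  for (const build of [buildLinkVulnerable, buildLinkHardened]) {
    const html = build('version', PAYLOAD, 5);
    console.log(build.name + ': ' + (isSafe(html) ? 'ok  ' : 'XSS ') + html);
  }
}
main();
```

Running it prints the vulnerable link exactly as it appears in the reporter's "Result" block and the hardened link with the value percent-encoded; the same pattern applies to the column header (`oColumn.field`), which in the vulnerable output above is also concatenated raw.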
Frederic, can you give feedback on this as far as a security rating? Is this a simple XSS issue?
(In reply to Al Billings [:abillings] from comment #7)
> Frederic, can you give feedback on this as far as a security rating? Is this
> a simple XSS issue?

Unfortunately, it's very easy to trigger XSS, see the link in the URL field. There is no need for the value to exist in the DB.
Severity: normal → major
Depends on: 142394
Keywords: regression
Summary: Field values are not escaped correctly in tabular reports → [SECURITY] Field values are not escaped correctly in tabular reports
Version: 4.2.3 → 4.1.1
Comment on attachment 660428 [details] [diff] [review]
patch, v2

Review of attachment 660428 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #660428 - Flags: review?(dkl) → review+
Flags: approval?
Flags: approval4.4?
Flags: approval4.2?
Call this one CVE-2012-4189
Alias: CVE-2012-4189
Blocks: 805640
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified report.cgi
modified template/en/default/reports/report-table.html.tmpl
Committed revision 8470.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified report.cgi
modified template/en/default/reports/report-table.html.tmpl
Committed revision 8455.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified report.cgi
modified template/en/default/reports/report-table.html.tmpl
Committed revision 8169.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Security advisory sent. Removing the security flag.
Group: bugzilla-security
Flags: sec-bounty+