Status

RESOLVED FIXED
4 years ago
2 years ago

People

(Reporter: freddyb, Unassigned)

Tracking

({sec-high, wsec-xss})

Details

(Reporter)

Description

4 years ago
STR:
1: Visit https://sso.mozilla.com/signout.html?app=%3Cs%3E%3Cimg%20src=x%20onerror=alert%281%29%3Emeh
2: XSS

Affected code:
>  var query_str = decodeURIComponent(getQuerystring('app'));
> …
>  response += " of "+query_str+".</h2><br /><br />"+okta_msg;
> …
>  document.write(response);


Suggested patch:
Add a line that removes everything from query_str that is not alphanumeric, i.e.,
> query_str = query_str.replace(/[^A-Za-z0-9]/g, "");
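The rendering path from the report, modelled as pure functions so the vulnerable and patched behaviour can be compared outside a browser. This is an added example, not the sso-mozilla-com code: the `getQuerystring` helper, the `okta_msg` stand-in and the "You have been logged out" heading text are constructed assumptions; only the `decodeURIComponent` / string concatenation / allowlist `replace` steps come from the bug.

```javascript
// Added example (not the sso-mozilla-com code). Models signout.html's
// rendering of the "app" parameter as functions that return the HTML
// string instead of passing it to document.write.

// Constructed stand-in for the page's getQuerystring('app'): returns the
// raw, still percent-encoded value of one parameter from a query string.
function getQuerystring(query, name) {
  const m = new RegExp("[?&]" + name + "=([^&#]*)").exec(query);
  return m ? m[1] : "";
}

const okta_msg = ""; // constructed stand-in for the page's Okta message

// Vulnerable version as described in the report: the decoded parameter is
// concatenated into HTML unchanged, so markup in "app" becomes live markup.
function buildResponseUnsafe(query) {
  const query_str = decodeURIComponent(getQuerystring(query, "app"));
  let response = "<h2>You have been logged out"; // heading text is assumed
  response += " of " + query_str + ".</h2><br /><br />" + okta_msg;
  return response;
}

// Patched version following the reporter's suggestion: keep only
// alphanumerics. The result must be assigned back, because
// String.prototype.replace returns a new string and never mutates query_str.
function buildResponseSafe(query) {
  let query_str = decodeURIComponent(getQuerystring(query, "app"));
  query_str = query_str.replace(/[^A-Za-z0-9]/g, "");
  let response = "<h2>You have been logged out";
  response += " of " + query_str + ".</h2><br /><br />" + okta_msg;
  return response;
}

// Regression check: does the rendered HTML contain any tag other than the
// ones the template itself emits? True means attacker-controlled markup
// reached the output.
function containsForeignMarkup(html) {
  const allowed = new Set(["h2", "/h2", "br /"]);
  const tags = html.match(/<([^>]*)>/g) || [];
  return tags.some((t) => !allowed.has(t.slice(1, -1)));
}
```

Running both builders over the STR payload shows the unsafe output carrying the `<img ... onerror=...>` tag and the patched output reduced to the bare alphanumerics, which is the behaviour observed in comment 8.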
(Reporter)

Updated

4 years ago
Keywords: sec-high, wsec-xss
I don't think I wrote sso.mozilla.com. :jabba, any thoughts?

Comment 2

4 years ago
The code is at https://github.com/mozilla/sso-mozilla-com . Webops team (cturra) wrote it. Not sure who has access to update it now that cturra is gone.
Rob,

Not sure there's a dev/stage site; is this safe enough to deploy directly into prod?

https://github.com/mozilla/sso-mozilla-com/pull/1/files

Updated

4 years ago
Depends on: 1158382

Comment 5

4 years ago
Should be safe to deploy. The main purpose of the site is simply to display a logout page to various SAML-enabled applications. Most of the site's other functionality is just a bunch of redirects in apache, independent of the code.
(In reply to Justin Dow [:jabba] from comment #5)
> Should be safe to deploy. The main purpose of the site is simply to display
> a logout page to various SAML-enabled applications. Most of the site's other
> functionality is just a bunch of redirects in apache, independent of the
> code.

Ok, I'll do this tomorrow morning then.
Fix has been deployed, can someone please test and close it out? Thanks!
(Reporter)

Comment 8

4 years ago
I looked at https://sso.mozilla.com/signout.html?app=%27goodfs%22%3E%3C which indeed strips out undesired characters.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED

Updated

2 years ago
Assignee: nobody → infra
Group: webtools-security
status-firefox40: affected → ---
Component: SSO → Infrastructure: SSO
Product: Webtools → Infrastructure & Operations
Version: Trunk → unspecified