Closed
Bug 1221518
(CVE-2015-8508)
Opened 9 years ago
Closed 9 years ago
[SECURITY] XSS in dependency graphs when displaying the bug summary
Categories
(Bugzilla :: Dependency Views, defect)
Bugzilla
Dependency Views
Tracking
RESOLVED
FIXED
Bugzilla 4.2
People
(Reporter: hofusec, Assigned: LpSolit)
References
Details
(Keywords: sec-critical, wsec-xss)
Attachments
(3 files)
- patch (1.44 KB), gerv: review+
- patch (1.39 KB), dkl: review+
- patch (1.41 KB), dkl: review+
During the generation of a dependency graph, the code for the HTML image map is also generated if a local dot installation is used. With HTML-escaped characters in a bug summary it is possible to inject custom lines into the *.map file, from which the CreateImagemap function generates HTML code without filtering.

PoC:
- configure Bugzilla to use a local dot installation to generate a dependency graph
- create a bug with the following summary: default "><script>alert(1)</script> G
- visit /showdependencygraph.cgi?id=<BUG-ID>&showsummary=on&display=tree&rankdir=TB; a JavaScript alert prompt will show up
Comment 1•9 years ago
Confirmed! Thanks for catching that.
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: XSS in showdependencygraph.cgi in image map of dependency graph → XSS in dependency graphs when displaying the bug summary
Target Milestone: --- → Bugzilla 4.2
Comment 2•9 years ago
The bug summary is escaped too late in the process, and DOT interprets as a newline character, which means that the bug summary is split into several lines in the .map file. The problem is that each line in a .map file is a new command and is executed by DOT. In this case, it was asked to print <script>...</script> into the HTML page, triggering XSS.
Assignee: dependency.views → LpSolit
Status: NEW → ASSIGNED
Attachment #8683094 -
Flags: review?(gerv)
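The mechanism described in the report and in comment 2, as an added example (not Bugzilla's own Perl code; written in Python so it runs stand-alone). It models the two properties that matter here: DOT decodes character references such as `&#10;` inside a label, and its image-map output is one entry per line, so a decoded line feed starts a new entry that a line-oriented reader then turns into HTML. The `simulate_dot_ismap` stand-in, the `default`/`rectangle` entry shapes, the `show_bug.cgi` URL prefix, the fixed coordinates and all function names are assumptions; the crafted summary is constructed to match the shape of the one in the report. The hardened path applies two independent controls (sanitize the summary before it enters DOT source; HTML-escape and validate every field read back from the map file) and adds an `audit_map` check that flags a map whose structure has been split by label text.

```python
"""Added example (not Bugzilla's code): a DOT-generated image map is one entry
per line, so a line break that reaches a node label splits the label across
entries, and a line-oriented reader that interpolates captured text into HTML
without escaping turns that into XSS. All names and formats here are assumed."""
import html
import re

# Constructed sample input. '&#10;' is an HTML character reference for line feed;
# the summary mimics the shape of the one in the report.
CRAFTED_SUMMARY = 'Harmless&#10;default "><script>alert(1)</script>&#10;G'
BUGS = {"101": "Normal bug summary", "102": CRAFTED_SUMMARY}

# Assumed DOT behaviour modelled by the simulator: character references in a
# label are decoded once, and the map output is one entry per line.
ENTITY_RE = re.compile(r"&(?:#(\d+)|(amp));")

def simulate_dot_ismap(bugs, label_for):
    """Stand-in for running dot with a server-side map output (assumed entry
    shapes: 'default URL' and 'rectangle (x1,y1) (x2,y2) URL label'; the
    coordinates are fixed dummies)."""
    def decode(m):
        return chr(int(m.group(1))) if m.group(1) else "&"
    lines = ["default show_bug.cgi"]
    for bug_id, summary in bugs.items():
        label = ENTITY_RE.sub(decode, label_for(summary))
        lines.append(f"rectangle (0,0) (60,20) show_bug.cgi?id={bug_id} {bug_id} {label}")
    return "\n".join(lines).split("\n")  # a decoded LF becomes a new entry

DEFAULT_RE = re.compile(r"^default ([^ ]*)(.*)$")
RECT_RE = re.compile(r"^rectangle \((\d+),(\d+)\) \((\d+),(\d+)\) ([^ ]*) (\d+)(.*)$")

def create_imagemap_vulnerable(lines):
    """Reader in the style the report describes: captured text is interpolated
    into HTML without escaping, so an injected 'default' entry lands in href."""
    areas, default = [], ""
    for line in lines:
        m = DEFAULT_RE.match(line)
        if m:
            default = f'<area alt="" shape="default" href="{m.group(1)}">'
            continue
        m = RECT_RE.match(line)
        if m:
            x1, y1, x2, y2, url, bug_id, _ = m.groups()
            areas.append(f'<area alt="bug {bug_id}" shape="rect" href="{url}" '
                         f'coords="{x1},{y1},{x2},{y2}">')
    return '<map name="imagemap">\n' + "\n".join(areas + [default]) + "\n</map>"

def dot_safe_summary(summary):
    """Control 1: sanitize before the text enters DOT source. Drop control
    characters (CR/LF included), neutralize character references so DOT cannot
    decode them into line breaks, and escape DOT's quote and backslash syntax."""
    cleaned = "".join(ch for ch in summary if ch.isprintable())
    cleaned = cleaned.replace("&", "&amp;")
    return cleaned.replace("\\", "\\\\").replace('"', '\\"')

def _q(s):
    return html.escape(s, quote=True)

def create_imagemap_hardened(lines, url_prefix="show_bug.cgi"):
    """Control 2: treat every field read back from the map file as untrusted.
    URLs must carry the prefix the generator itself emits, and free text is
    HTML-escaped on output (coordinates and bug ids are already \\d+ only)."""
    areas, default = [], ""
    for line in lines:
        m = DEFAULT_RE.match(line)
        if m:
            if m.group(1).startswith(url_prefix):
                default = f'<area alt="" shape="default" href="{_q(m.group(1))}">'
            continue
        m = RECT_RE.match(line)
        if m:
            x1, y1, x2, y2, url, bug_id, rest = m.groups()
            if not url.startswith(url_prefix):
                continue
            areas.append(f'<area alt="bug {bug_id}" title="{_q(rest.strip())}" shape="rect" '
                         f'href="{_q(url)}" coords="{x1},{y1},{x2},{y2}">')
    return '<map name="imagemap">\n' + "\n".join(areas + [default]) + "\n</map>"

def audit_map(lines):
    """Detection-side check on a generated map: exactly one 'default' entry and
    otherwise only 'rectangle' entries. Anything else means label text leaked
    into the file structure and the generator input should be inspected."""
    findings, defaults = [], 0
    for line in lines:
        if DEFAULT_RE.match(line):
            defaults += 1
            if defaults > 1:
                findings.append(f"extra default entry: {line!r}")
        elif not RECT_RE.match(line):
            findings.append(f"unparseable entry: {line!r}")
    return findings

if __name__ == "__main__":
    raw = simulate_dot_ismap(BUGS, lambda s: s)
    print("audit of unsanitized map:", audit_map(raw))
    print(create_imagemap_vulnerable(raw))
    print(create_imagemap_hardened(simulate_dot_ismap(BUGS, dot_safe_summary)))
```

Either control alone stops the injection shown on this page (the output escaping neutralizes the split entry, the input sanitizer prevents the split), which is why both belong in the fix: the map file sits between two programs and neither side should trust that the other preserved the line structure.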
Comment 3•9 years ago
Comment on attachment 8683094 [details] [diff] [review] patch for 5.0 and master, v1
Err... wrong patch.
Attachment #8683094 -
Attachment is obsolete: true
Attachment #8683094 -
Flags: review?(gerv)
Comment 4•9 years ago
Comment on attachment 8683094 [details] [diff] [review] patch for 5.0 and master, v1
Ah no, that is the correct one. :) I have one with some other minor improvements, but it shouldn't be part of a security patch.
Attachment #8683094 -
Attachment is obsolete: false
Attachment #8683094 -
Flags: review?(gerv)
Comment 5•9 years ago
Affects Bugzilla 2.6 and above. Dependency graphs did not exist in 2.4.
Comment 6•9 years ago
Comment on attachment 8683094 [details] [diff] [review] patch for 5.0 and master, v1
Review of attachment 8683094 [details] [diff] [review]:
r=gerv. Sorry this took so long.
Gerv
Attachment #8683094 -
Flags: review?(gerv) → review+
Comment 7•9 years ago
Bugzilla 4.2 reaches EOL in 9 days. Do we want to release a final 4.2.16 with this fix?
Flags: approval?
Flags: approval5.0?
Flags: approval4.4?
Flags: approval4.2?
Summary: XSS in dependency graphs when displaying the bug summary → [SECURITY] XSS in dependency graphs when displaying the bug summary
Comment 8•9 years ago
Should we discuss that at the meeting? It makes sense to me to do a final EOL release. Are there any other bugs which we might want to include? Gerv
Comment 9•9 years ago
(In reply to Gervase Markham [:gerv] from comment #8)
> Should we discuss that at the meeting? It makes sense to me to do a final
> EOL release. Are there any other bugs which we might want to include?

There have been no checkins on the 4.2 branch since 4.2.15. So there are no other pending checkins waiting to be released. I'm fine either way.
Comment 10•9 years ago
Backport for the 4.4 branch. It's the same code. Only a few context lines changed compared to master, which is why the patch for master didn't apply cleanly.
Attachment #8694662 -
Flags: review?(gerv)
Comment 11•9 years ago
4.2 still uses Bugzilla->user instead of $user. No other changes.
Attachment #8694665 -
Flags: review?(gerv)
Updated•9 years ago
Flags: sec-bounty?
Keywords: sec-critical, wsec-xss
Comment 13•9 years ago
(In reply to Daniel Veditz [:dveditz] from comment #12)
> Use CVE-2015-4503 for this bug.

When I click on the CVE link, I get a CVE for a different, unrelated issue. Is this correct or do we need a different CVE?
dkl
Flags: needinfo?(dveditz)
Comment 14•9 years ago
Bah! It's unlisted in our chart but was apparently assigned and then removed from bug 994337 (so my BMO search didn't show it used), but it's still in the published advisory. Do NOT use CVE-2015-4503 for this. I will find another.
Alias: CVE-2015-4503
Flags: needinfo?(dveditz)
Comment 16•9 years ago
To try to get a better handle on the bounty award amount, can someone comment on how often this configuration setup might be expected or appears in installations as default? Is it used on b.m.o as in a dependency graph like https://bugzilla.mozilla.org//showdependencygraph.cgi?id=1229721&showsummary=on&display=tree&rankdir=TB, so the only necessary step is to create a bug with the crafted summary and get it included in the dependency tree?
Comment 17•9 years ago
Comment on attachment 8694665 [details] [diff] [review] patch for 4.2, v1
Review of attachment 8694665 [details] [diff] [review]:
r=dkl
Attachment #8694665 -
Flags: review?(gerv) → review+
Comment 18•9 years ago
Comment on attachment 8694662 [details] [diff] [review] patch for 4.4, v1
Review of attachment 8694662 [details] [diff] [review]:
r=dkl
Attachment #8694662 -
Flags: review?(gerv) → review+
Updated•9 years ago
Flags: approval?
Flags: approval5.0?
Flags: approval5.0+
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval+
Comment 19•9 years ago
(In reply to chris hofmann from comment #16)
> so the only necessary step is to create a bug with the crafted summary and
> get it included in the dependency tree?

Yes. The dependency tree feature is a builtin feature of Bugzilla. It's always enabled. And there is no need to be logged in to view such a tree.
Comment 20•9 years ago
I agree with the sec-critical ranking.
Comment 21•9 years ago
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   eb1357f..e69201a  master -> master
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   396ae88..dc076ed  5.0 -> 5.0
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   fc5cdf3..5f7540c  4.4 -> 4.4
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   d87269e..49b2e90  4.2 -> 4.2
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
Group: bugzilla-security
Updated•8 years ago
Flags: sec-bounty? → sec-bounty+