1221518 - (CVE-2015-8508) [SECURITY] XSS in dependency graphs when displaying the bug summary

Status: RESOLVED FIXED

(Bugzilla :: Dependency Views, defect)

Description

[Holger Fuhrmannek]

During the generation of a dependency graph also the code for the html image map is generated if a local dot installation is used.
With html escaped characters in a bug summary it is possible to inject custom lines in the *.map file with which the CreateImagemap function generates html code without filtering.

poc:
- configure bugzilla to use a local dot installation to generate a dependency graph
- create a bug with the following summary: &#10;default "><script>alert(1)</script> G
- visit /showdependencygraph.cgi?id=<BUG-ID>&showsummary=on&display=tree&rankdir=TB, a javascript alert prompt will show up

Comment 1

[Frédéric Buclin]

Confirmed! Thanks for catching that.

Comment 2

[Frédéric Buclin]

Attachment: patch for 5.0 and master, v1

The bug summary is escaped too late in the process, and DOT interprets &#10; as a newline character, which means that the bug summary is split into several lines in the .map file. The problem is that each line in a .map file is a new command and is executed by DOT. In this case, it was asked to print <script>...</script> into the HTML page, triggering XSS.

Comment 3

[Frédéric Buclin]

Comment on attachment 8683094 [details] [diff] [review]
patch for 5.0 and master, v1

Err... wrong patch.

Comment 4

[Frédéric Buclin]

Comment on attachment 8683094 [details] [diff] [review]
patch for 5.0 and master, v1

Ah no, that is the correct one. :) I have one with some other minor improvements, but it shouldn't be part of a security patch.

Comment 5

[Frédéric Buclin]

Affects Bugzilla 2.6 and above. Dependency graphs did not exist in 2.4.

Comment 6

[Gervase Markham [:gerv]]

Comment on attachment 8683094 [details] [diff] [review]
patch for 5.0 and master, v1

Review of attachment 8683094 [details] [diff] [review]:
-----------------------------------------------------------------

r=gerv. Sorry this took so long.

Gerv

Comment 7

[Frédéric Buclin]

Bugzilla 4.2 reaches EOL in 9 days. Do we want to release a final 4.2.16 with this fix?

Comment 8

[Gervase Markham [:gerv]]

Should we discuss that at the meeting? It makes sense to me to do a final EOL release. Are there any other bugs which we might want to include?

Gerv

Comment 9

[Frédéric Buclin]

(In reply to Gervase Markham [:gerv] from comment #8)
> Should we discuss that at the meeting? It makes sense to me to do a final
> EOL release. Are there any other bugs which we might want to include?

There have been no checkins on the 4.2 branch since 4.2.15. So there are no other pending checkins waiting to be released. I'm fine either way.

Comment 10

[Frédéric Buclin]

Attachment: patch for 4.4, v1

Backport for the 4.4 branch. It's the same code. Only a few context lines changed compared to master, which is why the patch for master didn't apply cleanly.

Comment 11

[Frédéric Buclin]

Attachment: patch for 4.2, v1

4.2 still uses Bugzilla->user instead of $user. No other changes.

Comment 12

[Daniel Veditz [:dveditz]]

Use CVE-2015-4503 for this bug.

Comment 13

[David Lawrence [:dkl]]

(In reply to Daniel Veditz [:dveditz] from comment #12)
> Use CVE-2015-4503 for this bug.

When I click on the CVE link, I get a CVE for a different un-related issue. Is this correct or do we need a different CVE? 

dkl

Comment 14

[Daniel Veditz [:dveditz]]

Bah! it's unlisted in our chart but was apparently assigned and then removed from bug 994337 (so my BMO search didn't show it used), but it's still in the published advisory. Do NOT use CVE-2015-4503 for this. I will find another.

Comment 15

[Daniel Veditz [:dveditz]]

Please use CVE-2015-8508

Comment 16

[chris hofmann]

to try to get a better handle on the bounty award amount can someone comment on how often this configuration set up might be expected or appears in installations as default?

is it used on b.m.o as in a dependency graph like

https://bugzilla.mozilla.org//showdependencygraph.cgi?id=1229721&showsummary=on&display=tree&rankdir=TB

so the only necessary step is to create a bug with the crafted summary and get it included in the dependency tree?

Comment 17

[David Lawrence [:dkl]]

Comment on attachment 8694665 [details] [diff] [review]
patch for 4.2, v1

Review of attachment 8694665 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

Comment 18

[David Lawrence [:dkl]]

Comment on attachment 8694662 [details] [diff] [review]
patch for 4.4, v1

Review of attachment 8694662 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

Comment 19

[Frédéric Buclin]

(In reply to chris hofmann from comment #16)
> so the only necessary step is to create a bug with the crafted summary and
> get it included in the dependency tree?

Yes. The dependency tree feature is a builtin feature of Bugzilla. It's always enabled. And no need to be logged in to view such as tree.

Comment 20

[Adam Muntner [:adamm] (use NEEDINFO)]

I agree with the sec-critical ranking.

Comment 21

[Frédéric Buclin]

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   eb1357f..e69201a  master -> master

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   396ae88..dc076ed  5.0 -> 5.0

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   fc5cdf3..5f7540c  4.4 -> 4.4

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   d87269e..49b2e90  4.2 -> 4.2