Bug 1221518 (CVE-2015-8508)

[SECURITY] XSS in dependency graphs when displaying the bug summary

RESOLVED FIXED in Bugzilla 4.2

Status

Type: defect
Priority: --
Severity: major
Status: RESOLVED FIXED
Reported: 4 years ago
Modified: 2 years ago

People

(Reporter: hofusec, Assigned: LpSolit)

Tracking

Keywords: sec-critical, wsec-xss
Version: unspecified
Target Milestone: Bugzilla 4.2
Component: Dependency tree / graph
Bug Flags:
approval +
approval5.0 +
approval4.4 +
approval4.2 +
sec-bounty +

Attachments (3)

8683094: patch for 5.0 and master, v1
8694662: patch for 4.4, v1
8694665: patch for 4.2, v1

Reporter

Description

4 years ago
During the generation of a dependency graph, the code for the HTML image map is also generated if a local dot installation is used.
With HTML-escaped characters in a bug summary it is possible to inject custom lines into the *.map file, from which the CreateImagemap function generates HTML code without filtering.

poc:
- configure bugzilla to use a local dot installation to generate a dependency graph
- create a bug with the following summary: &#10;default "><script>alert(1)</script> G
- visit /showdependencygraph.cgi?id=<BUG-ID>&showsummary=on&display=tree&rankdir=TB, a javascript alert prompt will show up
Assignee

Comment 1

4 years ago
Confirmed! Thanks for catching that.
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: XSS in showdependencygraph.cgi in image map of dependency graph → XSS in dependency graphs when displaying the bug summary
Target Milestone: --- → Bugzilla 4.2
Assignee

Comment 2

4 years ago
The bug summary is escaped too late in the process, and DOT interprets &#10; as a newline character, which means that the bug summary is split into several lines in the .map file. The problem is that each line in a .map file is a new command and is executed by DOT. In this case, it was asked to print <script>...</script> into the HTML page, triggering XSS.
Assignee: dependency.views → LpSolit
Status: NEW → ASSIGNED
Attachment #8683094 - Flags: review?(gerv)
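The chain described in the report's PoC and in comment 2 (an `&#10;` entity that DOT expands to a newline, so the rest of the summary becomes its own `default` line in the .map file, which CreateImagemap then writes into `href=` unquoted), as an added Python model. This is not Bugzilla's code: the .map file is constructed by hand to look like `dot -Tismap` output for the PoC summary, the two regexes approximate CreateImagemap's line parser as assumed from the pre-fix 4.x showdependencygraph.cgi (check them against the actual tree), the hardened renderer and `dot_label` show the escape-early idea from comment 2 in the form I would write it rather than the committed patch, and the host name, coordinates and bug 1's summary are invented.

```python
import html
import re

# Bug summary from the PoC in the report. DOT expands the "&#10;" entity to a
# newline while laying out the label, so everything after it ends up on a line
# of its own in the ismap output.
POC_SUMMARY = '&#10;default "><script>alert(1)</script> G'

# Constructed sample (not captured from a real instance) of the .map file that
# `dot -Tismap` would write for a two-bug tree in which bug 2 carries
# POC_SUMMARY and the summary reached DOT unescaped. Coordinates, host name and
# the first summary are invented; the third line is the attacker's smuggled
# "default" command.
POISONED_MAP = (
    "rectangle (0,0) (120,30) https://bugzilla.example/show_bug.cgi?id=1 1 Parent bug\n"
    "rectangle (0,60) (120,90) https://bugzilla.example/show_bug.cgi?id=2 2 \n"
    'default "><script>alert(1)</script> G\n'
)
TITLES = {1: "Parent bug", 2: POC_SUMMARY}

# Line grammar of the ismap file as CreateImagemap reads it (assumed from the
# pre-fix 4.x showdependencygraph.cgi): one command per line.
DEFAULT_RE = re.compile(r"^default ([^ ]*)(.*)$")
RECT_RE = re.compile(r"^rectangle \((.*),(.*)\) \((.*),(.*)\) (http[^ ]*) (\d+)(.*)$")


def _parse_map(mapdata):
    """Yield ('default', href) or ('rect', (left, top, right, bottom, url, bugid))."""
    for line in mapdata.splitlines():
        m = DEFAULT_RE.match(line)
        if m:
            yield "default", m.group(1)
            continue
        m = RECT_RE.match(line)
        if m:
            yield "rect", m.groups()[:6]


def render_imagemap(mapdata, titles, quote):
    """Model of CreateImagemap. With quote=False the 'default' href and the
    rectangle fields are interpolated raw and only the tooltip title is
    html-quoted, which is the pre-fix behaviour; with quote=True every value
    taken from the .map file is HTML-escaped before it lands in an attribute."""
    esc = (lambda s: html.escape(s, quote=True)) if quote else (lambda s: s)
    areas, default = [], ""
    for kind, data in _parse_map(mapdata):
        if kind == "default":
            default = f'<area alt="" shape="default" href="{esc(data)}">\n'
        else:
            left, top, right, bottom, url, bugid = data
            title = html.escape(titles.get(int(bugid), ""), quote=True)
            areas.append(
                f'<area alt="bug {bugid}" name="bug{bugid}" shape="rect" '
                f'title="{title}" href="{esc(url)}" '
                f'coords="{esc(left)},{esc(top)},{esc(right)},{esc(bottom)}">\n'
            )
    return '<map name="imagemap">\n' + "".join(areas) + default + "</map>"


def create_imagemap_vulnerable(mapdata, titles):
    return render_imagemap(mapdata, titles, quote=False)


def create_imagemap_hardened(mapdata, titles):
    return render_imagemap(mapdata, titles, quote=True)


def dot_label(bug_id, summary):
    """Escape-early half of the fix: make the summary inert before DOT sees it.
    Backslash and double quote are escaped for DOT's quoted-string syntax,
    '&' becomes '&amp;' so entities such as '&#10;' are rendered literally
    rather than expanded to a newline, and real line breaks (Bugzilla rejects
    them on input, but be defensive) become spaces. The "id\\nsummary" label
    shape is an assumption of this example, not a quote of the project's code."""
    safe = summary.replace("\\", "\\\\").replace('"', '\\"').replace("&", "&amp;")
    safe = safe.replace("\r", " ").replace("\n", " ")
    return f'"{bug_id}\\n{safe}"'


if __name__ == "__main__":
    print("--- pre-fix CreateImagemap ---")
    print(create_imagemap_vulnerable(POISONED_MAP, TITLES))
    print("--- hardened CreateImagemap ---")
    print(create_imagemap_hardened(POISONED_MAP, TITLES))
    print("--- DOT label with escape-early ---")
    print(dot_label(2, POC_SUMMARY))
```

Running it prints the pre-fix map, whose last area reads `href=""><script>alert(1)</script>"`, next to the hardened map, where the same line is inert. The two defences are deliberately independent: escaping the summary before it enters the DOT source stops the newline from ever reaching the .map file, and quoting at render time means that even a line the parser did not expect cannot break out of an attribute.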
Assignee

Comment 3

4 years ago
Comment on attachment 8683094 [details] [diff] [review]
patch for 5.0 and master, v1

Err... wrong patch.
Attachment #8683094 - Attachment is obsolete: true
Attachment #8683094 - Flags: review?(gerv)
Assignee

Comment 4

4 years ago
Comment on attachment 8683094 [details] [diff] [review]
patch for 5.0 and master, v1

Ah no, that is the correct one. :) I have one with some other minor improvements, but it shouldn't be part of a security patch.
Attachment #8683094 - Attachment is obsolete: false
Attachment #8683094 - Flags: review?(gerv)
Assignee

Comment 5

4 years ago
Affects Bugzilla 2.6 and above. Dependency graphs did not exist in 2.4.
Comment on attachment 8683094 [details] [diff] [review]
patch for 5.0 and master, v1

Review of attachment 8683094 [details] [diff] [review]:
-----------------------------------------------------------------

r=gerv. Sorry this took so long.

Gerv
Attachment #8683094 - Flags: review?(gerv) → review+
Assignee

Comment 7

4 years ago
Bugzilla 4.2 reaches EOL in 9 days. Do we want to release a final 4.2.16 with this fix?
Flags: approval?
Flags: approval5.0?
Flags: approval4.4?
Flags: approval4.2?
Summary: XSS in dependency graphs when displaying the bug summary → [SECURITY] XSS in dependency graphs when displaying the bug summary

Comment 8

Should we discuss that at the meeting? It makes sense to me to do a final EOL release. Are there any other bugs which we might want to include?

Gerv
Assignee

Comment 9

4 years ago
(In reply to Gervase Markham [:gerv] from comment #8)
> Should we discuss that at the meeting? It makes sense to me to do a final
> EOL release. Are there any other bugs which we might want to include?

There have been no checkins on the 4.2 branch since 4.2.15. So there are no other pending checkins waiting to be released. I'm fine either way.
Assignee

Comment 10

4 years ago
Backport for the 4.4 branch. It's the same code. Only a few context lines changed compared to master, which is why the patch for master didn't apply cleanly.
Attachment #8694662 - Flags: review?(gerv)
Assignee

Comment 11

4 years ago
4.2 still uses Bugzilla->user instead of $user. No other changes.
Attachment #8694665 - Flags: review?(gerv)
Assignee

Updated

4 years ago
Blocks: 1229728
Flags: sec-bounty?
Comment 12

Use CVE-2015-4503 for this bug.
Alias: CVE-2015-4503
Blocks: 1229894
(In reply to Daniel Veditz [:dveditz] from comment #12)
> Use CVE-2015-4503 for this bug.

When I click on the CVE link, I get a CVE for a different un-related issue. Is this correct or do we need a different CVE? 

dkl
Flags: needinfo?(dveditz)
Bah! it's unlisted in our chart but was apparently assigned and then removed from bug 994337 (so my BMO search didn't show it used), but it's still in the published advisory. Do NOT use CVE-2015-4503 for this. I will find another.
Alias: CVE-2015-4503
Flags: needinfo?(dveditz)
Please use CVE-2015-8508
Alias: CVE-2015-8508

Comment 16

4 years ago
To try to get a better handle on the bounty award amount, can someone comment on how often this configuration setup might be expected or appears in installations by default?

Is it used on b.m.o, as in a dependency graph like

https://bugzilla.mozilla.org//showdependencygraph.cgi?id=1229721&showsummary=on&display=tree&rankdir=TB

so the only necessary step is to create a bug with the crafted summary and get it included in the dependency tree?
Comment on attachment 8694665 [details] [diff] [review]
patch for 4.2, v1

Review of attachment 8694665 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8694665 - Flags: review?(gerv) → review+
Comment on attachment 8694662 [details] [diff] [review]
patch for 4.4, v1

Review of attachment 8694662 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8694662 - Flags: review?(gerv) → review+
Flags: approval?
Flags: approval5.0?
Flags: approval5.0+
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval+
Assignee

Comment 19

4 years ago
(In reply to chris hofmann from comment #16)
> so the only necessary step is to create a bug with the crafted summary and
> get it included in the dependency tree?

Yes. The dependency tree feature is a built-in feature of Bugzilla. It's always enabled. And no need to be logged in to view such a tree.
I agree with the sec-critical ranking.
Assignee

Comment 21

4 years ago
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   eb1357f..e69201a  master -> master

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   396ae88..dc076ed  5.0 -> 5.0

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   fc5cdf3..5f7540c  4.4 -> 4.4

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   d87269e..49b2e90  4.2 -> 4.2
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Group: bugzilla-security
Flags: sec-bounty? → sec-bounty+