XSS possible in extensions calling global/tabs.html.tmpl if tab.link is user-controlled

RESOLVED FIXED in Bugzilla 4.4

Status

Product: Bugzilla
Component: User Interface
Status: RESOLVED FIXED
Reported: a year ago
Modified: 3 months ago
People

(Reporter: Andrew, Assigned: dylan)

Tracking

Keywords: sec-moderate, wsec-xss
Version: 2.23.4
Target Milestone: Bugzilla 4.4
Bug Flags:
approval +
approval5.0 +
approval4.4 +
sec-bounty +

Attachments (2 attachments)

(Reporter)

Description

a year ago
Created attachment 8721954: 2016-02-22-140649.png

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36

Steps to reproduce:

Hi,
I would like to report a cross-site scripting vulnerability.

Steps to reproduce:
1. Navigate to: https://bugzilla.mozilla.org/page.cgi?id=productdashboard.html&product=Participation%20Infrastructure&tab=components&bug_status=%27-prompt(%27xss%27)-%27
2. Switch to any tab ("Recents", "Components/Versions", "Duplicates", etc.)


Actual results:

JavaScript gets executed.


Expected results:

JavaScript must not be executed :)

Comment 1

a year ago
Confirmed. BMO-specific.
Assignee: general → nobody
Status: UNCONFIRMED → NEW
Component: Bugzilla-General → Extensions: ProductDashboard
Ever confirmed: true
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Version: unspecified → Production
(Assignee)

Comment 2

a year ago
Very unfortunate. :(

I think this is the fault of global/tabs.html.tmpl.
I think that is only used by productdashboard and the search tabs. Search tabs do not allow user-generated content into the tabs array.

I note that global/tabs.html.tmpl exists in the filterexceptions.pl -- which I think adds insult to injury.

Working on a fix next.
Assignee: nobody → dylan
(Assignee)

Updated

a year ago
Summary: XSS in page.cgi (bug_status parameter) → XSS in Product Dashboard (bug_status parameter)
(Assignee)

Comment 3

a year ago
Created attachment 8721968: 1250114_1.patch

filterexceptions isn't the cause of this error. The value in question was already filtered -- for HTML content.
We need to filter tabs.link for JS and then for HTML.

Alternatively, we could remove the onclick handler, as it seems to be pretty useless.
Attachment #8721968 - Flags: review?(dkl)
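
The point made in comment 3 (the value was already HTML-filtered, but it sits inside a JS string literal inside an onclick attribute, so it needs the JS filter first and the HTML filter second) is easy to get wrong, so here is an added worked example. It is not code from Bugzilla or from the patch: the template shape is an assumption modelled on what global/tabs.html.tmpl does with tab.link, and the htmlEscape/jsStringEscape functions are this example's own, not Template Toolkit's html/js filters. The "browser" side decodes the attribute and tokenizes the handler the way a real browser would, which is what shows why entity-encoding the quotes does not help.

```javascript
// Added example (not Bugzilla code): why "filter for HTML" alone does not protect a value
// placed inside an onclick="" handler, and why the fix is "filter for JS, then for HTML".
// Template shape and escaping functions are this example's own assumptions.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const HTML_UNESCAPES = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };

// HTML context: make the value safe as attribute content or text.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JS string-literal context: neutralise quotes and backslashes so the literal cannot be closed early.
function jsStringEscape(s) {
  return String(s).replace(/[\\'"\n\r<>\u2028\u2029]/g, (c) => {
    switch (c) {
      case "\\": return "\\\\";
      case "'":  return "\\'";
      case '"':  return '\\"';
      case "\n": return "\\n";
      case "\r": return "\\r";
      case "<":  return "\\x3c";   // keeps "</script>" from terminating an inline script
      case ">":  return "\\x3e";
      default:   return "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0");
    }
  });
}

// Renders one tab link. fixed=false is the pre-patch situation: tab.link goes through the
// HTML filter only. fixed=true applies the JS filter first, then the HTML filter.
function renderTab(link, fixed) {
  const forHandler = fixed ? jsStringEscape(link) : link;
  return `<a href="${htmlEscape(link)}" onclick="location.href='${htmlEscape(forHandler)}'; return false;">tab</a>`;
}

// What the browser does: the attribute value is entity-decoded *before* the JS parser sees it,
// so &#39; becomes a real quote again. That is why HTML escaping alone cannot help here.
function onclickSource(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  return m[1].replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => HTML_UNESCAPES[e]);
}

// Minimal tokenizer for the handler: read the single-quoted literal after `location.href='`.
// Returns the decoded literal if the handler still has the template's intended shape,
// or null if the literal was closed early (attacker-controlled code now follows it).
function parseHandler(js) {
  const prefix = "location.href='";
  const suffix = "'; return false;";
  if (!js.startsWith(prefix)) return null;
  let i = prefix.length;
  let literal = "";
  while (i < js.length && js[i] !== "'") {
    if (js[i] === "\\") {
      const n = js[i + 1];
      if (n === "x")      { literal += String.fromCharCode(parseInt(js.slice(i + 2, i + 4), 16)); i += 4; }
      else if (n === "u") { literal += String.fromCharCode(parseInt(js.slice(i + 2, i + 6), 16)); i += 6; }
      else                { literal += { n: "\n", r: "\r" }[n] || n; i += 2; }
    } else {
      literal += js[i];
      i += 1;
    }
  }
  return js.slice(i) === suffix ? literal : null;
}

// Constructed input: the bug_status value from the report's reproduction URL, URL-decoded.
const PAYLOAD = "'-prompt('xss')-'";

function demo(link = PAYLOAD) {
  return {
    htmlOnly:   parseHandler(onclickSource(renderTab(link, false))), // null: literal closed early, prompt() would run
    jsThenHtml: parseHandler(onclickSource(renderTab(link, true))),  // the payload survives as an inert string
  };
}

console.log(demo());
```

Running it shows the HTML-only rendering produces `onclick="location.href='&#39;-prompt(&#39;xss&#39;)-&#39;'; …"`, which the browser decodes back to `location.href=''-prompt('xss')-''` before executing. With the JS filter applied first the quotes reach the JS parser as `\'`, and the literal closes only where the template closes it. The order matters: filtering for HTML first and then for JS would backslash-escape the entity text rather than the quote characters.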
Comment on attachment 8721968 (1250114_1.patch)

Review of attachment 8721968:
-----------------------------------------------------------------

r=glob
Attachment #8721968 - Flags: review?(dkl) → review+
(Assignee)

Updated

a year ago
Component: Extensions: ProductDashboard → User Interface
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Summary: XSS in Product Dashboard (bug_status parameter) → XSS in global/tabs.html.tmpl (tab.link not filtered correctly)
Target Milestone: --- → Bugzilla 5.0
Version: Production → 4.2
Flags: sec-bounty?
(Assignee)

Updated

a year ago
Blocks: 1250129

Comment 5

a year ago
This bug has been introduced by bug 321556 in 2.23.4.
Status: NEW → ASSIGNED
Depends on: 321556
Flags: blocking5.0.3?
Flags: blocking4.4.12?
Flags: approval?
Flags: approval5.0?
Flags: approval4.4?
Summary: XSS in global/tabs.html.tmpl (tab.link not filtered correctly) → [SECURITY] XSS in global/tabs.html.tmpl (tab.link not filtered correctly)
Target Milestone: Bugzilla 5.0 → Bugzilla 4.4
Version: 4.2 → 2.23.4
Yeah, filterexceptions can tell if values are filtered, but it can't tell if they are filtered the right way :-| Not sure if we'd be able to make it that smart.

Gerv
(Assignee)

Comment 7

a year ago
We definitely cannot -- but we can prevent this and future bugs by having a good CSP policy.
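
The CSP remark above is worth making concrete. The sink in this bug is an inline onclick="" handler, and browsers only execute such handlers when the page's Content-Security-Policy permits them. The checker below is an added example written for this page, not Bugzilla code: it parses a policy header and reports whether inline event handlers may run, using the CSP3 fallback order (script-src-attr, then script-src, then default-src) and the CSP2+ rule that 'unsafe-inline' is ignored when the same directive also carries a nonce- or sha*- source. Hash-allowlisted handlers via 'unsafe-hashes' are not modelled. The two policies at the bottom are constructed for comparison.

```javascript
// Added example (not Bugzilla code): does this Content-Security-Policy let inline event
// handlers such as onclick="" run at all?  Lookup order per CSP3: script-src-attr,
// then script-src, then default-src.  'unsafe-inline' permits them unless the same
// directive also carries a nonce- or sha256/384/512- source, in which case it is ignored.

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    // CSP: when a directive is repeated, the first occurrence wins and later ones are ignored.
    if (!directives.has(key)) directives.set(key, sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

function allowsInlineHandlers(header) {
  const policy = parsePolicy(header);
  const governing = ["script-src-attr", "script-src", "default-src"].find((d) => policy.has(d));
  if (!governing) return true;                      // nothing restricts script: handlers run
  const sources = policy.get(governing);
  const nonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !nonceOrHash;
}

// Constructed policies: the first still lets an injected handler execute, the second does not.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-d2f8a1'; script-src-attr 'none'";

console.log("weak allows inline handlers:", allowsInlineHandlers(WEAK_CSP));
console.log("strict allows inline handlers:", allowsInlineHandlers(STRICT_CSP));
```

Under the strict policy the injected `prompt('xss')` becomes a CSP violation report instead of script execution. The same policy also disables the template's legitimate onclick, which is consistent with comment 3's alternative of dropping the handler: the navigation has to move into an external (nonce-allowed) script or go away entirely.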

Comment 8

a year ago
Actually, this is not a security bug, as in a vanilla Bugzilla installation we only have two places where we call global/tabs.html.tmpl, and none of them passes user-controlled data to tabs. So this is rather a security improvement. No need for a secadv, meaning that it can be checked in immediately (after the appropriate a+, of course).
Flags: blocking5.0.3?
Flags: blocking4.4.12?
Summary: [SECURITY] XSS in global/tabs.html.tmpl (tab.link not filtered correctly) → XSS possible in extensions calling global/tabs.html.tmpl if tab.link is user-controlled
Flags: approval?
Flags: approval5.0?
Flags: approval5.0+
Flags: approval4.4?
Flags: approval4.4+
Flags: approval+

Updated

a year ago
Blocks: 1258124
(Assignee)

Comment 9

a year ago
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   ee24e1e..01ad7ac  4.4 -> 4.4
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   6c705e8..a59f1e9  5.0 -> 5.0
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   a35c986..54f8e93  master -> master
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty+
Keywords: sec-moderate, wsec-xss

Updated

a year ago
Group: bugzilla-security