Assignee: general → nobody
Status: UNCONFIRMED → NEW
Component: Bugzilla-General → Extensions: ProductDashboard
Ever confirmed: true
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Version: unspecified → Production
Very unfortunate. :( I think this is the fault of global/tabs.html.tmpl. I think that is only used by productdashboard and the search tabs. Search tabs do not allow user-generated content into the tabs array. I note that global/tabs.html.tmpl exists in the filterexceptions.pl -- which I think adds insult to injury. Working on a fix next.
Assignee: nobody → dylan
Summary: XSS in page.cgi (bug_status parameter) → XSS in Product Dashboard (bug_status parameter)
filterexceptions isn't the cause of this error. The value in question was already filtered -- for HTML content. We need to filter tabs.link for JS and then for HTML. Alternatively, we could remove the onclick handler, as it seems to be pretty useless.
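The comment above describes the fix as filtering `tab.link` for JS first and then for HTML. The following added example (constructed for this page; it is not Bugzilla's code and its `js_escape`/`html_escape` helpers are simplified stand-ins for the template `js` and `html` filters, with `navigate` as a hypothetical handler name) renders the `onclick` attribute three ways and simulates the browser's decoding order, HTML attribute decoding first and JS string parsing second, to show why only the JS-then-HTML order keeps the string literal intact:

```python
"""Constructed example: escaping order for a value placed inside
onclick="navigate('VALUE')". Not Bugzilla's code."""
import html
import re

# Constructed sample value: a single apostrophe is enough to end a
# single-quoted JS string literal if it reaches the JS parser unescaped.
SAMPLE_LINK = "page.cgi?id=dashboard&bug_status=O'Reilly"


def js_escape(value: str) -> str:
    """Minimal JS string-literal escape (simplified stand-in for a template
    'js' filter): backslash, both quotes, slash and line breaks."""
    out = []
    for ch in value:
        if ch in "\\'\"/":
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        else:
            out.append(ch)
    return "".join(out)


def html_escape(value: str) -> str:
    """HTML attribute escape (stand-in for a template 'html' filter)."""
    return html.escape(value, quote=True)


def render_tab(link: str, attr_value: str) -> str:
    """Render the anchor; attr_value is the already-escaped onclick argument."""
    return ('<a href="%s" onclick="navigate(\'%s\')">tab</a>'
            % (html_escape(link), attr_value))


def render_html_only(link: str) -> str:
    """The buggy pattern: the HTML filter alone."""
    return render_tab(link, html_escape(link))


def render_html_then_js(link: str) -> str:
    """Both filters, but in the wrong order."""
    return render_tab(link, js_escape(html_escape(link)))


def render_js_then_html(link: str) -> str:
    """The fix described in the comment: JS filter first, then HTML filter."""
    return render_tab(link, html_escape(js_escape(link)))


_ONCLICK = re.compile(r'onclick="([^"]*)"')


def js_argument(rendered: str):
    """Simulate the browser: HTML-decode the onclick attribute value, then
    parse the JS string literal inside navigate('...'). Returns the decoded
    argument if the literal is intact and followed only by ')', else None."""
    m = _ONCLICK.search(rendered)
    if not m:
        return None
    script = html.unescape(m.group(1))      # step 1: attribute value decoding
    prefix = "navigate('"
    if not script.startswith(prefix):
        return None
    chars, i = [], len(prefix)
    while i < len(script):                  # step 2: JS string literal parsing
        ch = script[i]
        if ch == "\\" and i + 1 < len(script):
            nxt = script[i + 1]
            chars.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        elif ch == "'":
            return "".join(chars) if script[i + 1:] == ")" else None
        else:
            chars.append(ch)
            i += 1
    return None                             # literal never closed


if __name__ == "__main__":
    for name, render in (("html only", render_html_only),
                         ("html then js", render_html_then_js),
                         ("js then html", render_js_then_html)):
        print("%-13s -> %r" % (name, js_argument(render(SAMPLE_LINK))))
```

The HTML-only and HTML-then-JS renderings both fail because the browser decodes `&#x27;` back to a raw apostrophe before the JS parser sees the attribute; escaping in the reverse order of decoding (JS first, HTML second) is what survives both steps.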
Attachment #8721968 - Flags: review?(dkl)
Comment on attachment 8721968: 1250114_1.patch
Review of attachment 8721968:
-----------------------------------------------------------------
r=glob
Attachment #8721968 - Flags: review?(dkl) → review+
Component: Extensions: ProductDashboard → User Interface
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Summary: XSS in Product Dashboard (bug_status parameter) → XSS in global/tabs.html.tmpl (tab.link not filtered correctly)
Target Milestone: --- → Bugzilla 5.0
Version: Production → 4.2
This bug has been introduced by bug 321556 in 2.23.4.
Status: NEW → ASSIGNED
Depends on: 321556
Summary: XSS in global/tabs.html.tmpl (tab.link not filtered correctly) → [SECURITY] XSS in global/tabs.html.tmpl (tab.link not filtered correctly)
Target Milestone: Bugzilla 5.0 → Bugzilla 4.4
Version: 4.2 → 2.23.4
Yeah, filterexceptions can tell if values are filtered, but it can't tell if they are filtered the right way :-| Not sure if we'd be able to make it that smart. Gerv
We definitely cannot -- but we can prevent this and future bugs by having a good CSP policy.
Actually, this is not a security bug as in a vanilla Bugzilla installation we only have two places where we call global/tabs.html.tmpl, and none of them passes user-controlled data to tabs. So this is rather a security improvement. No need for a secadv, meaning that it can be checked in immediately (after appropriate a+, of course).
Summary: [SECURITY] XSS in global/tabs.html.tmpl (tab.link not filtered correctly) → XSS possible in extensions calling global/tabs.html.tmpl if tab.link is user-controlled
To ssh://firstname.lastname@example.org/bugzilla/bugzilla.git
   ee24e1e..01ad7ac  4.4 -> 4.4
To ssh://email@example.com/bugzilla/bugzilla.git
   6c705e8..a59f1e9  5.0 -> 5.0
To ssh://firstname.lastname@example.org/bugzilla/bugzilla.git
   a35c986..54f8e93  master -> master
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty+
Keywords: sec-moderate, wsec-xss