Closed Bug 1252210 Opened 8 years ago Closed 8 years ago

AntiSpam configuration is vulnerable to CSRF and persistent XSS

Categories

(bugzilla.mozilla.org :: Extensions, defect)

RESOLVED FIXED

People

(Reporter: jwkbugzilla, Assigned: dylan)

Details

(Keywords: sec-critical, wsec-xss)

Attachments

(1 file)

AntiSpam extension uses the EditTable extension for its configuration. The latter doesn't use any CSRF tokens however so that anybody can trick Bugzilla admins into changing configuration. The actual attack would most likely work by luring Bugzilla admins on a page containing the following code:

> <img src="https://bugzilla-dev.allizom.org/page.cgi?id=edit_table.html&table=antispam_domain_blocklist&table_data={%22data%22:[[%22-%22,%22%3C/script%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E%22,%22%22]]}">

This particular link will add a new entry to the domain blocklist - invisibly, in the background. It could just as easily mess with blocked IP ranges or remove all table entries by sending a list like [[-1],[-2],[-3],...] to remove entries with ID 1, 2, 3 etc.

What's even worse, this page is vulnerable to XSS, something that the URL above illustrates. The table data will be inserted as JSON into a script without further validation, if it contains something like "</script></script>alert(/xss/)</script>" that code will execute for anybody who opens the page later - persistent XSS vulnerability.
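The two defects the report describes, as an added illustration that is not part of the bug or of the BMO patch: JSON pasted verbatim into a script block is terminated early by an end tag inside the data, whereas keeping the data out of executable context and escaping the angle brackets leaves the tokenizer nothing to match; the CSRF helper is a generic session-bound token check, assumed here, not Bugzilla's own implementation.

```python
import hmac
import json

# Constructed sample row: the reporter's domain column value from the report.
TABLE_DATA = {"data": [["-", "</script><script>alert(/xss/)</script>", ""]]}


def render_unsafe(table_data):
    """The pattern the report describes: JSON inlined into a <script>.
    The HTML tokenizer ends the script element at the first '</script'
    it sees, even inside a JS string literal, so the rest is parsed as markup."""
    return "<script>var table = " + json.dumps(table_data) + ";</script>"


def render_safe(table_data):
    """Hardened variant (an assumption, not the BMO fix): data goes into a
    non-executable JSON block and '<', '>' and '&' are JSON-escaped, so no
    end tag can appear in the element body. The client reads the element's
    textContent and calls JSON.parse on it."""
    encoded = (json.dumps(table_data)
               .replace("&", "\\u0026")
               .replace("<", "\\u003c")
               .replace(">", "\\u003e"))
    return '<script type="application/json" id="table-data">' + encoded + "</script>"


def decode_safe(html):
    """What JSON.parse(el.textContent) yields on the client side."""
    start = html.index(">") + 1
    return json.loads(html[start:html.rindex("</script>")])


def script_breaks_out(html):
    """True if the element body contains an end tag before the intended one,
    i.e. the embedded data terminates the script element early."""
    body = html[html.index(">") + 1:]
    return body.lower().count("</script") > 1


def new_csrf_token(session_secret, user_id):
    # Bind the token to the server-side session; a cross-site <img> request
    # cannot read or guess it, so the table edit cannot be forged.
    return hmac.new(session_secret, str(user_id).encode(), "sha256").hexdigest()


def check_csrf(session_secret, user_id, submitted):
    expected = new_csrf_token(session_secret, user_id)
    return hmac.compare_digest(expected, submitted or "")
```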
Taking this since it is my watch day.
Assignee: nobody → dylan
Depends on: 935570
Attached patch 1252210_1.patch
No more inline json, and CSRF tokens.
Attachment #8724962 - Flags: review?(dkl)
Flags: sec-bounty?
Comment on attachment 8724962 [details] [diff] [review]
1252210_1.patch

Review of attachment 8724962 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8724962 - Flags: review?(dkl) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   e5b9aa6..085c24c  master -> master
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: bugzilla-security
Flags: sec-bounty? → sec-bounty+
Component: Extensions: AntiSpam → Extensions