Closed Bug 1252219 Opened 8 years ago Closed 8 years ago

Attachment bounty form is vulnerable to CSRF and persistent XSS

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Production
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: jwkbugzilla, Assigned: dylan)

Details

(Keywords: sec-critical, wsec-csrf, wsec-xss)

Attachments

(1 file)

The creation of bounty attachments lacks CSRF protection. This means that somebody can lure people in the core-security group to a page containing the following code:

> <img src="https://bugzilla-dev.allizom.org/page.cgi?id=attachment_bounty_form.html&bug_id=1&reporter_email=trev.moz@adblockplus.org&amount_paid=&reported_date=&fixed_date=&awarded_date=&publish=1&credit_1=%22%3E%3Cscript%3ealert%28/xss/%29%3C/script%3E&submit=1">

Now I don't know whether manipulating these attachments can be used to get a bounty to be paid twice for the same issue (should I try? :). What they can definitely be used for however is persistent XSS - none of the fields on attachment_bounty_form.html are being escaped. So the link above will add an XSS payload to the page which executes whenever somebody with sufficient privileges opens https://bugzilla-dev.allizom.org/page.cgi?id=attachment_bounty_form.html&bug_id=1.

Taking this as I wrote the code in question.
Assignee: nobody → dylan

(In reply to Wladimir Palant from comment #0)
> The creation of bounty attachments lacks CSRF protection. This means that
> somebody can lure people in the core-security group to a page containing the

it's not core-security, but the bounty-team. A small point, to be sure.
I'm also changing the logic of "is bounty attachment" to include "attacher is a member of the bounty team".
Non-bounty-team members couldn't be the attachers already (just requiring the CSRF), but I didn't like that oversight either.

Attached patch 1252219_1.patch (Splinter Review)
Attachment #8724934 - Flags: review?(dkl)
Flags: sec-bounty?
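The following is an added example, not Bugzilla's code or the patch attached here. It models the bounty form handler as comment 0 describes it (a GET with submit=1 creates the record, no token, values stored and rendered verbatim) beside a hardened handler that applies the fixes the thread discusses: the state change must be a POST carrying a per-session CSRF token, the attacher must be a bounty-team member (comment 2), and every stored value is HTML-escaped on output. `Request`, `issue_csrf_token`, the session layout and the `FIELDS` list are constructed stand-ins for Bugzilla's CGI and session objects; the only page-derived input is the `<img src>` URL from comment 0, which is parsed but never fetched.

```python
"""Added example, not Bugzilla's own code: the vulnerable bounty-form
handler from comment 0 beside a hardened version. Request, FIELDS and the
session dict are constructed stand-ins for Bugzilla's CGI/session objects."""
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlsplit

# Form fields, taken from the query string in comment 0.
FIELDS = ("bug_id", "reporter_email", "amount_paid", "reported_date",
          "fixed_date", "awarded_date", "publish", "credit_1")

# The <img src> URL from comment 0, used here only as parser input.
ATTACK_URL = (
    "https://bugzilla-dev.allizom.org/page.cgi?id=attachment_bounty_form.html"
    "&bug_id=1&reporter_email=trev.moz@adblockplus.org&amount_paid="
    "&reported_date=&fixed_date=&awarded_date=&publish=1"
    "&credit_1=%22%3E%3Cscript%3ealert%28/xss/%29%3C/script%3E&submit=1"
)


class Request:
    """Constructed stand-in for a CGI request: method, merged query/body
    parameters, and the caller's server-side session (user, groups, token).
    A cross-site <img> GET carries the victim's cookies, hence their session."""

    def __init__(self, method, url, session, body=None):
        self.method = method
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        self.params = {k: v[0] for k, v in query.items()}
        self.params.update(body or {})
        self.session = session


def issue_csrf_token(session):
    """Mint a per-session token; the legitimate form embeds it as a hidden field."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def create_bounty_vulnerable(req, store):
    """Pre-fix behaviour: any request with submit=1 creates the record. No
    method check, no token, no group check, values stored verbatim."""
    if req.params.get("submit") != "1":
        return None
    record = {f: req.params.get(f, "") for f in FIELDS}
    record["attacher"] = req.session["user"]
    store.append(record)
    return record


def render_vulnerable(record):
    """Pre-fix rendering: field values interpolated into the form unescaped."""
    return "".join(f'<input name="{f}" value="{record[f]}">' for f in FIELDS)


def create_bounty_hardened(req, store):
    """Post-fix behaviour. Returns ("created", record) or ("rejected", why).
    The checks are ordered so the cheapest rejection comes first."""
    if req.params.get("submit") != "1":
        return ("rejected", "no submit")
    if req.method != "POST":
        return ("rejected", "bounty creation must be a POST")
    token = req.params.get("token", "")
    expected = req.session.get("csrf_token", "")
    # Constant-time compare; an <img src> GET cannot supply the session token.
    if not expected or not hmac.compare_digest(token, expected):
        return ("rejected", "missing or invalid CSRF token")
    if "bounty-team" not in req.session.get("groups", ()):
        return ("rejected", "attacher is not a bounty-team member")
    record = {f: req.params.get(f, "") for f in FIELDS}
    record["attacher"] = req.session["user"]
    store.append(record)
    return ("created", record)


def render_hardened(record):
    """Post-fix rendering: every value escaped, quotes included, so a stored
    '">' cannot close the attribute and start a <script> element."""
    return "".join(
        f'<input name="{f}" value="{html.escape(record[f], quote=True)}">'
        for f in FIELDS
    )


if __name__ == "__main__":
    # Constructed victim session: logged in and in both groups comment 5 names.
    victim = {"user": "member@example.invalid",
              "groups": {"bounty-team", "core-security"}}
    store = []
    rec = create_bounty_vulnerable(Request("GET", ATTACK_URL, victim), store)
    print("vulnerable render:", render_vulnerable(rec))
    print("hardened render:  ", render_hardened(rec))
    print(create_bounty_hardened(Request("GET", ATTACK_URL, victim), []))
    token = issue_csrf_token(victim)
    print(create_bounty_hardened(
        Request("POST", ATTACK_URL, victim, {"token": token}), [])[0])
```

Run stand-alone, the script shows the same URL producing a stored `"><script>alert(/xss/)</script>` and a live `<script>` element in the vulnerable path, while the hardened path rejects the GET outright and, once a real POST with the session token from a bounty-team member gets through, renders the value as `&quot;&gt;&lt;script&gt;…`. Escaping on output rather than filtering on input is deliberate: the record still holds whatever was submitted, which keeps the audit trail intact, and the escape is applied at the one place the value becomes HTML.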

Comment on attachment 8724934 [details] [diff] [review]
1252219_1.patch

Review of attachment 8724934 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8724934 - Flags: review?(dkl) → review+

(In reply to Dylan William Hardison [:dylan] from comment #2)
> it's not core-security, but the bounty-team.

Both actually - bounty-team to use the link, core-security (or whatever default security group is configured for the component) to actually add the attachment. Yes, it's a minor detail.

To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   1d3186c..4d95649  master -> master
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: bugzilla-security
Flags: sec-bounty? → sec-bounty+
See Also: → 1455772
Component: Extensions: BMO → Extensions