Closed
Bug 1252219
Opened 8 years ago
Closed 8 years ago
Attachment bounty form is vulnerable to CSRF and persistent XSS
Categories: bugzilla.mozilla.org :: Extensions, defect
Status: RESOLVED FIXED
People: Reporter: jwkbugzilla, Assigned: dylan
Keywords: sec-critical, wsec-csrf, wsec-xss
Attachments (1 file): patch, 5.42 KB, review+ from dkl
Description (Reporter, 8 years ago)

The creation of bounty attachments lacks CSRF protection. This means that somebody can lure people in the core-security group to a page containing the following code:

> <img src="https://bugzilla-dev.allizom.org/page.cgi?id=attachment_bounty_form.html&bug_id=1&reporter_email=trev.moz@adblockplus.org&amount_paid=&reported_date=&fixed_date=&awarded_date=&publish=1&credit_1=%22%3E%3Cscript%3ealert%28/xss/%29%3C/script%3E&submit=1">

Now I don't know whether manipulating these attachments can be used to get a bounty to be paid twice for the same issue (should I try? :). What they can definitely be used for however is persistent XSS - none of the fields on attachment_bounty_form.html are being escaped. So the link above will add an XSS payload to the page which executes whenever somebody with sufficient privileges opens https://bugzilla-dev.allizom.org/page.cgi?id=attachment_bounty_form.html&bug_id=1.
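As an added illustration of the two defects described in the report (this is stand-alone example code, not Bugzilla's code and not the patch attached to this bug), the Python below models a minimal "bounty attachment" page in two shapes. The vulnerable shape accepts the state change from any request carrying submit=1, so the quoted <img> GET creates the record, and it renders the stored fields unescaped, so the credit_1 payload becomes persistent XSS. The hardened shape requires POST plus a session- and event-bound CSRF token and HTML-escapes every field on output. The field list, the HMAC token scheme, the session id and the handler names are assumptions made for the example; the query string is the one quoted in the report.

```python
"""Added example: vulnerable vs hardened handling of a form like
attachment_bounty_form.html. Not Bugzilla code; names and the token
scheme are assumptions for this illustration."""
import hashlib
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlsplit

# Per-process secret used to derive tokens. A real application binds the
# token to the user's session record instead (assumption for this example).
_SERVER_SECRET = secrets.token_bytes(32)
EVENT = "attachment_bounty_form"

# Attack URL from the report; only the query string matters here.
ATTACK_URL = ("https://bugzilla-dev.allizom.org/page.cgi?id=attachment_bounty_form.html"
              "&bug_id=1&reporter_email=trev.moz@adblockplus.org&amount_paid="
              "&reported_date=&fixed_date=&awarded_date=&publish=1"
              "&credit_1=%22%3E%3Cscript%3ealert%28/xss/%29%3C/script%3E&submit=1")

# Assumed field list for the form.
FIELDS = ("reporter_email", "amount_paid", "reported_date", "fixed_date",
          "awarded_date", "publish", "credit_1")


def params_from_url(url: str) -> dict:
    """Flatten the query string the way a CGI handler sees it (percent-decoded)."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in q.items()}


def issue_token(session_id: str, event: str) -> str:
    """Token bound to one session and one form; emitted as a hidden field."""
    msg = f"{session_id}:{event}".encode()
    return hmac.new(_SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def check_token(session_id: str, event: str, token) -> bool:
    """Constant-time check; a missing token is a failure, not an exception."""
    return bool(token) and hmac.compare_digest(issue_token(session_id, event), token)


# ---- vulnerable shape: what the report describes --------------------------

def vulnerable_submit(method: str, params: dict, store: dict):
    """The request method is never consulted: an <img> GET with submit=1 is
    enough to create the attachment, and the fields are stored verbatim."""
    if params.get("submit") != "1":
        return 200, "form"
    store[params["bug_id"]] = {f: params.get(f, "") for f in FIELDS}
    return 200, "created"


def vulnerable_render(store: dict, bug_id: str) -> str:
    """Stored values are interpolated into attributes unescaped: persistent XSS."""
    att = store[bug_id]
    return "".join(f'<input name="{f}" value="{att[f]}">' for f in FIELDS)


# ---- hardened shape --------------------------------------------------------

def hardened_submit(method: str, params: dict, session_id: str, store: dict):
    """State changes only via POST carrying a valid token for this session/event."""
    if params.get("submit") != "1":
        return 200, "form"
    if method != "POST":
        return 405, "state change requires POST"
    if not check_token(session_id, EVENT, params.get("token")):
        return 403, "missing or invalid CSRF token"
    store[params["bug_id"]] = {f: params.get(f, "") for f in FIELDS}
    return 200, "created"


def hardened_render(store: dict, bug_id: str) -> str:
    """Every value is escaped for an HTML attribute context on output."""
    att = store[bug_id]
    return "".join(
        f'<input name="{f}" value="{html.escape(att[f], quote=True)}">' for f in FIELDS)


def demo() -> dict:
    """Replay the reported payload against both shapes and collect the outcomes."""
    p = params_from_url(ATTACK_URL)
    victim = "victim-session"  # assumed session id of the lured user

    vuln_store = {}
    vulnerable_submit("GET", p, vuln_store)          # succeeds from a cross-site <img>
    vuln_html = vulnerable_render(vuln_store, "1")

    hard_store = {}
    blind_get = hardened_submit("GET", p, victim, hard_store)
    no_token = hardened_submit("POST", p, victim, hard_store)
    with_token = hardened_submit("POST", {**p, "token": issue_token(victim, EVENT)},
                                 victim, hard_store)
    hard_html = hardened_render(hard_store, "1")
    return {"vuln_html": vuln_html, "blind_get": blind_get[0], "no_token": no_token[0],
            "with_token": with_token[0], "hard_html": hard_html}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The two checks are independent: the token alone would not stop the stored script from firing for the next bounty-team member who opens the page, and escaping alone would still let a lured user's session be made to create attachments.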
Comment 1 (Assignee, 8 years ago)
Taking this as I wrote the code in question.
Assignee: nobody → dylan
Comment 2 (Assignee, 8 years ago)
(In reply to Wladimir Palant from comment #0)
> The creation of bounty attachments lacks CSRF protection. This means that
> somebody can lure people in the core-security group to a page containing the

It's not core-security, but the bounty-team. A small point, to be sure.

I'm also changing the logic of "is bounty attachment" to include "attacher is a member of the bounty team". Non-bounty-team members couldn't be the attachers already (just requiring the CSRF), but I didn't like that oversight either.
Comment 3 (Assignee, 8 years ago)
Attachment #8724934 - Flags: review?(dkl)
Updated (8 years ago)
Flags: sec-bounty?
Comment 4 (8 years ago)
Comment on attachment 8724934: 1252219_1.patch

Review of attachment 8724934:

r=dkl
Attachment #8724934 - Flags: review?(dkl) → review+
Comment 5 (Reporter, 8 years ago)
(In reply to Dylan William Hardison [:dylan] from comment #2)
> it's not core-security, but the bounty-team.

Both actually - bounty-team to use the link, core-security (or whatever default security group is configured for the component) to actually add the attachment. Yes, it's a minor detail.
Comment 6 (Assignee, 8 years ago)
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git 1d3186c..4d95649 master -> master
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated (8 years ago)
Group: bugzilla-security
Updated (8 years ago)
Flags: sec-bounty? → sec-bounty+
Updated (5 years ago)
Component: Extensions: BMO → Extensions