Closed
Bug 1252445
Opened 8 years ago
Closed 8 years ago
Tracking flags configuration is vulnerable to CSRF and causes persistent XSS
Categories
(bugzilla.mozilla.org :: Extensions, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jwkbugzilla, Assigned: dkl)
References
Details
(Keywords: sec-high, wsec-csrf, wsec-xss)
Attachments
(1 file, 1 obsolete file)
6.04 KB,
patch
|
dylan
:
review+
|
Details | Diff | Splinter Review |
Tracking flags configuration has no CSRF protection currently meaning that anybody who successfully lures a Bugzilla admin to a malicious page can add or change tracking flags. For example, a malicious page could contain the following code: > <img src="https://bugzilla-dev.allizom.org/page.cgi?id=tracking_flags_admin_edit.html&mode=new&values=[{%22comment%22%3A%22%22%2C%22is_active%22%3Atrue%2C%22setter_group_id%22%3A%221%22%2C%22value%22%3A%22---%22%2C%22id%22%3A0}]&visibility=[{%22component%22%3A%22%22%2C%22product%22%3A%22Firefox%22%2C%22id%22%3A0}]&save=1&flag_name=cf_foobar%3C/script%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E&flag_desc=foobar&flag_type=project&flag_sort=0&flag_enter_bug=1&flag_active=1"> Not only will this create a new tracking flag, anybody visiting a Firefox bug after that will see a message saying "xss" - the tracking flags data is being inserted into a script as JSON, without further validation. So one can add XSS payload to the flag ID and turn this into persistent XSS (there is client-side validation for flag ID but almost nothing on the server side). Interesting fact: setting flag ID to something like "cf_foo::bar" will cause an error message whenever a bug is saved because the following line will try calling method bar via package cf_foo: > my $new_value = $bug->$flag_name; (extensions/TrackingFlags/Extension.pm line 650) From what I can tell, this is not exploitable because there are no packages with names starting with cf_.
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → dkl
Status: NEW → ASSIGNED
Assignee | ||
Comment 1•8 years ago
|
||
Attachment #8725270 -
Flags: review?(dylan)
Reporter | ||
Comment 2•8 years ago
|
||
Comment on attachment 8725270 [details] [diff] [review] 1252445_1.patch Is that the right variables you escaped? The problematic line here was |TrackingFlags = {...}|.
Reporter | ||
Comment 3•8 years ago
|
||
Comment on attachment 8725270 [details] [diff] [review] 1252445_1.patch Yes, the XSS that I observed was in extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl: > TrackingFlags = [% tracking_flags_json FILTER none %]; It was popping up in each bug rather than the flags edit page.
Assignee | ||
Comment 4•8 years ago
|
||
(In reply to Wladimir Palant from comment #3) > Comment on attachment 8725270 [details] [diff] [review] > 1252445_1.patch > > Yes, the XSS that I observed was in > extensions/TrackingFlags/template/en/default/hook/bug/edit- > after_custom_fields.html.tmpl: > > > TrackingFlags = [% tracking_flags_json FILTER none %]; > > It was popping up in each bug rather than the flags edit page. Ah thanks for the heads up. Will submit new patch with the added fix. dkl
Updated•8 years ago
|
Flags: sec-bounty?
Assignee | ||
Comment 5•8 years ago
|
||
Attachment #8725270 -
Attachment is obsolete: true
Attachment #8725270 -
Flags: review?(dylan)
Attachment #8725376 -
Flags: review?(dylan)
Reporter | ||
Comment 6•8 years ago
|
||
extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl looks like it would also be vulnerable in this context (particularly assigning to fields_data variable). However, it requires some rather complicated setup so I cannot verify.
Comment 7•8 years ago
|
||
(In reply to Wladimir Palant from comment #6) > extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl > looks like it would also be vulnerable in this context (particularly > assigning to fields_data variable). However, it requires some rather > complicated setup so I cannot verify. There is already a bug filed for that, in fact. It'll be in the next release.
See Also: → 1252554
Comment 8•8 years ago
|
||
Comment on attachment 8725376 [details] [diff] [review] 1252445_2.patch Review of attachment 8725376 [details] [diff] [review]: ----------------------------------------------------------------- r=dylan
Attachment #8725376 -
Flags: review?(dylan) → review+
Assignee | ||
Comment 9•8 years ago
|
||
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git 0a9f058..02aa6ce master -> master
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•8 years ago
|
Updated•5 years ago
|
Component: Extensions: TrackingFlags → Extensions
You need to log in
before you can comment on or make changes to this bug.
Description
•