Closed Bug 1254542 Opened 8 years ago Closed 8 years ago

Reflected XSS in comment-remo-form-payment.txt page

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Production
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: jwkbugzilla, Assigned: dylan)

Details

(Keywords: sec-high, wsec-xss)

Attachments

(1 file)

You can see this issue live under the following URL:

> https://bugzilla.mozilla.org/page.cgi?id=comment-remo-form-payment.txt&firstname=%3Cscript%3Ealert%28%22xss%22%29%3C/script%3E

I have the impression that this template got placed in the wrong directory and isn't meant to be a page at all. Problem is, despite the .txt file extension it is served with Content-Type: text/html. And it inserts data from the query string without performing any escaping whatsoever...
Assignee: nobody → dylan
There is another *.txt.tmpl available over page.cgi:

./extensions/BMO/template/en/default/pages/group_membership.txt.tmpl
Can group names be malicious? Or logins? Maybe not, but https://bugzilla.mozilla.org/page.cgi?id=group_membership.txt&who=dylan%40mozilla.com&output=txt is still served with an HTML content type and performs no escaping either. We should fix both in this bug.
Aah, arse. I really thought I'd protected against this sort of thing, but seems like I didn't. :-( We need to stop support files like the txt.tmpl ones being called directly by page.cgi, because they aren't designed for that. But also, why on earth are they ending up with an HTML content-type - they clearly are .txt.tmpl, so I'd expect text/plain. Haven't researched this yet.

Gerv
(In reply to Dylan William Hardison [:dylan] from comment #1)
> There is another *.txt.tmpl available over page.cgi:
> 
> ./extensions/BMO/template/en/default/pages/group_membership.txt.tmpl

Yes, I looked at this one as well - also served up as text/html, doesn't seem to be exploitable however.
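The two defects the thread describes (a support template reachable through page.cgi, served as text/html, with query parameters substituted unescaped) and the fix Gerv calls for, modelled as an added Python example; this is not Bugzilla's own Perl code, and the template names, the [% %] placeholders and the serve_page function are constructed for illustration:

```python
import html
import re
from urllib.parse import parse_qs

# Constructed template registry standing in for Bugzilla's template directory.
# The *.txt.tmpl entries mirror the support files named in the bug; they are
# not meant to be reachable through page.cgi at all.
TEMPLATES = {
    "comment-remo-form-payment.txt.tmpl": "Dear [% firstname %], your payment form follows.",
    "group_membership.txt.tmpl": "Group membership for [% who %]",
    "remo-form-payment.html.tmpl": "<p>Thanks, [% firstname %]!</p>",
}

# Only a plain name ending in .html is a legitimate page id; the character
# class also rules out path separators and extra dots that could reach other files.
PAGE_ID = re.compile(r"^[A-Za-z0-9_-]+\.html$")


def serve_page(query_string, hardened=True):
    """Toy model of page.cgi. Returns (status, content_type, body).

    hardened=False reproduces the reported behaviour: any template id is
    rendered as text/html and query parameters are substituted verbatim.
    hardened=True applies the two fixes the thread calls for: refuse ids
    that are not *.html pages, and HTML-escape every substituted value.
    """
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    page_id = params.pop("id", "")
    if hardened and not PAGE_ID.match(page_id):
        return 404, "text/plain", "page not found"
    template = TEMPLATES.get(page_id + ".tmpl")
    if template is None:
        return 404, "text/plain", "page not found"
    body = template
    for key, value in params.items():
        if hardened:
            # Escape <, >, &, " and ' so reflected input cannot break out of
            # the surrounding markup.
            value = html.escape(value, quote=True)
        body = body.replace("[% " + key + " %]", value)
    return 200, "text/html", body


if __name__ == "__main__":
    q = "id=comment-remo-form-payment.txt&firstname=%3Cb%3Ehi%3C/b%3E"
    print(serve_page(q, hardened=False))  # .txt support file reflected as text/html
    print(serve_page(q))                  # rejected: not a *.html page
```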
Status: NEW → ASSIGNED
Flags: sec-bounty?
Keywords: sec-high, wsec-xss
Attached patch 1254542_1.patch
note: this should be upstreamed as well.
Attachment #8728131 - Flags: review?(dkl)
Comment on attachment 8728131 [details] [diff] [review]
1254542_1.patch

Review of attachment 8728131 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8728131 - Flags: review?(dkl) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   6ec9ecf..0b7cd97  master -> master
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Pushed
Group: bugzilla-security
Flags: sec-bounty? → sec-bounty+
Component: Extensions: REMO → Extensions