Bug 1254675 - bug_modal template fails to escape format parameter
Status: Closed (RESOLVED FIXED); opened 9 years ago, closed 9 years ago
Categories: bugzilla.mozilla.org :: General, defect
People: Reporter: jwkbugzilla; Assigned: dkl
Keywords: sec-low
Attachments (1 file): patch, 783 bytes, reviewed by dylan (review+)
The template extensions/BugModal/template/en/default/bug_modal/edit.html.tmpl contains the following line:
> [%~ '&format=' _ cgi.param("format") IF cgi.param("format") %]"
Note the query parameter "format" being inserted unescaped. The assumption seems to be that this parameter is safe. That's not really the case however, consider the following URL:
> https://bugzilla.mozilla.org/show_bug.cgi?id=490047&format=%22%3E%3Cmo%20dal=%22//1.2.3.4%22%3E
If you look at the this-bug element in the source code, the format parameter not only escaped the attribute, it inserted a tag <mo dal="//1.2.3.4"> into the page. The only reason why this doesn't seem to be exploitable: you cannot add any more letters, and building a malicious payload having only the letters "modal" at your disposal is hard.
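As an added illustration (not Bugzilla's code and not the patch attached to this bug), the following Python models the reported template line with the decoded query value from the URL above, then shows the same link with the value URL-encoded and the attribute HTML-escaped; the id="this-bug" attribute and the shape of the fix are assumptions, and an HTML parser is used to check how many start tags each rendering produces.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Query value from the reported URL, decoded the way a CGI layer hands it to
# cgi.param("format"). After decoding it reads:  "><mo dal="//1.2.3.4">
REPORTED_FORMAT = unquote("%22%3E%3Cmo%20dal=%22//1.2.3.4%22%3E")


def this_bug_link_unescaped(bug_id: str, fmt: str) -> str:
    """Model of the reported template line: the parameter is concatenated raw
    into the href, so '"' and '>' inside it terminate the attribute and tag.
    (id="this-bug" is an assumption about the rendered element.)"""
    href = f"show_bug.cgi?id={bug_id}"
    if fmt:  # mirrors:  IF cgi.param("format")
        href += "&format=" + fmt
    return f'<a id="this-bug" href="{href}">'


def this_bug_link_hardened(bug_id: str, fmt: str) -> str:
    """Same link with two encodings applied in the right order: URL-encode the
    value for the query string, then HTML-escape the whole attribute value.
    This is an assumed fix shape, not the committed patch."""
    href = f"show_bug.cgi?id={bug_id}"
    if fmt:
        href += "&format=" + quote(fmt, safe="")
    return f'<a id="this-bug" href="{html.escape(href, quote=True)}">'


class _StartTags(HTMLParser):
    """Collects (tag, attrs) for every start tag, as a browser-like check."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def start_tags(markup: str) -> list[tuple[str, dict]]:
    """Return the start tags an HTML parser sees in `markup`; a safe rendering
    of the link yields exactly one <a> tag, the unescaped one yields a second tag."""
    p = _StartTags()
    p.feed(markup)
    p.close()
    return p.tags
```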
Updated • 9 years ago (Assignee)
Assignee: nobody → dkl
Status: NEW → ASSIGNED
Comment 1 • 9 years ago (Assignee)
Attachment #8728091 - Flags: review?(dylan)
Comment 2 • 9 years ago
Comment on attachment 8728091 [details] [diff] [review]
1254675_1.patch
Review of attachment 8728091 [details] [diff] [review]:
-----------------------------------------------------------------
r=dylan
Attachment #8728091 - Flags: review?(dylan) → review+
Comment 3 • 9 years ago (Assignee)
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
0b7cd97..ad2b169 master -> master
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED