Closed Bug 1439260 (CVE-2023-5206) Opened 7 years ago Closed 11 months ago

Debug param can force html content type on non-html responses, resulting in XSS

Categories

(Bugzilla :: Reporting/Charting, defect)

Product:
Bugzilla
Component:
Reporting/Charting
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 4.4

People

(Reporter: hofusec, Assigned: justdave)

References

Details

(Keywords: reporter-external, sec-high, wsec-xss, Whiteboard: [disclose when 1439786 AND upstream is fixed][reporter-external] [web-bounty-form] [verif?])

Attachments

(7 files, 8 obsolete files)

Screen Shot 2018-02-20 at 1.10.42 PM.png
179.51 KB, image/png
Details
Screenshot 2022-01-21 at 12.48.25.png
479.63 KB, image/png
Details
patch for harmony
2.28 KB, patch
Details | Diff | Splinter Review
patch for BMO
2.27 KB, patch
dkl
: review+
Details | Diff | Splinter Review
patch for 5.2 branch and master
2.50 KB, patch
Details | Diff | Splinter Review
patch for 4.4 branch
5.12 KB, patch
Details | Diff | Splinter Review
patch for 5.0.4 branch
5.17 KB, patch
Details | Diff | Splinter Review
Steps to reproduce: 1.) create a bug report with the title "399877536 <script>alert(123);</script>" (without quotes) 2.) visit /report.cgi?debug=1&short_desc=399877536&short_desc_type=allwordssubstr&y_axis_field=short_desc&ctype=csv&action=plot An alert prompt will appear.
Flags: sec-bounty?
Group: websites-security → bugzilla-security
Component: Other → Reporting/Charting
Product: Websites → Bugzilla
Holger: I cannot replicate this issue. I attempted to replicate this with bug 1439604, which I have CC'd you on. Could you please provide a valid URL which POC's my example bug?
Flags: needinfo?(hofusec)
QA Contact: default-qa
It will only happen for those in the debug group. I'll remove this feature though.
The fix for Bug 1433400 is the problem, we need a referer from the bugzilla host. New steps to reproduce: 1.) create a bug report with the title "399877536 <script>alert(123);</script>" (without quotes) 2.) post a comment with a link to <Bugzilla-Host>/report.cgi?debug=1&short_desc=399877536&short_desc_type=allwordssubstr&y_axis_field=short_desc&ctype=csv&action=plot 3.) click on the link or simply click on the link in your comment ;)
Flags: needinfo?(hofusec)
(In reply to Dylan Hardison [:dylan] (he/him) from comment #3) > It will only happen for those in the debug group. I'll remove this feature > though. no, i see the alert if i click on the link in comment #2.
Holger: I can confirm the issue now, I didn't realize referer was required. The XSS is also in the bugzilla.mozilla.org context, I adjusted the subject to reflect document.domain.
Of course. So there is a debug param that turns on some debugging, and another gem: # If we get a template or CGI error, it comes out as HTML, which isn't valid # PNG data, and the browser just displays a "corrupt PNG" message. So, you can # set debug=1 to always get an HTML content-type, and view the error. $format->{'ctype'} = "text/html" if $cgi->param('debug');
Status: UNCONFIRMED → NEW
Ever confirmed: true
Adding jfearn. At least this bug is easy to fix. Holger, nice catch.
It looks like this was introduced in bug 413851 actually.
Attached patch bug-1439260_1-bugzilla-4.4.patch (obsolete) — Splinter Review
Assignee: nobody → dylan
Status: NEW → ASSIGNED
Attachment #8952415 - Flags: review?(jfearn)
Attached patch bug-1439260_1-bugzilla-5.0.patch (obsolete) — Splinter Review
Attachment #8952416 - Flags: review?(jfearn)
Attached patch bug-1439260_1.patch (obsolete) — Splinter Review
Attachment #8952419 - Flags: review?(dkl)
Also, just as an added idea/improvement here, if I'm understanding this correct, the Content Security Policy in BMO should have stopped this vector... The current content security policy for BMO is: Content-security-policy: default-src 'self'; child-src 'self'; img-src 'self' https://secure.gravatar.com https://www.google-analytics.com; object-src 'none'; script-src 'self' https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; form-action 'self' https://www.google.com/search https://github.com/login/oauth/authorize https://github.com/login However, it seems the response headers on this particular request did not contain the CSP headers, so maybe there is some short-circuiting happening here we should investigate to make sure the CSP policy is being applied completely for all responses?
Note that BMO's CSP rollout is per-endpoint, and report.cgi does not yet have those headers. I'm also investigating how much work it would be for that page. As a means of fixing this in BMO *before* it gets fixed upstream, I may decide to turn on CSP for several end points even if it will break some functionality.
Summary: Bugzilla report.cgi - csv output and debug flag can trigger XSS → Debug param can force html content type on non-html responses, resulting in XSS
Though the chart.cgi variation of this is *worse* because it outputs both sets of headers. Why is that worse? Because even if CSP was turned on, it may be possible to capture the nonce.
request.cgi *seems* to actually not do anything insane with a debug param, so we have that going for us.
Comment on attachment 8952419 [details] [diff] [review] bug-1439260_1.patch Review of attachment 8952419 [details] [diff] [review]: ----------------------------------------------------------------- r=dkl
Attachment #8952419 - Flags: review?(dkl) → review+
Note we're *really* fixing this for BMO in bug 1439797, via subterfuge. This bug needs to stay private until we do an upstream release.
The threat posed by this and bug 1439786 should be neutralized on BMO now.
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → Embargo until BMO bug 1439797 is shipped[reporter-external] [web-bounty-form] [verif?]
Comment on attachment 8952415 [details] [diff] [review] bug-1439260_1-bugzilla-4.4.patch Review of attachment 8952415 [details] [diff] [review]: ----------------------------------------------------------------- works for me
Attachment #8952415 - Flags: review?(jfearn) → review+
Comment on attachment 8952416 [details] [diff] [review] bug-1439260_1-bugzilla-5.0.patch Review of attachment 8952416 [details] [diff] [review]: ----------------------------------------------------------------- works for me
Attachment #8952416 - Flags: review?(jfearn) → review+
Attachment #8952417 - Flags: review?(jfearn) → review+
Flags: sec-bounty? → sec-bounty+
Assignee: dylan → nobody
Status: ASSIGNED → NEW

I assume this was merged? Can we close this bug out?

(In reply to April King [:April] from comment #26)

I assume this was merged? Can we close this bug out?

This has not been merged upstream for whatever reasons so cannot be closed yet.

Are you able to check in on it? It's been almost two years now. :)

the issue doesn't seem to be fixed, the payload is not executed because it's blocked by CSP

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Whiteboard: Embargo until BMO bug 1439797 is shipped[reporter-external] [web-bounty-form] [verif?] → [disclosure when 1439786 is fixed] Embargo until BMO bug 1439797 is shipped[reporter-external] [web-bounty-form] [verif?]

(In reply to David Lawrence [:dkl] from comment #27)

This has not been merged upstream for whatever reasons so cannot be closed yet.

Has this been merged upstream by now? Is there a bug or GH reference for that?

Depends on: 1439797
Flags: needinfo?(dkl)
Whiteboard: [disclosure when 1439786 is fixed] Embargo until BMO bug 1439797 is shipped[reporter-external] [web-bounty-form] [verif?] → [disclose when 1439786 AND upstream is fixed][reporter-external] [web-bounty-form] [verif?]

Just verified this has NOT been committed upstream yet. This will be included in the upcoming releases.

Blocks: bugzilla-security-4.4.14, bugzilla-security-5.0.4.1, bugzilla-security-5.2
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

I was thinking the fix for this would already included in Harmony by virtue of it having merged BMO after this was committed to BMO. However, upon investigating (good thing I looked), it has not been applied to Harmony, and it ALSO hasn't been applied to BMO. Per Comment 22, BMO "fixed" this by setting up the CSP to block the symptoms rather than fixing the root of the problem.

Per comment 19, chart.cgi has the same problem, and is not included in this set of patches, nor are there any patches on the dependent bug to cover chart.cgi.

I'll have revised patches shortly.

Flags: needinfo?(dkl)
Attached file patch for harmony (obsolete) —

The existing patch for harmony no longer applies to either harmony or BMO. The fixed patch for harmony also does not apply against BMO (the chart half applies, the reports.cgi part doesn't - and it looks like it's because of context)

This patch is for Harmony only.

Assignee: nobody → justdave
Attachment #8952419 - Attachment is obsolete: true
Status: REOPENED → ASSIGNED

I guess I should actually attach the patch here, nobody will be able to see that PR since it's on a private repo. I actually tried to do that first but Bugzilla wouldn't let me pick Dylan for a reviewer.

Attachment #9350582 - Attachment is obsolete: true
Attached patch patch for BMOSplinter Review
Attachment #9350584 - Flags: review?(dkl)
Attached patch patch for 4.4 branch (obsolete) — Splinter Review

Patch for 4.4 applies intact, but of course was missing the chart.cgi part. This one has both.

Attachment #8952415 - Attachment is obsolete: true
Attached patch patch for 5.0.4 branch (obsolete) — Splinter Review

5.0 patch applies cleanly, but didn't have chart.cgi portion. This one includes both.

Attachment #8952416 - Attachment is obsolete: true

Comment on attachment 9350590 [details] [diff] [review]
patch for 5.2 branch and master

Turns out the 5.2 patch applies cleanly on master. :-)

Attachment #9350590 - Attachment description: patch for 5.2 branch → patch for 5.2 branch and master
Attachment #8952417 - Attachment is obsolete: true

Vulnerability Description:

Leftover debugging code allowed XSS injection within the bug title when viewing charts and reports if a specific URL param was passed to enable the debugging code.

Vulnerable versions:

Bug was introduced in version 2.18
From 2.18 prior to 4.4.14 -> upgrade to 4.4.14
5.0.x versions prior to 5.0.4.1 -> upgrade to 5.0.4.1
5.0.5 and 5.0.6 -> upgrade to 5.2
Developer snapshots in 5.1.x prior to 5.1.3 -> upgrade to 5.1.3

dveditz, can we get a CVE for this?

Flags: needinfo?(dveditz)
Comment on attachment 9350584 [details] [diff] [review] patch for BMO Review of attachment 9350584 [details] [diff] [review]: ----------------------------------------------------------------- lgtm
Attachment #9350584 - Flags: review?(dkl) → review+
Comment on attachment 9350585 [details] [diff] [review] patch for 4.4 branch >diff --git a/chart.cgi b/chart.cgi >- # Debugging PNGs is a pain; we need to be able to see the error messages >- if ($cgi->param('debug')) { >- print $cgi->header(); >- $vars->{'chart'}->dump(); >- } Could you give us a PoC explaining how to abuse chart.cgi? Else why removing this code? >diff --git a/report.cgi b/report.cgi >-if ($cgi->param('debug') >- && Bugzilla->params->{debug_group} >- && Bugzilla->user->in_group(Bugzilla->params->{debug_group}) >-) { >- $vars->{'debug'} = 1; >-} If you want to remove this code entirely (instead of preventing report.csv.tmpl from being called), then you should also remove obsolete code from reports/report.html.tmpl: [% IF debug %] [% FOREACH query = queries %] <p>[% query.sql FILTER html %]</p> [% END %] [% END %] In that case, you must also fix the description of the debug_group parameter which states that you can view debug data from reports. This statement is no longer true with the removal of the debug code above. IMO, a better solution would be to fallback to reports.html.tmpl instead of reports.csv.tmpl when debug=1.

(In reply to Frédéric Buclin from comment #43)

Could you give us a PoC explaining how to abuse chart.cgi?

There's a PoC in bug 1439786 comment 1.

IMO, a better solution would be to fallback to reports.html.tmpl instead of
reports.csv.tmpl when debug=1.

This makes sense... I'm not that familiar with the reporting code, so I took the fix Dylan had already provided (which seemed to have been vetted by BMO) and ran with it. While it does actually remove the vulnerability, you're right that it's removing a useful feature that could have the actual XSS fixed instead of just removing it wholesale.

Bouncing request for CVE to Tom. Our local pool of reserved IDs is empty and we'll have to request more.

Flags: needinfo?(dveditz) → needinfo?(tom)
Alias: CVE-2023-5206
Flags: needinfo?(tom)

OK, new set of patches for this incoming.

New philosophy, taking comment 43 into account. Instead of removing this feature, we're going to implement it properly.

  1. The dump() function in Bugzilla::Chart now returns the dumped data raw instead of html_sanitizing it and dumping it to standard out.
  2. debug_group is now checked in both CGIs (it was only being checked in report.cgi before, and debug=1 worked for anyone in chart.cgi
  3. Previous implementation had it dumping raw HTML before the template was output, which meant it was outside of the html entity. Proper browsers would probably ignore it, but instead they all just use quirks mode and it looks weird. We now feed the debug data to the template, and the template filters it on output (data sanitation philosophy: filter as close to the user as possible)
Attached patch patch for 4.4 branch (obsolete) — Splinter Review
Attachment #9350585 - Attachment is obsolete: true
Attachment #9401568 - Attachment is obsolete: true
Attachment #9350587 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: