Bug 146447 - cross-site scripting bug with bugzilla user's name
Status: RESOLVED FIXED
Status Whiteboard: [SECURITY] applied to 2.14.2
Product: Bugzilla
Classification: Server Software
Component: Bugzilla-General
Version: 2.15
Hardware: All, OS: All
Priority: --, Severity: major
Target Milestone: Bugzilla 2.14
Assigned To: Dave Miller [:justdave] (justdave@bugzilla.org)
QA Contact: default-qa
Reported: 2002-05-23 08:40 PDT by Jan Moesen
Modified: 2012-12-18 20:46 PST
CC: 3 users

Attachments
backported patch to 2.14.1 (723 bytes, patch)
2002-05-23 14:29 PDT, Myk Melez [:myk] [@mykmelez]
gerv: review+
justdave: review+
part 2 (1.32 KB, patch)
2002-05-25 21:31 PDT, Bradley Baetz (:bbaetz)
gerv: review+
matty_is_a_geek: review+

Description Jan Moesen 2002-05-23 08:40:00 PDT
I changed my full name to <b>Jan!</b> and that worked (as in: bold font).
Similarly, when I changed it to

Jan! <script>alert("XSS: see bug #!\n\n" + document.cookie)</script>

that ran the script without a hitch. This is a simple way to steal people's
cookies, and should be avoided, by escaping/"de-HTML-ing" any and all user input.
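As an added illustration (not code from this bug or from Bugzilla itself), the vulnerable and the escaped rendering of the real name from this report, together with the crude source audit the later comments ask for. value_quote here is a Python stand-in for Bugzilla's function of that name, and the Perl-like source lines are constructed samples.

```python
import html
import re

# Constructed sample: the payload from the bug description, stored as a user's
# Bugzilla "real name" (the reporter's own proof of concept).
REALNAME = 'Jan! <script>alert("XSS: see bug #!\\n\\n" + document.cookie)</script>'

def value_quote(text):
    """Python stand-in (an assumption) for Bugzilla's value_quote(): turn HTML
    metacharacters into entities so the name is displayed, not interpreted."""
    return html.escape(text, quote=True)

def render_unsafe(realname):
    """How the bug form rendered the name before the patch: interpolated
    verbatim, so any markup inside it becomes live HTML."""
    return f'<td>Reporter: {realname}</td>'

def render_escaped(realname):
    """Hardened rendering: escape in element content AND in an attribute value,
    so neither '<' nor '"' in the name can break out of the surrounding markup."""
    safe = value_quote(realname)
    return (f'<td>Reporter: {safe}</td>'
            f'<input type="hidden" name="reporter_name" value="{safe}">')

def has_live_script(rendered):
    """Output check: does the rendered HTML still contain an unescaped <script> tag?"""
    return re.search(r'<\s*script\b', rendered, re.IGNORECASE) is not None

# Constructed Perl-like lines standing in for a grep of the 2.14 CGIs (comment 15):
# the audit the thread asks for is "every place realname is printed unescaped".
SOURCE_LINES = [
    'print "Reporter: " . DBID_to_real_or_loginname($bug{reporter});',
    'print "Assigned: " . value_quote(DBID_to_real_or_loginname($bug{assigned_to}));',
    'my $n = DBID_to_real_or_loginname($who);  # assigned only, no output here',
]

def find_unescaped_uses(lines):
    """Flag 1-based line numbers that print DBID_to_real_or_loginname() output
    without wrapping it in value_quote(). Crude textual check, like a grep."""
    hits = []
    for no, line in enumerate(lines, 1):
        if ('DBID_to_real_or_loginname' in line and 'print' in line
                and not re.search(r'value_quote\(\s*DBID_to_real_or_loginname', line)):
            hits.append(no)
    return hits
```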
Comment 1 Bradley Baetz (:bbaetz) 2002-05-23 14:21:30 PDT
-> security group

I think I fixed this for 2.16/2.17 when I did the general html filtering
cleanup. That was templated, so it can't be backported to 2.14.
Comment 2 Myk Melez [:myk] [@mykmelez] 2002-05-23 14:29:38 PDT
Created attachment 84823 [details] [diff] [review]
backported patch to 2.14.1

This problem is already fixed on the tip, and this patch just fixed it on b.m.o
and also applies to the 2.14.1 branch.
Comment 3 Gervase Markham [:gerv] 2002-05-23 15:31:00 PDT
Comment on attachment 84823 [details] [diff] [review]
backported patch to 2.14.1

r=gerv.

Gerv
Comment 4 Jan Moesen 2002-05-23 16:20:48 PDT
seems to wfm :-)
thanks for fixing
Comment 5 Bradley Baetz (:bbaetz) 2002-05-23 22:09:59 PDT
Did "Jan!" change the user name back? This morning, I got an alert, and now I
don't, but I don't see the <script> tags at all, even escaped.

Did any other place need this (assignee and/or bug comment?)
Comment 6 Bradley Baetz (:bbaetz) 2002-05-23 23:06:06 PDT
Wanted for 2.14.2. (BTW, we should be using a groupset query rather than status
whiteboard for security bugs, now we have our own group)
Comment 7 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-05-23 23:13:05 PDT
Comment on attachment 84823 [details] [diff] [review]
backported patch to 2.14.1

r= justdave

pretty obvious.
Comment 8 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-05-23 23:14:35 PDT
leave the security bit set and change the status whiteboard to "applied to
2.14.2" after you check it in.  That's what I'm looking for for buglist of what
went into it when we release it.
Comment 9 Jan Moesen 2002-05-24 01:02:47 PDT
Re: #5, Bradley Baetz: yes, I changed my name. Any and all tags are now escaped,
or so it seems.
Comment 10 Gervase Markham [:gerv] 2002-05-25 01:59:31 PDT
Checked in to branch BUGZILLA-2_14_1-BRANCH (note: it needs to be made more
clear on www.bugzilla.org what the branch name is.)

Checking in bug_form.pl;
/cvsroot/mozilla/webtools/bugzilla/bug_form.pl,v  <--  bug_form.pl
new revision: 1.70.2.3; previous revision: 1.70.2.2
done

Gerv
Comment 11 Bradley Baetz (:bbaetz) 2002-05-25 21:22:31 PDT
No, they're not... New patch coming.
Comment 12 Bradley Baetz (:bbaetz) 2002-05-25 21:31:38 PDT
Created attachment 85079 [details] [diff] [review]
part 2

This fixes the other usages of realname in bugform.pl for 2.14. This has
already been fixed for 2.16.

Do we use realname anywhere else? It's value_quote'd in editusers.cgi.
Comment 13 Gervase Markham [:gerv] 2002-05-26 00:11:00 PDT
Comment on attachment 85079 [details] [diff] [review]
part 2

r=gerv; I'll take your word for it that there aren't any more.

Should we be searching every CGI for these? :-|

Gerv
Comment 14 Matthew Tuck [:CodeMachine] 2002-05-26 00:16:47 PDT
Yes Gerv, we decided on IRC that's your job.
Comment 15 Bradley Baetz (:bbaetz) 2002-05-26 00:19:44 PDT
I grepped 2.14 for DBID_to_real_or_loginname, and that was it. I don't know of
anywhere else we currently use the realname. Do you?

I went through 2.16 a while back to fix these issues, although I didn't consider
the security aspect. I don't know if what I did could be considered an audit,
though.
Comment 16 Gervase Markham [:gerv] 2002-05-26 00:22:52 PDT
I meant "should we check everywhere we print something without escaping it
first?" That would be a big job...

Gerv
Comment 17 Bradley Baetz (:bbaetz) 2002-05-26 00:29:49 PDT
As I said, I tried to do that a while back, on the template stuff. I got
everywhere I noticed, but that doesn't mean that I got everywhere...
Comment 18 Gervase Markham [:gerv] 2002-05-26 00:33:37 PDT
Yes, but you did it for 2.16, didn't you? I'm talking about 2.14.2.

Gerv
Comment 19 J. Paul Reed [:preed] 2002-05-27 21:01:37 PDT
Comment on attachment 85079 [details] [diff] [review]
part 2

Looks good to me, but I agree w/ Gerv... maybe someone needs to audit the
source for this; are we *sure* this doesn't affect 2.16rc1?
Comment 20 Bradley Baetz (:bbaetz) 2002-05-27 21:07:26 PDT
Checked into the branch. Anyone who wants to audit, feel free.
Comment 21 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-06-08 00:01:39 PDT
2.14.2 is out, removing security group.
