Closed Bug 179329 Opened 22 years ago Closed 22 years ago

HTML-unsafe characters need to be escaped in quips

Categories: Bugzilla :: Bugzilla-General, defect, P1
Status: VERIFIED FIXED
Target Milestone: Bugzilla 2.18
People: Reporter: brant, Assigned: justdave
Attachments: 2 files

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20021108
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2b) Gecko/20021108

Somebody included <i> in a quip on this page so the second half of the page is italicized.

Reproducible: Always

Steps to Reproduce:
1. Look at the sample page code/rendering.

Actual Results: The bracket characters are not escaped.

Expected Results: The bracket characters need to be escaped.

This is a potential security issue since somebody could add some unauthorized javascript. I am making this critical for that reason.
Blocks: 179176
Group: webtools-security
Severity: critical → blocker
Keywords: regression
Priority: -- → P1
Summary: HTML-unsafe characters need to be escaped → HTML-unsafe characters need to be escaped in quips
Target Milestone: --- → Bugzilla 2.18
Comment on attachment 105739, patch v1: filters quips (2.16.1/2.17): r=justdave a=justdave
Attachment #105739 - Flags: review+
Checking in template/en/default/list/quips.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/list/quips.html.tmpl,v <-- quips.html.tmpl
new revision: 1.6; previous revision: 1.5
done
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
* THIS ONE AFFECTS 2.12, 2.14 and 2.16 * to 2002/11/11 00:19:41 US/Pacific

Quips from the quips.cgi page were not html escaped. *However*, to be affected an html quip must have been entered on a bugzilla installation, updated before 2000/07/27 20:10:16. Quips containing "<" were disallowed after that.

IOW, 2.12 and greater are basically safe, since I can't think of an exploit you can do w/o the '<' character.

Leaving closed for justdave to deal with a possible advisory.
Attachment #105739 - Attachment description: patch v1: filters quips → patch v1: filters quips (2.16.1/2.17)
Checked into 2.16 branch:

Checking in template/en/default/list/quips.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/list/quips.html.tmpl,v <-- quips.html.tmpl
new revision: 1.4.2.2; previous revision: 1.4.2.1
done

Checked into 2.14 branch:

Checking in quips.cgi;
/cvsroot/mozilla/webtools/bugzilla/quips.cgi,v <-- quips.cgi
new revision: 1.1.2.1; previous revision: 1.1
done

clearing security bit, advisory has been posted.
Group: webtools-security
Flags: approval+
Date: Tue, 26 Nov 2002 15:34:12 -0500
To: announce@bugzilla.org, mozilla-webtools@mozilla.org, bugtraq@securityfocus.com
From: David Miller <justdave@syndicomm.com>
Subject: XSS vulnerability in Bugzilla if upgraded from 2.10 or earlier

Bugzilla Security Advisory
November 26th, 2002

Severity: Minor

Summary
=======

The Bugzilla team recently discovered a cross-site scripting vulnerability. The vulnerability, present in Bugzilla's 'quips' feature, affects all installations that originally installed Bugzilla 2.10 or earlier and which have been upgraded from there. If you originally installed version 2.12 (released 2001 Apr 27) or later, or you have never had quips enabled, then you are not vulnerable to this attack.

Vulnerability Details
=====================

This vulnerability affects installations using the "quips" feature to put short, user-submitted phrases at the top of bug lists. 2.10 and earlier versions allowed users to enter unchecked input which was displayed as-entered back to the user. Version 2.12 and later attempted to fix this problem by preventing users from entering HTML in new quips, and also escaping existing quips when displaying them to users in the bug list. However, the output of existing quips from the "show all quips" choice on the quips management page was not properly escaped, so any *existing* quips still in the database from before the input checks were put in place would be displayed to a user with unescaped HTML if they chose to view a list of all of the existing quips at once.

If you originally installed a version older than 2.12, had quips enabled, and have not cleaned up your quips database since you upgraded to 2.12, your installation may contain scripting attacks in your quips file from ages ago, still able to affect end users.

Vulnerability Solutions
=======================

The best way to fix this vulnerability is to audit the contents of your quips file. Quips are stored in the file 'data/comments' in Bugzilla 2.14.x and 2.16.x, and in the database, in a 'quips' table, in 2.17.x.
In addition to auditing quips, Bugzilla administrators can also force quips to be properly encoded to prevent HTML attacks by applying one of the following one-line patches. The Bugzilla team recommends both auditing your quips and applying the patches. Because of the low severity of this vulnerability, the small size of the required changes to fix it, and the small number of installations believed in existence at the point in time when this was corrected for new installations, we have not released any updated versions of Bugzilla, however, these fixes have been checked into the associated branches (so if you update via CVS you'll get them) and will be included in any future versions we release. Please note that Bugzilla 2.14.x will no longer be supported after December 31, 2002, so Bugzilla 2.14.x sites are encouraged to upgrade to 2.16.1. Patch for Bugzilla 2.14.4: Index: quips.cgi =================================================================== RCS file: /cvsroot/mozilla/webtools/bugzilla/quips.cgi,v retrieving revision 1.1 diff -u -r1.1 quips.cgi --- quips.cgi 29 May 2001 04:01:48 -0000 1.1 +++ quips.cgi 22 Nov 2002 21:04:08 -0000 @@ -49,7 +49,7 @@ if (open (COMMENTS, "<data/comments")) { while (<COMMENTS>) { - print $_,"<br>\n"; + print html_quote($_),"<br>\n"; } close COMMENTS; } Patch for Bugzilla 2.16.1: Index: template/en/default/list/quips.html.tmpl =================================================================== RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/list/quips.html.tmpl,v retrieving revision 1.4.2.1 diff -u -r1.4.2.1 quips.html.tmpl --- template/en/default/list/quips.html.tmpl 23 May 2002 08:14:23 -0000 1.4.2.1 +++ template/en/default/list/quips.html.tmpl 22 Nov 2002 21:19:22 -0000 
@@ -59,7 +59,7 @@ </h2> <ul> [% FOREACH quip = quips %] - <li>[% quip %]</li> + <li>[% quip FILTER html %]</li> [% END %] </ul> [% ELSE %] For Bugzilla 2.17 from CVS: Run a 'cvs update' to pick up the fix. Bugzilla 2.17.1 already contains this fix. For More Information ==================== References: Bugzilla bug 179329 http://bugzilla.mozilla.org/show_bug.cgi?id=179329 General information about the Bugzilla bug-tracking system can be found at http://www.bugzilla.org/ Comments and follow-ups can be directed to the netscape.public.mozilla.webtools newsgroup or the mozilla-webtools mailing list; http://www.mozilla.org/community.html has directions for accessing these forums. -- Dave Miller Project Leader, Bugzilla Bug Tracking System http://www.justdave.net/ http://www.bugzilla.org/
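Review bot: in the quips.cgi hunk, `print html_quote($_),"<br>\n";` escapes at the output sink rather than at input, which is the right layer here: the advisory itself notes that the 2.12 input check (rejecting '<') leaves pre-2.12 entries in data/comments untouched, so only escaping on output neutralises them. html_quote is not defined in this file, so confirm it is in scope in quips.cgi on this branch before landing, as the patched loop is the only code path the CGI exercises for "show all quips". The hunk covers just that listing; the bug-list rendering, which the advisory says was already escaped from 2.12 on, is not revisited here.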
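Review bot: in the quips.html.tmpl hunk, `<li>[% quip FILTER html %]</li>` fixes the one FOREACH loop shown, but nothing records that every output point for quip text must carry FILTER html, and this bug is keyworded regression, so the same omission can recur on the next template edit. Suggest a short comment above the loop stating that quips are untrusted legacy data and must be filtered, and a check that the list page renders `&lt;` for a quip containing '<'; the same change needs to land on both the 2.16 branch (rev 1.4.2.2) and trunk (rev 1.6) per the check-in comments above.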
Status: RESOLVED → VERIFIED
Keywords: regression
QA Contact: matty_is_a_geek → default-qa
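The layering the advisory describes, as an added example that is not Bugzilla's own code: an input filter that rejects '<' in new quips cannot clean entries already in the store, so the listing must escape at output. The sample quips and the tag check are constructed for this demonstration.

```python
"""Added example (not Bugzilla's code) modelling the quips XSS from the advisory:
an input filter alone cannot clean legacy data, so escaping must happen at output."""
import html
import re

# Constructed sample of a quips store. The second entry stands in for a quip
# that was entered before the '<' check existed and has sat in the store since.
SAMPLE_QUIPS = [
    "Bugs are features in disguise",
    "<i>everything after me is italic",
    "Fix it twice, then write the test",
]

# Tags the listing template legitimately emits; anything else came from quip text.
TEMPLATE_TAGS = {"ul", "li"}
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)")


def input_filter_accepts(quip: str) -> bool:
    """Model of the 2.12+ input check: new quips containing '<' are rejected."""
    return "<" not in quip


def audit_store(quips):
    """The advisory's first recommendation: list stored quips that the current
    input filter would reject, i.e. legacy entries that predate it."""
    return [q for q in quips if not input_filter_accepts(q)]


def render_unescaped(quips):
    """The vulnerable 'show all quips' listing: quip text is emitted verbatim."""
    return "<ul>\n" + "".join(f"<li>{q}</li>\n" for q in quips) + "</ul>\n"


def render_escaped(quips):
    """The patched listing: every quip is HTML-escaped at the output sink
    (the counterpart of html_quote / FILTER html in the advisory's patches)."""
    return "<ul>\n" + "".join(f"<li>{html.escape(q)}</li>\n" for q in quips) + "</ul>\n"


def unexpected_tags(rendered: str):
    """Detection check on rendered output: tag names the template itself does
    not emit, which can only have come from quip content."""
    found = {m.group(1).lower() for m in TAG_RE.finditer(rendered)}
    return sorted(found - TEMPLATE_TAGS)


if __name__ == "__main__":
    print("legacy quips needing audit:", audit_store(SAMPLE_QUIPS))
    print("unexpected tags, unescaped:", unexpected_tags(render_unescaped(SAMPLE_QUIPS)))
    print("unexpected tags, escaped:", unexpected_tags(render_escaped(SAMPLE_QUIPS)))
```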