Url-parameter XSS vulnerability in edit*.cgi

RESOLVED FIXED in Bugzilla 2.16

Status

RESOLVED FIXED
15 years ago
6 years ago

People

(Reporter: jouni, Assigned: jouni)

Tracking

2.17.6
Bugzilla 2.16
Bug Flags:
approval +
blocking2.18 +
approval2.16 +
blocking2.16.6 +

Details

(Whiteboard: [fixed in 2.16.6] [fixed in 2.18rc1])

Attachments

(1 attachment)

(Assignee)

Description

15 years ago
This is a minor one, but still:

If you manage to get a Bugzilla administrator to click a URL like
http://bugzilla.mozilla.org/editmilestones.cgi?product=foo&milestone=bar&action=baz&hack=%3Cscript%3Ealert('hax0red')%3C/script%3E

The JavaScript is run in Bugzilla's security context, potentially leaking
cookies and so on.
Yipee.  That's rather stupid. :)

editcomponents.cgi:860:    print "$_: $::FORM{$_}<BR>\n";
editgroups.cgi:646:    print "$_: $::FORM{$_}<BR>\n";
editmilestones.cgi:573:    print "$_: $::FORM{$_}<BR>\n";
editproducts.cgi:1516:    print "$_: $::FORM{$_}<BR>\n";
editusers.cgi:873:    print "$_: $::FORM{$_}<BR>\n";
editversions.cgi:548:    print "$_: $::FORM{$_}<BR>\n";
Summary: Url-parameter XSS vulnerability in editmilestones.cgi and editversions.cgi → Url-parameter XSS vulnerability in edit*.cgi
Suggested fix: since the "I have no clue what you want" is based on the action
param, only dump the action param, and not the entire param list.  (And escape
it, too).
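To make the two suggestions concrete, here is an added example (not Bugzilla's code, and not part of the original bug report) that puts the vulnerable "dump every form parameter" loop quoted above next to the two safer variants discussed here: echoing only the escaped `action` parameter, and printing nothing about the request at all. The `%form` hash stands in for `%::FORM` and is constructed for the example; `html_escape` is a stand-alone equivalent of the kind of HTML quoting a template layer would do, written here so the script runs without the Bugzilla code base.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's code: the reflected-parameter bug in the
# edit*.cgi "unknown action" fall-through, next to two safer variants.
use strict;
use warnings;

# Constructed request parameters standing in for %::FORM. The "hack"
# value is the kind of payload the bug report describes.
my %form = (
    product   => 'foo',
    milestone => 'bar',
    action    => 'baz',
    hack      => "<script>alert('hax0red')</script>",
);

# Minimal HTML escaping of the characters that matter in text and
# attribute context. Stand-alone equivalent of an HTML-quoting helper.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable: reflects every parameter verbatim, so attacker-controlled
# markup is rendered in the admin's browser within Bugzilla's origin.
sub render_unknown_action_vulnerable {
    my ($form) = @_;
    my $out = "Unknown action. Parameters received:<BR>\n";
    $out .= "$_: $form->{$_}<BR>\n" for sort keys %$form;
    return $out;
}

# First suggestion: show only the 'action' parameter, HTML-escaped.
sub render_unknown_action_escaped {
    my ($form) = @_;
    my $action = defined $form->{action} ? $form->{action} : '';
    return "Unknown action: " . html_escape($action) . "<BR>\n";
}

# What was eventually committed: say nothing about the request at all.
sub render_unknown_action_fixed {
    return "Unknown action.<BR>\n";
}

# Check used below: does the rendered HTML still contain a raw <script> tag?
sub contains_raw_script {
    my ($html) = @_;
    return $html =~ /<script\b/i ? 1 : 0;
}

print "--- vulnerable ---\n", render_unknown_action_vulnerable(\%form);
print "--- escaped (action only) ---\n", render_unknown_action_escaped(\%form);
print "--- fixed (nothing reflected) ---\n", render_unknown_action_fixed();

# Even when the payload is placed in 'action' itself, escaping neutralises it.
my %hostile = ( action => $form{hack} );
printf "vulnerable reflects raw script tag: %d\n",
    contains_raw_script(render_unknown_action_vulnerable(\%hostile));
printf "escaped reflects raw script tag:    %d\n",
    contains_raw_script(render_unknown_action_escaped(\%hostile));
```

Running it prints the three renderings followed by `1` for the vulnerable version and `0` for the escaped one. The fixed variant is the simplest to reason about because it has no user-controlled output at all, which is why removing the loop entirely won out over escaping.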
(Assignee)

Comment 3

15 years ago
I might even go further and remove the parameter printing totally. Who would
ever benefit even from printing out the action param? Duh.
Yeah, I agree.  Get rid of all of them.
Blocks: 206037
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1]
(Assignee)

Comment 5

15 years ago
I'll patch.
Assignee: justdave → jouni
(Assignee)

Comment 6

15 years ago
Created attachment 142351 [details] [diff] [review]
v1

Duh.
(Assignee)

Updated

15 years ago
Attachment #142351 - Flags: review?(justdave)
(Assignee)

Comment 7

15 years ago
The patch fails for those admin files that have their loops already removed (see
bug 235222 patch v3). That's probably not relevant, since the bitrot is only
about removing some lines that have already been removed elsewhere; the patch
errors can just be skipped.
Status: NEW → ASSIGNED

Updated

15 years ago
Attachment #142351 - Flags: review?(kiko)

Comment 8

15 years ago
Comment on attachment 142351 [details] [diff] [review]
v1

no-brainer
Attachment #142351 - Flags: review?(kiko) → review+

Updated

15 years ago
Flags: approval?

Comment 9

15 years ago
Since this is ready now, are we still pushing this for 2.18rc1 or we're doing it
for 2.17.7?

Or maybe 2.17.7 got renamed to rc1? I assume we'll have to do the security
advisory thing and stuff for this before checking it in.
holding approval for security advisory/release.  This will get checked in last
thing prior to the release getting tagged.
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1] → [ready for 2.16.6] [ready for 2.18rc1]
Target Milestone: --- → Bugzilla 2.16
Flags: blocking2.18+
Flags: blocking2.16.6+
Flags: approval2.16?
OK, let's check this in NOW on the trunk (but hold off on 2.16 for now).
We have too many other patches pending on the trunk that are going to conflict
with this, and it's getting in the way big time.  Just keep the commit log
message low profile for now.  "removing un-needed form value display code" or
something along those lines.
Flags: approval? → approval+
Whiteboard: [ready for 2.16.6] [ready for 2.18rc1] → [ready for 2.16.6] [fixed in 2.18rc1]
ok, checked in on the trunk.
Flags: approval2.16? → approval2.16+

Comment 13

15 years ago
checked in on 2.16 branch
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED

Updated

15 years ago
Whiteboard: [ready for 2.16.6] [fixed in 2.18rc1] → [fixed in 2.16.6] [fixed in 2.18rc1]
Clearing the security flag on disclosed bugs
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa