Url-parameter XSS vulnerability in edit*.cgi

RESOLVED FIXED in Bugzilla 2.16

Status

()

Product:
Bugzilla
Component:
Administration
Status:
RESOLVED FIXED
Reported:
15 years ago
Modified:
6 years ago

People

(Reporter: jouni, Assigned: jouni)

Tracking

Version:
2.17.6
Target:
Bugzilla 2.16
Bug Flags:
approval +
blocking2.18 +
approval2.16 +
blocking2.16.6 +

Details

(Whiteboard: [fixed in 2.16.6] [fixed in 2.18rc1])

Attachments

(1 attachment)

v1
2.90 KB, patch
justdave
: review+
kiko
: review+
Details | Diff | Splinter Review
(Assignee)

Description

15 years ago 
This is a minor one, but still:

If you manage to get an Bugzilla administrator to click an url like
http://bugzilla.mozilla.org/editmilestones.cgi?product=foo&milestone=bar&action=baz&hack=%3Cscript%3Ealert('hax0red')%3C/script%3E

The JavaScript is run in Bugzilla's security context, potentially leaking
cookies and so on.

Comment 1

15 years ago 
Yipee.  That's rather stupid. :)

editcomponents.cgi:860:    print "$_: $::FORM{$_}<BR>\n";
editgroups.cgi:646:    print "$_: $::FORM{$_}<BR>\n";
editmilestones.cgi:573:    print "$_: $::FORM{$_}<BR>\n";
editproducts.cgi:1516:    print "$_: $::FORM{$_}<BR>\n";
editusers.cgi:873:    print "$_: $::FORM{$_}<BR>\n";
editversions.cgi:548:    print "$_: $::FORM{$_}<BR>\n";
Summary: Url-parameter XSS vulnerability in editmilestones.cgi and editversions.cgi → Url-parameter XSS vulnerability in edit*.cgi

Comment 2

15 years ago 
Suggested fix: since the "I have no clue what you want" is based on the action
param, only dump the action param, and not the entire param list.  (And escape
it, too).
 (Assignee)

Comment 3

15 years ago 
I might even go further and remove the parameter printing totally. Who would
ever benefit even from printing out the action param? Duh.

Comment 4

15 years ago 
Yeah, I agree.  Get rid of all of them.
Blocks: 206037
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1]
 (Assignee)

Comment 5

15 years ago 
I'll patch.
Assignee: justdave → jouni
 (Assignee)

Comment 6

15 years ago 
Created attachment 142351 [details] [diff] [review]
v1

Duh.
 (Assignee)

Updated

15 years ago
Attachment #142351 - Flags: review?(justdave)
 (Assignee)

Comment 7

15 years ago 
The patch fails for those admin files that have their loops already removed (see
bug 235222 patch v3). That's probably not relevant, since the bitrot is only
about removing some lines that have already been removed elsewhere; the patch
errors can just be skipped.
Status: NEW → ASSIGNED

Updated

15 years ago
Attachment #142351 - Flags: review?(kiko)

Comment 8

15 years ago 
Comment on attachment 142351 [details] [diff] [review]
v1

no-brainer
Attachment #142351 - Flags: review?(kiko) → review+

Updated

15 years ago
Flags: approval?

Comment 9

15 years ago 
Since this is ready now, are we still pushing this for 2.18rc1 or we're doing it
for 2.17.7?

Or maybe 2.17.7 got renamed to rc1? I assume we'll have to do the security
advisory thing and stuff for this before checking it in.

Comment 10

15 years ago 
holding approval for security advisory/release.  This will get checked in last
thing prior to the release getting tagged.
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1] → [ready for 2.16.6] [ready for 2.18rc1]
Target Milestone: --- → Bugzilla 2.16
Flags: blocking2.18+
Flags: blocking2.16.6+
Flags: approval2.16?

Comment 11

15 years ago 
OK, check let's check this in NOW on the trunk (but hold off on 2.16 for now). 
We have too many other patches pending on the trunk that are going to conflict
with this, and it's getting in the way big time.  Just keep the commit log
message low profile for now.  "removing un-needed form value display code" or
something along those lines.
Flags: approval? → approval+
Whiteboard: [ready for 2.16.6] [ready for 2.18rc1] → [ready for 2.16.6] [fixed in 2.18rc1]

Comment 12

15 years ago 
ok, checked in on the trunk.
Flags: approval2.16? → approval2.16+

Comment 13

15 years ago 
checked in on 2.16 branch
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED

Updated

15 years ago
Whiteboard: [ready for 2.16.6] [fixed in 2.18rc1] → [fixed in 2.16.6] [fixed in 2.18rc1]

Comment 14

15 years ago 
Clearing the security flag on disclosed bugs
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.