Closed Bug 235265 Opened 21 years ago Closed 21 years ago

Url-parameter XSS vulnerability in edit*.cgi

Categories: Bugzilla :: Administration, task
Version: 2.17.6
Type: task
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Target Milestone: Bugzilla 2.16
People: Reporter: jouni, Assigned: jouni
Whiteboard: [fixed in 2.16.6] [fixed in 2.18rc1]
Attachments: 1 file

This is a minor one, but still: if you manage to get a Bugzilla administrator to click a URL like http://bugzilla.mozilla.org/editmilestones.cgi?product=foo&milestone=bar&action=baz&hack=%3Cscript%3Ealert('hax0red')%3C/script%3E, the JavaScript is run in Bugzilla's security context, potentially leaking cookies and so on.
Yippee. That's rather stupid. :)

editcomponents.cgi:860: print "$_: $::FORM{$_}<BR>\n";
editgroups.cgi:646: print "$_: $::FORM{$_}<BR>\n";
editmilestones.cgi:573: print "$_: $::FORM{$_}<BR>\n";
editproducts.cgi:1516: print "$_: $::FORM{$_}<BR>\n";
editusers.cgi:873: print "$_: $::FORM{$_}<BR>\n";
editversions.cgi:548: print "$_: $::FORM{$_}<BR>\n";
Summary: Url-parameter XSS vulnerability in editmilestones.cgi and editversions.cgi → Url-parameter XSS vulnerability in edit*.cgi
Suggested fix: since the "I have no clue what you want" is based on the action param, only dump the action param, and not the entire param list. (And escape it, too).
I might even go further and remove the parameter printing totally. Who would ever benefit even from printing out the action param? Duh.
Yeah, I agree. Get rid of all of them.
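To make the grep hits above and the suggested fix concrete, here is an added illustration (not Bugzilla's own code, and not part of this bug's patch): the unescaped parameter dump next to a hardened fallback that prints only the escaped action value. The %FORM contents, the message wording and the html_escape helper are constructed for this example.

```perl
#!/usr/bin/perl -w
use strict;

# Constructed request parameters, standing in for %::FORM as filled by the CGI layer.
my %FORM = (
    product   => 'foo',
    milestone => 'bar',
    action    => 'baz',
    hack      => "<script>alert('hax0red')</script>",
);

# Minimal HTML escaping for text interpolated into an HTML body
# (assumption: a local stand-in so the script runs without Bugzilla's modules).
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Vulnerable pattern from the edit*.cgi scripts: every parameter name and value
# is written into the page untouched, so any attacker-supplied parameter is markup.
sub dump_params_unsafe {
    my ($form) = @_;
    my $out = "I have no clue what you want.<BR>\n";
    foreach (sort keys %$form) {
        $out .= "$_: $form->{$_}<BR>\n";
    }
    return $out;
}

# Hardened fallback: the dispatch decision was based on 'action' alone, so report
# only that value, HTML-escaped. Unknown parameters such as 'hack' are never echoed.
sub dump_params_safe {
    my ($form) = @_;
    my $action = defined $form->{action} ? html_escape($form->{action}) : '';
    return "I have no clue what you want (action: $action).<BR>\n";
}

print "--- unsafe ---\n", dump_params_unsafe(\%FORM);
print "--- safe ---\n",   dump_params_safe(\%FORM);

# Sanity checks: raw <script> appears only in the vulnerable output, and the
# hardened output stays clean even when 'action' itself carries markup.
die "unsafe output should contain raw markup" unless dump_params_unsafe(\%FORM) =~ /<script>/;
die "hardened output leaked markup"           if     dump_params_safe(\%FORM)   =~ /<script>/;
$FORM{action} = "<script>alert(1)</script>";
die "hardened output leaked markup via action" if dump_params_safe(\%FORM) =~ /<script>/;
```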
Blocks: 206037
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1]
I'll patch.
Assignee: justdave → jouni
Attached patch v1
Duh.
Attachment #142351 - Flags: review?(justdave)
The patch fails for those admin files that have their loops already removed (see bug 235222 patch v3). That's probably not relevant, since the bitrot is only about removing some lines that have already been removed elsewhere; the patch errors can just be skipped.
Status: NEW → ASSIGNED
Attachment #142351 - Flags: review?(kiko)
Comment on attachment 142351 (v1): no-brainer
Attachment #142351 - Flags: review?(kiko) → review+
Flags: approval?
Since this is ready now, are we still pushing this for 2.18rc1, or are we doing it for 2.17.7? Or maybe 2.17.7 got renamed to rc1? I assume we'll have to do the security advisory thing and stuff for this before checking it in.
Attachment #142351 - Flags: review?(justdave)
holding approval for security advisory/release. This will get checked in last thing prior to the release getting tagged.
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1] → [ready for 2.16.6] [ready for 2.18rc1]
Target Milestone: --- → Bugzilla 2.16
Flags: blocking2.18+
Flags: blocking2.16.6+
Flags: approval2.16?
OK, let's check this in NOW on the trunk (but hold off on 2.16 for now). We have too many other patches pending on the trunk that are going to conflict with this, and it's getting in the way big time. Just keep the commit log message low profile for now. "removing un-needed form value display code" or something along those lines.
Flags: approval? → approval+
Whiteboard: [ready for 2.16.6] [ready for 2.18rc1] → [ready for 2.16.6] [fixed in 2.18rc1]
ok, checked in on the trunk.
Flags: approval2.16? → approval2.16+
checked in on 2.16 branch
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Whiteboard: [ready for 2.16.6] [fixed in 2.18rc1] → [fixed in 2.16.6] [fixed in 2.18rc1]
Clearing the security flag on disclosed bugs
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa