Closed Bug 235265 Opened 19 years ago Closed 19 years ago

Url-parameter XSS vulnerability in edit*.cgi


(Bugzilla :: Administration, task)




Bugzilla 2.16


(Reporter: jouni, Assigned: jouni)



(Whiteboard: [fixed in 2.16.6] [fixed in 2.18rc1])


(1 file)

This is a minor one, but still:

If you manage to get a Bugzilla administrator to click a URL like 'hax0red')%3C/script%3E

The JavaScript is run in Bugzilla's security context, potentially leaking
cookies and so on.
Yipee.  That's rather stupid. :)

editcomponents.cgi:860:    print "$_: $::FORM{$_}<BR>\n";
editgroups.cgi:646:    print "$_: $::FORM{$_}<BR>\n";
editmilestones.cgi:573:    print "$_: $::FORM{$_}<BR>\n";
editproducts.cgi:1516:    print "$_: $::FORM{$_}<BR>\n";
editusers.cgi:873:    print "$_: $::FORM{$_}<BR>\n";
editversions.cgi:548:    print "$_: $::FORM{$_}<BR>\n";
Summary: Url-parameter XSS vulnerability in editmilestones.cgi and editversions.cgi → Url-parameter XSS vulnerability in edit*.cgi
Suggested fix: since the "I have no clue what you want" is based on the action
param, only dump the action param, and not the entire param list.  (And escape
it, too).
I might even go further and remove the parameter printing totally. Who would
ever benefit even from printing out the action param? Duh.
Yeah, I agree.  Get rid of all of them.
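The pattern being discussed, as an added example (not Bugzilla's own code, and not the patch attached to this bug): the "I have no clue what you want" fallback echoing every form parameter unescaped, next to the hardened alternative proposed above that reports only the escaped action parameter. The subroutine names, the hand-rolled query-string parser, the minimal HTML escaper and the query string itself are all constructed for this demo; Bugzilla's actual fix, per the comments, was to delete the loop altogether.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla code: reproduces the edit*.cgi "unknown action"
# fallback that echoed every form parameter unescaped, beside a hardened
# version. Names, helpers and the query string are constructed for the demo.
use strict;
use warnings;

# Decode a URL query string into a hash, roughly the way %::FORM was
# populated in Bugzilla 2.16 (demo only: no multi-valued keys).
sub parse_query {
    my ($qs) = @_;
    my %form;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        for ($k, $v) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
        }
        $form{$k} = defined $v ? $v : '';
    }
    return \%form;
}

# Minimal HTML escaper written for this demo (not Bugzilla's own helper).
sub html_quote {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Vulnerable: the loop quoted in the bug, echoing raw parameter values.
sub render_unknown_action_vulnerable {
    my ($form) = @_;
    my $out = "I don't have a clue what you want.<BR>\n";
    foreach (sort keys %$form) {
        $out .= "$_: $form->{$_}<BR>\n";
    }
    return $out;
}

# Hardened: report only the parameter the branch actually depends on, escaped.
sub render_unknown_action_fixed {
    my ($form) = @_;
    my $action = defined $form->{action} ? $form->{action} : '';
    return "I don't have a clue what you want.<BR>\n"
         . "action: " . html_quote($action) . "<BR>\n";
}

# Constructed attacker-supplied parameter of the kind the report describes.
my $query = "action=%3Cscript%3Ealert('hax0red')%3C/script%3E&product=Foo";
my $form  = parse_query($query);

print "--- vulnerable output ---\n", render_unknown_action_vulnerable($form);
print "--- fixed output ---\n",      render_unknown_action_fixed($form);
```

Running it shows the vulnerable branch emitting a literal `<script>` tag into the admin's page, while the hardened branch emits `&lt;script&gt;...` and ignores the other parameters entirely; removing the echo altogether, as the patch did, closes the same hole with no escaping to get wrong.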
Blocks: 206037
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1]
I'll patch.
Assignee: justdave → jouni
Attached patch v1
Attachment #142351 - Flags: review?(justdave)
The patch fails for those admin files that have their loops already removed (see
bug 235222 patch v3). That's probably not relevant, since the bitrot is only
about removing some lines that have already been removed elsewhere; the patch
errors can just be skipped.
Attachment #142351 - Flags: review?(kiko)
Comment on attachment 142351

Attachment #142351 - Flags: review?(kiko) → review+
Flags: approval?
Since this is ready now, are we still pushing this for 2.18rc1 or we're doing it
for 2.17.7?

Or maybe 2.17.7 got renamed to rc1? I assume we'll have to do the security
advisory thing and stuff for this before checking it in.
Attachment #142351 - Flags: review?(justdave)
holding approval for security advisory/release.  This will get checked in last
thing prior to the release getting tagged.
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1] → [ready for 2.16.6] [ready for 2.18rc1]
Target Milestone: --- → Bugzilla 2.16
Flags: blocking2.18+
Flags: blocking2.16.6+
Flags: approval2.16?
OK, let's check this in NOW on the trunk (but hold off on 2.16 for now).
We have too many other patches pending on the trunk that are going to conflict
with this, and it's getting in the way big time.  Just keep the commit log
message low profile for now.  "removing un-needed form value display code" or
something along those lines.
Flags: approval? → approval+
Whiteboard: [ready for 2.16.6] [ready for 2.18rc1] → [ready for 2.16.6] [fixed in 2.18rc1]
ok, checked in on the trunk.
Flags: approval2.16? → approval2.16+
checked in on 2.16 branch
Closed: 19 years ago
Resolution: --- → FIXED
Whiteboard: [ready for 2.16.6] [fixed in 2.18rc1] → [fixed in 2.16.6] [fixed in 2.18rc1]
Clearing the security flag on disclosed bugs
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa