Closed Bug 280464 Opened 20 years ago Closed 18 years ago

XSS vulnerability in registry/file.cgi

Categories

(Webtools Graveyard :: Bonsai, defect)

Product:
Webtools Graveyard
Component:
Bonsai
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mikx, Assigned: justdave)

References

Details

(Keywords: wsec-xss)

Attachments

(1 file, 7 obsolete files)

Patch v5.1
8.25 KB, patch
bear
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

http://webtools.mozilla.org/registry/who.cgi?email=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://webtools.mozilla.org/registry/file.cgi?file=%3Cscript%3Ealert(document.cookie)%3C/script%3E



Reproducible: Always
OS: Windows XP → All
Hardware: PC → All
this is at least partly a duplicate of bug 276985 which you reported. registry
is shared between tinderbox and bonsai.
Attached patch Do not use make_cgi_args (obsolete) — Splinter Review 
So the problem stems from the use of make_cgi_args.  This function just takes
the values from the url and re-encodes them so that they can be used in a link.
 It does no sanity checking so we're better off just not using it.
Assignee: tara → cls
Status: UNCONFIRMED → ASSIGNED
Attachment #178967 - Flags: review?(timeless)
Comment on attachment 178967 [details] [diff] [review]
Do not use make_cgi_args

Argh! Wrong bug!
Attachment #178967 - Attachment is obsolete: true
Attachment #178967 - Flags: review?(timeless)
changing severity to major so this bubbles to the top of my bonsai todo list
Assignee: cls → bear
Severity: normal → major
Status: ASSIGNED → NEW
QA Contact: timeless → bonsai
Summary: XSS vulnerability in who.cgi and file.cgi → XSS vulnerability in registry/file.cgi
Attached patch patch - v1 (obsolete) — Splinter Review 
I think this should fix it.
Assignee: bear → reed
Status: NEW → ASSIGNED
Attachment #249972 - Flags: review?(justdave)
Attached patch patch - v1 (obsolete) — Splinter Review 
I think this should fix it.
Attachment #249973 - Flags: review?(justdave)
Attachment #249973 - Attachment is obsolete: true
Attachment #249973 - Flags: review?(justdave)
Attachment #249972 - Flags: review?(zach)
Comment on attachment 249972 [details] [diff] [review]
patch - v1

yikes.

This only partially fixes it.  We've got a ton of unescaped stuff in the generated URLs still.

The individual parameters to the URLs need to be encoded so that & and = are %codes if they occur within a parameter.  The & characters in the URLs all need to be & as well.

If I'm not mistaken, the whole point of registry is purely output formatting.  If that's the case, this is a perfect candidate to be tossed into a template, which would probably make all the encoding/escaping issues easier to deal with, too.
Attachment #249972 - Flags: review?(zach)
Attachment #249972 - Flags: review?(justdave)
Attachment #249972 - Flags: review-
Attached patch patch - v2 (obsolete) — Splinter Review 
Oops, I just had my use of url_encode() and html_quote() backwards. :)

This should fix all the issues now.
Attachment #249972 - Attachment is obsolete: true
Attachment #249981 - Flags: review?(zach)
Attachment #249981 - Flags: review?(justdave)
Comment on attachment 249981 [details] [diff] [review]
patch - v2

a) Undefined subroutine &main::html_quote called at /opt/webtools/registry/file.cgi line 31.

b) this only fixes file.cgi, who.cgi is reported with the same problem in comment 0
Attachment #249981 - Flags: review?(zach)
Attachment #249981 - Flags: review?(justdave)
Attachment #249981 - Flags: review-
OK, both of these issues are addressed in bug 276985, whose patch needs to be applied first before this one.  Setting dependency appropriately, will re-review in a moment.
Depends on: 276985
Comment on attachment 249981 [details] [diff] [review]
patch - v2

ok, the review- still stands.  With this patch applied, I still get the js alert in the testcase.
ok, after the changes given on IRC, the testcases here no longer work, but this one does:

http://webtools.mozilla.org/registry/file.cgi?file=%22%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Attached patch Patch v3 (obsolete) — Splinter Review 
This is a wholesale replacement for file.cgi, there is NONE of the original code left.  The entire thing is re-presentation of items passed in via the query string, so I moved the majority of the display logic into a template.

As a consequence of being a wholesale rewrite, the license has also been changed from NPL to MPL.
Assignee: reed → justdave
Attachment #249981 - Attachment is obsolete: true
Attachment #250142 - Flags: review?
patch v3 is available for testing at http://webtools.mozilla.org/registry2/file.cgi

That URL will go away once this is put into production.
removing the dependency... this patch also has no dependencies on the other bug (or on lloydcgi.pl, which can go away once the other one is checked in as well)
No longer depends on: 276985
Oh, this also adds a dependency on Template Toolkit. Anyone also running Bugzilla on the same machine will already have this present -- we didn't on dm-webtools01, I just had to install it for this.
Attached patch Patch v4 (obsolete) — Splinter Review 
Revised patch based on some IRC discussion.  Gets rid of the <dt> usage, and fixes a couple code style nits in file.cgi.
Attachment #250142 - Attachment is obsolete: true
Attachment #250143 - Flags: review?
Attachment #250142 - Flags: review?
Attached patch Patch v5 (obsolete) — Splinter Review 
Adds a DOCTYPE declaration, more general cleanup.  Moves the processing of the "@extra" stuff into the template.
Attachment #250143 - Attachment is obsolete: true
Attachment #250145 - Flags: review?
Attachment #250143 - Flags: review?
Attached patch Patch v5.1Splinter Review 
minor cleanup of the previous patch based on stuff learned doing who.cgi on bug 276985.  The main reason for a new patch is the revised license header that says (C) 2007 instead of (C) 2006 ;)
Attachment #250145 - Attachment is obsolete: true
Attachment #250147 - Flags: review?
Attachment #250145 - Flags: review?
Blocks: 365619
Attachment #250147 - Flags: review? → review+
Checking in file.cgi;
/cvsroot/mozilla/webtools/registry/file.cgi,v  <--  file.cgi
new revision: 1.4; previous revision: 1.3
done
RCS file: /cvsroot/mozilla/webtools/registry/file.html.tmpl,v
done
Checking in file.html.tmpl;
/cvsroot/mozilla/webtools/registry/file.html.tmpl,v  <--  file.html.tmpl
initial revision: 1.1
done
Group: webtools-security
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
Product: Webtools → Webtools Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: