Closed
Bug 280464
Opened 20 years ago
Closed 18 years ago
XSS vulnerability in registry/file.cgi
Categories
(Webtools Graveyard :: Bonsai, defect)
Webtools Graveyard
Bonsai
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mikx, Assigned: justdave)
References
Details
(Keywords: wsec-xss)
Attachments
(1 file, 7 obsolete files)
8.25 KB,
patch
|
bear
:
review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 http://webtools.mozilla.org/registry/who.cgi?email=%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E http://webtools.mozilla.org/registry/file.cgi?file=%3Cscript%3Ealert(document.cookie)%3C/script%3E Reproducible: Always
Updated•20 years ago
|
OS: Windows XP → All
Hardware: PC → All
this is at least partly a duplicate of bug 276985 which you reported. registry is shared between tinderbox and bonsai.
So the problem stems from the use of make_cgi_args. This function just takes the values from the url and re-encodes them so that they can be used in a link. It does no sanity checking so we're better off just not using it.
Comment on attachment 178967 [details] [diff] [review] Do not use make_cgi_args Argh! Wrong bug!
Attachment #178967 -
Attachment is obsolete: true
Attachment #178967 -
Flags: review?(timeless)
Comment 4•18 years ago
|
||
changing severity to major so this bubbles to the top of my bonsai todo list
Assignee: cls → bear
Severity: normal → major
Status: ASSIGNED → NEW
Updated•18 years ago
|
QA Contact: timeless → bonsai
Updated•18 years ago
|
Summary: XSS vulnerability in who.cgi and file.cgi → XSS vulnerability in registry/file.cgi
Comment 5•18 years ago
|
||
I think this should fix it.
Updated•18 years ago
|
Attachment #249973 -
Attachment is obsolete: true
Attachment #249973 -
Flags: review?(justdave)
Updated•18 years ago
|
Attachment #249972 -
Flags: review?(zach)
Assignee | ||
Comment 7•18 years ago
|
||
Comment on attachment 249972 [details] [diff] [review] patch - v1 yikes. This only partially fixes it. We've got a ton of unescaped stuff in the generated URLs still. The individual parameters to the URLs need to be encoded so that & and = are %codes if they occur within a parameter. The & characters in the URLs all need to be & as well. If I'm not mistaken, the whole point of registry is purely output formatting. If that's the case, this is a perfect candidate to be tossed into a template, which would probably make all the encoding/escaping issues easier to deal with, too.
Attachment #249972 -
Flags: review?(zach)
Attachment #249972 -
Flags: review?(justdave)
Attachment #249972 -
Flags: review-
Comment 8•18 years ago
|
||
Oops, I just had my use of url_encode() and html_quote() backwards. :) This should fix all the issues now.
Attachment #249972 -
Attachment is obsolete: true
Attachment #249981 -
Flags: review?(zach)
Attachment #249981 -
Flags: review?(justdave)
Assignee | ||
Comment 9•18 years ago
|
||
Comment on attachment 249981 [details] [diff] [review] patch - v2 a) Undefined subroutine &main::html_quote called at /opt/webtools/registry/file.cgi line 31. b) this only fixes file.cgi, who.cgi is reported with the same problem in comment 0
Attachment #249981 -
Flags: review?(zach)
Attachment #249981 -
Flags: review?(justdave)
Attachment #249981 -
Flags: review-
Assignee | ||
Comment 10•18 years ago
|
||
OK, both of these issues are addressed in bug 276985, whose patch needs to be applied first before this one. Setting dependency appropriately, will re-review in a moment.
Depends on: 276985
Assignee | ||
Comment 11•18 years ago
|
||
Comment on attachment 249981 [details] [diff] [review] patch - v2 ok, the review- still stands. With this patch applied, I still get the js alert in the testcase.
Assignee | ||
Comment 12•18 years ago
|
||
ok, after the changes given on IRC, the testcases here no longer work, but this one does: http://webtools.mozilla.org/registry/file.cgi?file=%22%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Assignee | ||
Comment 13•18 years ago
|
||
This is a wholesale replacement for file.cgi, there is NONE of the original code left. The entire thing is re-presentation of items passed in via the query string, so I moved the majority of the display logic into a template. As a consequence of being a wholesale rewrite, the license has also been changed from NPL to MPL.
Assignee: reed → justdave
Attachment #249981 -
Attachment is obsolete: true
Attachment #250142 -
Flags: review?
Assignee | ||
Comment 14•18 years ago
|
||
patch v3 is available for testing at http://webtools.mozilla.org/registry2/file.cgi That URL will go away once this is put into production.
Assignee | ||
Comment 15•18 years ago
|
||
removing the dependency... this patch also has no dependencies on the other bug (or on lloydcgi.pl, which can go away once the other one is checked in as well)
No longer depends on: 276985
Assignee | ||
Comment 16•18 years ago
|
||
Oh, this also adds a dependency on Template Toolkit. Anyone also running Bugzilla on the same machine will already have this present -- we didn't on dm-webtools01, I just had to install it for this.
Assignee | ||
Comment 17•18 years ago
|
||
Revised patch based on some IRC discussion. Gets rid of the <dt> usage, and fixes a couple code style nits in file.cgi.
Attachment #250142 -
Attachment is obsolete: true
Attachment #250143 -
Flags: review?
Attachment #250142 -
Flags: review?
Assignee | ||
Comment 18•18 years ago
|
||
Adds a DOCTYPE declaration, more general cleanup. Moves the processing of the "@extra" stuff into the template.
Attachment #250143 -
Attachment is obsolete: true
Attachment #250145 -
Flags: review?
Attachment #250143 -
Flags: review?
Assignee | ||
Comment 19•18 years ago
|
||
minor cleanup of the previous patch based on stuff learned doing who.cgi on bug 276985. The main reason for a new patch is the revised license header that says (C) 2007 instead of (C) 2006 ;)
Attachment #250145 -
Attachment is obsolete: true
Attachment #250147 -
Flags: review?
Attachment #250145 -
Flags: review?
Updated•18 years ago
|
Attachment #250147 -
Flags: review? → review+
Assignee | ||
Comment 20•18 years ago
|
||
Checking in file.cgi; /cvsroot/mozilla/webtools/registry/file.cgi,v <-- file.cgi new revision: 1.4; previous revision: 1.3 done RCS file: /cvsroot/mozilla/webtools/registry/file.html.tmpl,v done Checking in file.html.tmpl; /cvsroot/mozilla/webtools/registry/file.html.tmpl,v <-- file.html.tmpl initial revision: 1.1 done
Group: webtools-security
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 21•11 years ago
|
||
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Updated•8 years ago
|
Product: Webtools → Webtools Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•