Closed Bug 319085 Opened 14 years ago Closed 14 years ago

XSS with the "product=" parameter of editproducts.cgi

Categories

(Bugzilla :: Administration, task)

2.18.4
task
Not set


RESOLVED DUPLICATE of bug 206037

People

(Reporter: mkanat, Unassigned)

Details

Tim Brown <timb@nth-dimension.org.uk> reports:

Bugzilla 2.18.4, 2.20

Injection of malicious Javascript is possible by modification of the product parameter of editproducts.cgi.  Since this CGI is designed to be requested using the GET method, the URL including malicious code can then be distributed via email.


I'm marking this as normal, because it's an admin CGI. I don't believe this is exploitable by an end user, except in an email to an admin (could attack an admin by sending a tinyurl).
Which param are you talking about, 'product'? And for which action of editproducts.cgi? The only field which is not filtered is the product description, and it's so by design. If an admin is stupid enough to inject malicious JS code here, then this Bugzilla installation isn't worth considering.

Marking WFM but keeping the sec flag for now till we have more information.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Target Milestone: Bugzilla 2.18 → ---
Looks like a dupe of bug 26257 or bug 281181.
Adding reporter for bug access.
(In reply to comment #0)
> Tim Brown <timb@nth-dimension.org.uk> reports:
> 
> Bugzilla 2.18.4, 2.20
> 
> Injection of malicious Javascript is possible by modification of the product
> parameter of editproducts.cgi.  Since this CGI is designed to be requested
> using the GET method, the URL including malicious code can then be distributed
> via email.
> 
> 
> I'm marking this as normal, because it's an admin CGI. I don't believe this is
> exploitable by an end user, except in an email to an admin (could attack an
> admin by sending a tinyurl).
> 

(In reply to comment #2)
> looks like a dupe of bug 26257 or bug 281181.
> 

Nope, not unless you choose to call the entire class of malicious Javascript injection *1* bug.  It's exploitable by a completely unauthenticated user, assuming they can get an admin to click on their link, which might not be that hard since most people will consider their Bugzilla trustworthy.  Under these circumstances, I believe it may be possible to send malicious URLs to exploit browser bugs and compromise the user's system and also to compromise their Bugzilla session.  Try browsing to http://hostname/path/to/bugzilla/editproducts.cgi?action=edit&product=<script>alert(document.cookie)</script> and logging in when prompted.
(In reply to comment #4)
> Bugzilla session.  Try browsing to
> http://hostname/path/to/bugzilla/editproducts.cgi?action=edit&product=<script>alert(document.cookie)</script>
> and logging in when prompted.


I already did that. And I get, using 2.21.1:

Specified Product Does Not Exist

 The product '<script>alert(document.cookie)</script>' does not exist.


*But* I can indeed reproduce this bug using 2.20. Looking at this problem a bit further it appears to be a dupe of bug 206037.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
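Added example (not Bugzilla's code, and in Python rather than the Perl Bugzilla is written in): the unescaped "product does not exist" rendering reproduced on 2.20 beside the escaped form that 2.21.1 shows, a regression check that tells the two apart, and an access-log check that flags requests carrying markup in the product= parameter of editproducts.cgi. The function names, the sample log line and the template text are constructed for this example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed value mirroring the payload quoted in the thread: an unknown
# product name supplied through the "product=" parameter of editproducts.cgi.
PAYLOAD = "<script>alert(document.cookie)</script>"
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")  # start of an HTML tag

def render_missing_product_vulnerable(product: str) -> str:
    """Error page built by raw interpolation: the parameter lands in the HTML
    verbatim, which is the 2.18.4/2.20 behaviour the report describes."""
    return f"<p>The product '{product}' does not exist.</p>"

def render_missing_product_safe(product: str) -> str:
    """Same message with the parameter HTML-escaped before interpolation;
    quote=True also escapes quotes, so it is safe inside attributes too."""
    return f"<p>The product '{html.escape(product, quote=True)}' does not exist.</p>"

def reflects_raw_markup(render, value: str = PAYLOAD) -> bool:
    """Regression check for any renderer taking the parameter as its only
    argument: render a markup-bearing value and report whether more tag
    openers appear than the template alone produces for a harmless name."""
    baseline = len(TAG_RE.findall(render("harmless-product")))
    return len(TAG_RE.findall(render(value))) > baseline

def suspicious_editproducts_request(log_line: str) -> bool:
    """Access-log check (defender side): flag a GET to editproducts.cgi whose
    product= value, once percent-decoded, contains a tag opener."""
    m = re.search(r'"GET (\S+) HTTP/', log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if not url.path.endswith("/editproducts.cgi"):
        return False
    return any(TAG_RE.search(v) for v in parse_qs(url.query).get("product", []))

# Constructed sample log line (not from any real server).
SAMPLE_LOG = ('203.0.113.5 - - [01/Jan/2006:10:00:00 +0000] "GET /bugzilla/'
              'editproducts.cgi?action=edit&product=%3Cscript%3Ealert(1)%3C/script%3E'
              ' HTTP/1.1" 200 1234')

if __name__ == "__main__":
    print("vulnerable reflects raw markup:", reflects_raw_markup(render_missing_product_vulnerable))
    print("safe reflects raw markup:", reflects_raw_markup(render_missing_product_safe))
    print("sample log line flagged:", suspicious_editproducts_request(SAMPLE_LOG))
```

The regression check is renderer-agnostic, so the same call can be pointed at any error template that echoes a request parameter.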

*** This bug has been marked as a duplicate of 206037 ***
Status: REOPENED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
bug 206037 has been fixed.
Group: webtools-security