Bug 386942 - [SECURITY] User Agent text should be HTML escaped
Status: VERIFIED FIXED [ready for all branches]
Product: Bugzilla
Classification: Server Software
Component: Bugzilla-General
Version: 2.17.1
Platform: All All
Importance: -- normal
Target Milestone: Bugzilla 2.20
Assigned To: Frédéric Buclin
QA Contact: default-qa
URL: https://bugzilla.mozilla.org/enter_bu...
Blocks: 389843
Reported: 2007-07-05 02:38 PDT by Masahiro YAMADA
Modified: 2007-09-03 17:06 PDT
Flags:
LpSolit: approval+
justdave: blocking3.1.1+
LpSolit: approval3.0+
justdave: blocking3.0.1+
LpSolit: approval2.22+
justdave: blocking2.22.3+
LpSolit: approval2.20+
justdave: blocking2.20.5+


Attachments
patch, v1 (919 bytes, patch)
2007-07-05 11:01 PDT, Frédéric Buclin
justdave: review+
temporary.. (916 bytes, patch)
2007-07-05 11:02 PDT, A. Shimono [:himorin]
no flags
patch, v1.1 (1.45 KB, patch)
2007-07-05 14:33 PDT, Frédéric Buclin
justdave: review+

Description Masahiro YAMADA 2007-07-05 02:38:18 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; ja; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Build Identifier: 

At the "Enter A Bug" page for Firefox,
the default value of Build Identifier is the User Agent text.
But it is not HTML escaped.


Reproducible: Always

Steps to Reproduce:
1. Change the User Agent text to contain ">
   In Firefox, open about:config and change general.useragent.extra.firefox to
   Firefox">/2.0.0.4

2. Open https://bugzilla.mozilla.org/enter_bug.cgi?product=Firefox&format=guided
3. Check the Build Identifier text
Actual Results:  
It is not HTML Escaped.

Expected Results:  
It should be HTML escaped.

I don't know whether this bug is an XSS vulnerability or not.
If this bug is not an XSS vulnerability, there is no reason to keep the Security flag on.
Comment 1 timeless 2007-07-05 02:47:50 PDT
useragents are between you, your browser, its extensions, your trusted proxy, and bugzilla.

if your trusted proxy isn't trustworthy it can just insert whatever it pleases whenever it pleases. similarly for everything else up the line.
Comment 2 Masahiro YAMADA 2007-07-05 02:56:02 PDT
The following User-Agent causes a script to execute.
Firefox"><script>alert("hello")</script>
Comment 3 Dave Miller [:justdave] (justdave@bugzilla.org) 2007-07-05 10:38:18 PDT
I don't care if the source is supposed to be trusted on the client end, it came from the client's connection and we didn't escape it, and that's a problem.
Comment 4 Dave Miller [:justdave] (justdave@bugzilla.org) 2007-07-05 10:56:57 PDT
This is Gerv's code he should know about it even if he's not the one to fix it.
Comment 5 Dave Miller [:justdave] (justdave@bugzilla.org) 2007-07-05 10:57:33 PDT
template/en/default/bug/create/create-guided.html.tmpl:
      <input type="text" size="80" name="buildid" value="[% buildid %]">
Comment 6 Frédéric Buclin 2007-07-05 11:01:18 PDT
Created attachment 271090 [details] [diff] [review]
patch, v1

Trivial fix. That's the only place where the UA doesn't pass through a regexp.
Comment 7 A. Shimono [:himorin] 2007-07-05 11:02:21 PDT
Created attachment 271091 [details] [diff] [review]
temporary..

i use this patch on our bugzilla site. (http://bugzilla.mozilla.gr.jp)
Comment 8 Dave Miller [:justdave] (justdave@bugzilla.org) 2007-07-05 11:06:44 PDT
Comment on attachment 271090 [details] [diff] [review]
patch, v1

two of you came up with the same patch independently, and it's what I would have done myself, too, so it must be good ;)
Comment 9 Frédéric Buclin 2007-07-05 11:20:55 PDT
OK, I checked in all supported versions and there is no other place where CGI->user_agent() is used in an untrusted way.
Comment 10 Frédéric Buclin 2007-07-05 14:33:49 PDT
Created attachment 271123 [details] [diff] [review]
patch, v1.1

I forgot to remove buildid from filterexceptions.pl.
Comment 11 Dave Miller [:justdave] (justdave@bugzilla.org) 2007-07-05 16:07:36 PDT
Comment on attachment 271123 [details] [diff] [review]
patch, v1.1

ah, yes, I was meaning to ask earlier what justification was used for adding it there to begin with (hence why it passed the test anyway)
Comment 12 Gervase Markham [:gerv] 2007-07-11 03:25:35 PDT
This is not a security problem; you can't XSS yourself. However, if the build ID were to include a "<" character, then the page would render incorrectly, so it's appropriate to fix it.

Gerv
Comment 13 Masahiro YAMADA 2007-07-11 03:52:19 PDT
(In reply to comment #12)
> This is not a security problem; you can't XSS yourself. However, if the build
> ID were to include a "<" character, then the page would render incorrectly, so
> it's appropriate to fix it.
No, this is an XSS vulnerability!

If the URL parameter "buildid" exists in the request, create-guided.html.tmpl uses its value instead of the UA string.

Following url causes XSS.
https://bugzilla.mozilla.org/enter_bug.cgi?product=Thunderbird&format=guided&reproducible=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

Workaround: NoScript can block this XSS.
Comment 14 Gervase Markham [:gerv] 2007-07-11 03:58:43 PDT
OK, now that _is_ an XSS :-( The problem here is that the build ID was originally always taken from the UA (no problem) but then someone asked for the possibility of passing it as a URL parameter, and we added that. This introduced the XSS problem and we didn't notice. Drat.

Lesson: we should presume even more in favour of filtering when in doubt.

Gerv
Comment 16 Frédéric Buclin 2007-08-16 01:58:19 PDT
For the record, buildid was introduced in bug 133559 for Bugzilla 2.17.1. At that time, buildid was only taken from the UA. Then bug 308950 implemented the ability to pass it as a parameter, which would overwrite the UA. This was for Bugzilla 2.23.4. So if you trust your UA, only 2.23.4 and higher are "really" affected by this bug, but this field has never been escaped, even in 2.17.1.
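The behaviour discussed in comments 5, 11 and 13, as an added Python example that is not Bugzilla's own code: a minimal stand-in for Template Toolkit directive expansion, the buildid-parameter override of the User-Agent, and a filterexceptions-style check that reports directives with no FILTER. The template strings, the `exceptions` list and the sample values are assumptions modelled on the fragment quoted in comment 5 and the `">` breakout from the report.

```python
import html
import re

# Constructed template fragments modelled on the line quoted in comment 5.
# Assumption: a single [% ... %] directive, no other template syntax.
VULNERABLE_TMPL = '<input type="text" size="80" name="buildid" value="[% buildid %]">'
FIXED_TMPL = '<input type="text" size="80" name="buildid" value="[% buildid FILTER html %]">'

DIRECTIVE = re.compile(r"\[%\s*(.*?)\s*%\]")


def render(template, variables):
    """Tiny stand-in for Template Toolkit: expands [% var %] (raw) and
    [% var FILTER html %] (escaped). Anything else raises."""
    def expand(match):
        parts = match.group(1).split()
        value = str(variables[parts[0]])
        if len(parts) == 1:
            return value                              # raw interpolation
        if parts[1:] == ["FILTER", "html"]:
            return html.escape(value, quote=True)     # escapes & < > " '
        raise ValueError("unsupported directive: " + match.group(0))
    return DIRECTIVE.sub(expand, template)


def build_id(params, user_agent):
    """Mirror comment 13: a buildid request parameter overrides the UA string,
    so the value is attacker-controllable via a link, not just via the client."""
    return params.get("buildid", user_agent)


def unfiltered_directives(template, exceptions=()):
    """Stand-in for the filterexceptions.pl check mentioned in comments 10/11:
    list every variable interpolated without a FILTER, unless it is on the
    exceptions list. Listing buildid there is what let the bug pass the test."""
    found = []
    for match in DIRECTIVE.finditer(template):
        parts = match.group(1).split()
        if "FILTER" not in parts and parts[0] not in exceptions:
            found.append(parts[0])
    return found


if __name__ == "__main__":
    payload = 'Firefox">/2.0.0.4'  # constructed value from step 1 of the report
    print(render(VULNERABLE_TMPL, {"buildid": payload}))  # attribute closed early
    print(render(FIXED_TMPL, {"buildid": payload}))       # quotes stay inside value
    print(unfiltered_directives(VULNERABLE_TMPL))         # ['buildid']
```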
Comment 17 Frédéric Buclin 2007-08-23 08:38:12 PDT
tip:

Checking in template/en/default/filterexceptions.pl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v  <--  filterexceptions.pl
new revision: 1.106; previous revision: 1.105
done
Checking in template/en/default/bug/create/create-guided.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/bug/create/create-guided.html.tmpl,v  <--  create-guided.html.tmpl
new revision: 1.40; previous revision: 1.39
done


3.0:

Checking in template/en/default/filterexceptions.pl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v  <--  filterexceptions.pl
new revision: 1.95.2.1; previous revision: 1.95
done
Checking in template/en/default/bug/create/create-guided.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/bug/create/create-guided.html.tmpl,v  <--  create-guided.html.tmpl
new revision: 1.36.2.2; previous revision: 1.36.2.1
done


2.22.2:

Checking in template/en/default/filterexceptions.pl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v  <--  filterexceptions.pl
new revision: 1.61.2.6; previous revision: 1.61.2.5
done
Checking in template/en/default/bug/create/create-guided.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/bug/create/create-guided.html.tmpl,v  <--  create-guided.html.tmpl
new revision: 1.26.4.5; previous revision: 1.26.4.4
done


2.20.4:

Checking in template/en/default/filterexceptions.pl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v  <--  filterexceptions.pl
new revision: 1.43.2.7; previous revision: 1.43.2.6
done
Checking in template/en/default/bug/create/create-guided.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/bug/create/create-guided.html.tmpl,v  <--  create-guided.html.tmpl
new revision: 1.26.2.3; previous revision: 1.26.2.2
done
Comment 18 Max Kanat-Alexander 2007-08-23 14:03:13 PDT
Security advisory from Bug 389843 sent, unlocking bug.
Comment 19 Masahiro YAMADA 2007-08-23 20:05:38 PDT
Verified at b.m.o. and checkins at bonsai.
Comment 20 Masahiro YAMADA 2007-09-03 17:06:29 PDT
List of security advisories on security information sites.

NIST:CVE-2007-4543.
 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4543
SecurityFocus:Bugtraq ID 25425
 http://www.securityfocus.com/bid/25425
FRSIRT:ADV-2007-2977
 http://www.frsirt.com/english/advisories/2007/2977
SECTRACK:1018604
 http://www.securitytracker.com/id?1018604
SECUNIA:26584
 http://secunia.com/advisories/26584
XF:bugzilla-buildid-xss(36241)
 http://xforce.iss.net/xforce/xfdb/36241
