[SECURITY] User Agent text should be HTML escaped

VERIFIED FIXED in Bugzilla 2.20

Status

Bugzilla
Bugzilla-General
VERIFIED FIXED
10 years ago
10 years ago

People

(Reporter: Masahiro YAMADA, Assigned: Frédéric Buclin)

Tracking

2.17.1
Bugzilla 2.20
Bug Flags:
approval +
blocking3.1.1 +
approval3.0 +
blocking3.0.1 +
approval2.22 +
blocking2.22.3 +
approval2.20 +
blocking2.20.5 +

Details

(Whiteboard: [ready for all branches], URL)

Attachments

(1 attachment, 2 obsolete attachments)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; ja; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Build Identifier: 

At the "Enter A Bug" page for Firefox,
the default value of Build Identifier is the User Agent text.
But it is not HTML escaped.


Reproducible: Always

Steps to Reproduce:
1. Change the User Agent text to contain ">
   In Firefox, open about:config and change general.useragent.extra.firefox to
   Firefox">/2.0.0.4

2. Open https://bugzilla.mozilla.org/enter_bug.cgi?product=Firefox&format=guided
3. Check the Build Identifier text
Actual Results:  
It is not HTML Escaped.

Expected Results:  
It should be HTML escaped.

I don't know whether this bug is an XSS vulnerability or not.
If this bug is not an XSS vulnerability, there is no reason to keep the Security flag on.

Comment 1

10 years ago
useragents are between you, your browser, its extensions, your trusted proxy, and bugzilla.

if your trusted proxy isn't trustworthy it can just insert whatever it pleases whenever it pleases. similarly for everything else up the line.
Group: webtools-security
(Reporter)

Comment 2

10 years ago
The following User-Agent causes a script to execute.
Firefox"><script>alert("hello")</script>
I don't care if the source is supposed to be trusted on the client end, it came from the client's connection and we didn't escape it, and that's a problem.
Group: webtools-security
Flags: blocking3.1.1+
Flags: blocking3.0.1+
Flags: blocking2.22.3+
Flags: blocking2.20.5+
Target Milestone: --- → Bugzilla 2.20
This is Gerv's code he should know about it even if he's not the one to fix it.
template/en/default/bug/create/create-guided.html/tmpl:
      <input type="text" size="80" name="buildid" value="[% buildid %]">
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Comment 6

10 years ago
Created attachment 271090 [details] [diff] [review]
patch, v1

Trivial fix. That's the only place where the UA doesn't pass through a regexp.
Assignee: general → LpSolit
Status: NEW → ASSIGNED
Attachment #271090 - Flags: review?(justdave)

Comment 7

10 years ago
Created attachment 271091 [details] [diff] [review]
temporary..

I use this patch on our bugzilla site. (http://bugzilla.mozilla.gr.jp)
Comment on attachment 271090 [details] [diff] [review]
patch, v1

two of you came up with the same patch independently, and it's what I would have done myself, too, so it must be good ;)
Attachment #271090 - Flags: review?(justdave) → review+
(Assignee)

Comment 9

10 years ago
OK, I checked in all supported versions and there is no other place where CGI->user_agent() is used in an untrusted way.
Flags: approval?
Flags: approval3.0?
Flags: approval2.22?
Flags: approval2.20?
Whiteboard: [ready for all branches]
Version: unspecified → 2.20.4
(Assignee)

Comment 10

10 years ago
Created attachment 271123 [details] [diff] [review]
patch, v1.1

I forgot to remove buildid from filterexceptions.pl.
Attachment #271090 - Attachment is obsolete: true
Attachment #271091 - Attachment is obsolete: true
Attachment #271123 - Flags: review?(justdave)
Comment on attachment 271123 [details] [diff] [review]
patch, v1.1

ah, yes, I was meaning to ask earlier what justification was used for adding it there to begin with (hence why it passed the test anyway)
Attachment #271123 - Flags: review?(justdave) → review+
This is not a security problem; you can't XSS yourself. However, if the build ID were to include a "<" character, then the page would render incorrectly, so it's appropriate to fix it.

Gerv
(Reporter)

Comment 13

10 years ago
(In reply to comment #12)
> This is not a security problem; you can't XSS yourself. However, if the build
> ID were to include a "<" character, then the page would render incorrectly, so
> it's appropriate to fix it.
No, this is an XSS vulnerability!

If URL Parameter "buildid" exists in request, create-guided.html/tmpl uses its value instead of UA string.

The following URL causes XSS.
https://bugzilla.mozilla.org/enter_bug.cgi?product=Thunderbird&format=guided&reproducible=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

Workaround: NoScript can block this XSS.
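The template line quoted earlier (`value="[% buildid %]"`) and comment 13's point that the same field can also be fed from a URL parameter both come down to one output-encoding rule: whatever the source of `buildid`, it must be HTML-escaped before it is interpolated into an attribute. The following Python script is an added illustration, not Bugzilla's code or the patch attached to this bug; it stands in for Template Toolkit's `html` filter with `html.escape`, renders the same `<input>` tag with and without escaping, and uses the standard-library HTML tokenizer to show what a browser would make of each result. The User-Agent strings in it are constructed sample values (the hostile one follows the shape given in comment 2).

```python
import html
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Constructed sample values. HOSTILE_UA mirrors the shape described in the bug:
# a double quote and '>' that close the value attribute, followed by a tag.
NORMAL_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.0; ja; rv:1.8.1.4) "
             "Gecko/20070515 Firefox/2.0.0.4")
HOSTILE_UA = 'Mozilla/5.0 Firefox"><script>alert("hello")</script>'


def render_unfiltered(buildid: str) -> str:
    """Same shape as the original template line: [% buildid %] with no filter.
    The value is interpolated verbatim into the attribute."""
    return f'<input type="text" size="80" name="buildid" value="{buildid}">'


def render_filtered(buildid: str) -> str:
    """What an HTML filter does: escape & < > and " before interpolation.
    quote=True is essential here because the value sits inside a quoted attribute."""
    escaped = html.escape(buildid, quote=True)
    return f'<input type="text" size="80" name="buildid" value="{escaped}">'


class _TagCollector(HTMLParser):
    """Records every start tag seen and the value attribute of the first <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.input_value: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and self.input_value is None:
            # HTMLParser has already decoded entities in attribute values,
            # so a correctly escaped value round-trips to the original string.
            self.input_value = dict(attrs).get("value")


def parse_rendered(markup: str) -> Tuple[List[str], Optional[str]]:
    """Tokenize the rendered fragment the way a browser would and report which
    tags came out and what ended up in the input's value attribute."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.input_value


def is_safe(markup: str, original: str) -> bool:
    """True when the fragment contains exactly one tag (the input) and its value
    attribute is the original string, i.e. nothing escaped the attribute context."""
    tags, value = parse_rendered(markup)
    return tags == ["input"] and value == original


if __name__ == "__main__":
    for ua in (NORMAL_UA, HOSTILE_UA):
        print(repr(ua))
        print("  unfiltered safe:", is_safe(render_unfiltered(ua), ua))
        print("  filtered   safe:", is_safe(render_filtered(ua), ua))
```

With the hostile value, the unfiltered rendering tokenizes into an `input` tag whose value is cut short at the injected quote, followed by a `script` tag; the filtered rendering yields a single `input` tag whose value attribute decodes back to the full original string. The check is the same whether the value arrived in the User-Agent header or in the `buildid` URL parameter, which is why escaping at the output point is the right fix rather than trusting any particular source.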
(Reporter)

Updated

10 years ago
Summary: User Agent text shoule be HTML escaped → User Agent text and buildid url parameter shoule be HTML escaped
OK, now that _is_ an XSS :-( The problem here is that the build ID was originally always taken from the UA (no problem) but then someone asked for the possibility of passing it as a URL parameter, and we added that. This introduced the XSS problem and we didn't notice. Drat.

Lesson: we should presume even more in favour of filtering when in doubt.

Gerv
(Reporter)

Comment 15

10 years ago
> https://bugzilla.mozilla.org/enter_bug.cgi?product=Thunderbird&format=guided&reproducible=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
> 
s/reproducible/buildid

(Reporter)

Updated

10 years ago
Summary: User Agent text and buildid url parameter shoule be HTML escaped → User Agent text shoule be HTML escaped
(Assignee)

Updated

10 years ago
Blocks: 389843

Updated

10 years ago
Summary: User Agent text shoule be HTML escaped → User Agent text should be HTML escaped
(Assignee)

Comment 16

10 years ago
For the record, buildid was introduced in bug 133559 for Bugzilla 2.17.1. At that time, buildid was only taken from the UA. Then bug 308950 implemented the ability to pass it as a parameter, which would overwrite the UA. This was for Bugzilla 2.23.4. So if you trust your UA, only 2.23.4 and higher are "really" affected by this bug, but this field has never been escaped, even in 2.17.1.
Summary: User Agent text should be HTML escaped → [SECURITY] User Agent text should be HTML escaped
Version: 2.20.4 → 2.17.1
(Assignee)

Updated

10 years ago
Flags: approval?
Flags: approval3.0?
Flags: approval3.0+
Flags: approval2.22?
Flags: approval2.22+
Flags: approval2.20?
Flags: approval2.20+
Flags: approval+
(Assignee)

Comment 17

10 years ago
tip:

Checking in template/en/default/filterexceptions.pl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v  <--  filterexceptions.pl
new revision: 1.106; previous revision: 1.105
done
Checking in template/en/default/bug/create/create-guided.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/bug/create/create-guided.html.tmpl,v  <--  create-guided.html.tmpl
new revision: 1.40; previous revision: 1.39
done


3.0:

Checking in template/en/default/filterexceptions.pl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v  <--  filterexceptions.pl
new revision: 1.95.2.1; previous revision: 1.95
done
Checking in template/en/default/bug/create/create-guided.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/bug/create/create-guided.html.tmpl,v  <--  create-guided.html.tmpl
new revision: 1.36.2.2; previous revision: 1.36.2.1
done


2.22.2:

Checking in template/en/default/filterexceptions.pl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v  <--  filterexceptions.pl
new revision: 1.61.2.6; previous revision: 1.61.2.5
done
Checking in template/en/default/bug/create/create-guided.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/bug/create/create-guided.html.tmpl,v  <--  create-guided.html.tmpl
new revision: 1.26.4.5; previous revision: 1.26.4.4
done


2.20.4:

Checking in template/en/default/filterexceptions.pl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v  <--  filterexceptions.pl
new revision: 1.43.2.7; previous revision: 1.43.2.6
done
Checking in template/en/default/bug/create/create-guided.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/bug/create/create-guided.html.tmpl,v  <--  create-guided.html.tmpl
new revision: 1.26.2.3; previous revision: 1.26.2.2
done
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED

Comment 18

10 years ago
Security advisory from Bug 389843 sent, unlocking bug.
Group: webtools-security
(Reporter)

Comment 19

10 years ago
Verified at b.m.o. and checkins at bonsai.
Status: RESOLVED → VERIFIED
(Reporter)

Comment 20

10 years ago
List of Security Advisories in security information sites.

NIST:CVE-2007-4543.
 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4543
SecurityFocus:Bugtraq ID 25425
 http://www.securityfocus.com/bid/25425
FRSIRT:ADV-2007-2977
 http://www.frsirt.com/english/advisories/2007/2977
SECTRACK:1018604
 http://www.securitytracker.com/id?1018604
SECUNIA:26584
 http://secunia.com/advisories/26584
XF:bugzilla-buildid-xss(36241)
 http://xforce.iss.net/xforce/xfdb/36241