Closed Bug 386942 Opened 13 years ago Closed 12 years ago

[SECURITY] User Agent text should be HTML escaped

Categories

(Bugzilla :: Bugzilla-General, defect)

2.17.1
defect
Not set

VERIFIED FIXED
Bugzilla 2.20

People

(Reporter: masa141421356, Assigned: LpSolit)

Details

(Whiteboard: [ready for all branches])

Attachments

(1 file, 2 obsolete files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; ja; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Build Identifier: 

At the "Enter A Bug" page for Firefox,
the default value of Build Identifier is the User Agent text.
But it is not HTML escaped.


Reproducible: Always

Steps to Reproduce:
1. Change User Agent text to contain `">`
   In Firefox, open about:config and change general.useragent.extra.firefox to
   Firefox">/2.0.0.4

2. Open https://bugzilla.mozilla.org/enter_bug.cgi?product=Firefox&format=guided
3. Check Build Identifier text
Actual Results:  
It is not HTML Escaped.

Expected Results:  
It should be HTML escaped.

I don't know whether this bug is an XSS vulnerability or not.
If this bug is not an XSS vulnerability, there is no reason to keep the Security flag on.
User agents are between you, your browser, its extensions, your trusted proxy, and Bugzilla.

If your trusted proxy isn't trustworthy it can just insert whatever it pleases whenever it pleases. Similarly for everything else up the line.
Group: webtools-security
The following User-Agent causes script execution:
Firefox"><script>alert("hello")</script>
I don't care if the source is supposed to be trusted on the client end, it came from the client's connection and we didn't escape it, and that's a problem.
Group: webtools-security
Flags: blocking3.1.1+
Flags: blocking3.0.1+
Flags: blocking2.22.3+
Flags: blocking2.20.5+
Target Milestone: --- → Bugzilla 2.20
This is Gerv's code he should know about it even if he's not the one to fix it.
template/en/default/bug/create/create-guided.html.tmpl:
      <input type="text" size="80" name="buildid" value="[% buildid %]">
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached patch patch, v1 (obsolete) — Splinter Review
Trivial fix. That's the only place where the UA doesn't pass through a regexp.
Assignee: general → LpSolit
Status: NEW → ASSIGNED
Attachment #271090 - Flags: review?(justdave)
Attached patch temporary.. (obsolete) — Splinter Review
I use this patch on our Bugzilla site. (http://bugzilla.mozilla.gr.jp)
Comment on attachment 271090 [details] [diff] [review]
patch, v1

two of you came up with the same patch independently, and it's what I would have done myself, too, so it must be good ;)
Attachment #271090 - Flags: review?(justdave) → review+
OK, I checked in all supported versions and there is no other place where CGI->user_agent() is used in an untrusted way.
Flags: approval?
Flags: approval3.0?
Flags: approval2.22?
Flags: approval2.20?
Whiteboard: [ready for all branches]
Version: unspecified → 2.20.4
Attached patch patch, v1.1 — Splinter Review
I forgot to remove buildid from filterexceptions.pl.
Attachment #271090 - Attachment is obsolete: true
Attachment #271091 - Attachment is obsolete: true
Attachment #271123 - Flags: review?(justdave)
Comment on attachment 271123 [details] [diff] [review]
patch, v1.1

ah, yes, I was meaning to ask earlier what justification was used for adding it there to begin with (hence why it passed the test anyway)
Attachment #271123 - Flags: review?(justdave) → review+
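As an added illustration (not code from this bug or from Bugzilla itself), the following Python mirrors the two points discussed above: the raw `[% buildid %]` interpolation into the input's value attribute from the template line quoted earlier versus the escaping that `FILTER html` provides, and a simplified stand-in for the unfiltered-directive test that filterexceptions.pl whitelists against. `html.escape` is used as an approximation of Bugzilla's html filter, and the directive regex is my own simplification, not the project's test.

```python
import html
import re

# Constructed sample, taken from the User-Agent value quoted earlier in this bug.
HOSTILE_BUILDID = 'Firefox"><script>alert("hello")</script>'


def render_unfiltered(buildid: str) -> str:
    """Mirrors the original template line: the value lands in the attribute raw."""
    return f'<input type="text" size="80" name="buildid" value="{buildid}">'


def render_filtered(buildid: str) -> str:
    """Approximates [% buildid FILTER html %]: &, <, > and both quote characters
    are escaped, so the value can neither close the attribute nor the tag."""
    escaped = html.escape(buildid, quote=True)
    return f'<input type="text" size="80" name="buildid" value="{escaped}">'


def breaks_out_of_attribute(rendered: str) -> bool:
    """A single <input> element should contain exactly one '<'; any extra one
    means the value escaped the attribute context."""
    return rendered.count("<") != 1


# Simplified stand-in (my approximation) for the template test that flags
# [% var %] output without a FILTER; the exceptions set plays the role of
# filterexceptions.pl. Lowercase first letter skips directives like IF/INCLUDE.
DIRECTIVE_RE = re.compile(r"\[%\s*([a-z][\w.]*)\s*(?:FILTER\s+(\w+))?\s*%\]")


def unfiltered_directives(template: str, exceptions: set[str]) -> list[str]:
    """Return variables emitted without a filter that are not whitelisted."""
    hits = []
    for m in DIRECTIVE_RE.finditer(template):
        var, filt = m.group(1), m.group(2)
        if filt is None and var not in exceptions:
            hits.append(var)
    return hits


TEMPLATE_BEFORE = '<input type="text" size="80" name="buildid" value="[% buildid %]">'
TEMPLATE_AFTER = '<input type="text" size="80" name="buildid" value="[% buildid FILTER html %]">'

if __name__ == "__main__":
    print(render_unfiltered(HOSTILE_BUILDID))
    print(render_filtered(HOSTILE_BUILDID))
    # With buildid whitelisted the check is silent, which is how the template passed the test.
    print(unfiltered_directives(TEMPLATE_BEFORE, {"buildid"}))
    print(unfiltered_directives(TEMPLATE_BEFORE, set()))
    print(unfiltered_directives(TEMPLATE_AFTER, set()))
```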
This is not a security problem; you can't XSS yourself. However, if the build ID were to include a "<" character, then the page would render incorrectly, so it's appropriate to fix it.

Gerv
(In reply to comment #12)
> This is not a security problem; you can't XSS yourself. However, if the build
> ID were to include a "<" character, then the page would render incorrectly, so
> it's appropriate to fix it.
No, this is an XSS vulnerability!

If the URL parameter "buildid" exists in the request, create-guided.html.tmpl uses its value instead of the UA string.

The following URL causes XSS.
https://bugzilla.mozilla.org/enter_bug.cgi?product=Thunderbird&format=guided&reproducible=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

Workaround: NoScript can block this XSS.
Summary: User Agent text shoule be HTML escaped → User Agent text and buildid url parameter shoule be HTML escaped
OK, now that _is_ an XSS :-( The problem here is that the build ID was originally always taken from the UA (no problem) but then someone asked for the possibility of passing it as a URL parameter, and we added that. This introduced the XSS problem and we didn't notice. Drat.

Lesson: we should presume even more in favour of filtering when in doubt.

Gerv
Summary: User Agent text and buildid url parameter shoule be HTML escaped → User Agent text shoule be HTML escaped
Blocks: 389843
Summary: User Agent text shoule be HTML escaped → User Agent text should be HTML escaped
For the record, buildid was introduced in bug 133559 for Bugzilla 2.17.1. At that time, buildid was only taken from the UA. Then bug 308950 implemented the ability to pass it as a parameter, which would overwrite the UA. This was for Bugzilla 2.23.4. So if you trust your UA, only 2.23.4 and higher are "really" affected by this bug, but this field has never been escaped, even in 2.17.1.
Summary: User Agent text should be HTML escaped → [SECURITY] User Agent text should be HTML escaped
Version: 2.20.4 → 2.17.1
Flags: approval?
Flags: approval3.0?
Flags: approval3.0+
Flags: approval2.22?
Flags: approval2.22+
Flags: approval2.20?
Flags: approval2.20+
Flags: approval+
tip:

Checking in template/en/default/filterexceptions.pl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v  <--  filterexceptions.pl
new revision: 1.106; previous revision: 1.105
done
Checking in template/en/default/bug/create/create-guided.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/bug/create/create-guided.html.tmpl,v  <--  create-guided.html.tmpl
new revision: 1.40; previous revision: 1.39
done


3.0:

Checking in template/en/default/filterexceptions.pl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v  <--  filterexceptions.pl
new revision: 1.95.2.1; previous revision: 1.95
done
Checking in template/en/default/bug/create/create-guided.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/bug/create/create-guided.html.tmpl,v  <--  create-guided.html.tmpl
new revision: 1.36.2.2; previous revision: 1.36.2.1
done


2.22.2:

Checking in template/en/default/filterexceptions.pl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v  <--  filterexceptions.pl
new revision: 1.61.2.6; previous revision: 1.61.2.5
done
Checking in template/en/default/bug/create/create-guided.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/bug/create/create-guided.html.tmpl,v  <--  create-guided.html.tmpl
new revision: 1.26.4.5; previous revision: 1.26.4.4
done


2.20.4:

Checking in template/en/default/filterexceptions.pl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v  <--  filterexceptions.pl
new revision: 1.43.2.7; previous revision: 1.43.2.6
done
Checking in template/en/default/bug/create/create-guided.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/bug/create/create-guided.html.tmpl,v  <--  create-guided.html.tmpl
new revision: 1.26.2.3; previous revision: 1.26.2.2
done
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Security advisory from Bug 389843 sent, unlocking bug.
Group: webtools-security
Verified at b.m.o. and checkins at bonsai.
Status: RESOLVED → VERIFIED
List of security advisories on security information sites.

NIST:CVE-2007-4543.
 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4543
SecurityFocus:Bugtraq ID 25425
 http://www.securityfocus.com/bid/25425
FRSIRT:ADV-2007-2977
 http://www.frsirt.com/english/advisories/2007/2977
SECTRACK:1018604
 http://www.securitytracker.com/id?1018604
SECUNIA:26584
 http://secunia.com/advisories/26584
XF:bugzilla-buildid-xss(36241)
 http://xforce.iss.net/xforce/xfdb/36241