XSS vulnerability in SUMO error page

VERIFIED FIXED in 0.6

Status

support.mozilla.org
General
P1
blocker
VERIFIED FIXED
10 years ago
2 years ago

People

(Reporter: bsterne, Assigned: nkoth)

Tracking

({wsec-xss})

unspecified
wsec-xss

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: sumo_only, URL)

Attachments

(1 attachment)

(Reporter)

Description

10 years ago
One of the tiki error pages uses the URL parameter "error" as its display message.  This can be used for XSS or simply website defacement.  Here is an example attack URL:

http://support.mozilla.com/tiki-error.php?error=<a+href="javascript:alert(document.cookie)">Click+Me</a>
(Reporter)

Updated

10 years ago
Group: webtools-security

Updated

10 years ago
Assignee: nobody → nelson
Severity: major → blocker
Priority: -- → P1
Target Milestone: --- → 0.6
(Assignee)

Comment 1

10 years ago
Created attachment 321667 [details] [diff] [review]
is this filtering enough?
Attachment #321667 - Flags: review?(laura)
(Assignee)

Updated

10 years ago
Status: NEW → ASSIGNED
(Reporter)

Comment 2

10 years ago
A couple of comments on the attached patch:

1) you probably don't need to re-assign $_REQUEST["error"] as its escaped self since you are later displaying it using the same escaping functions.

2) a better approach for this type of page would be to have a set of pre-determined error messages that can be chosen from by specifying an error ID in the URL.  This is better than echoing a string that an attacker can easily modify.

The patch as attached will fix the present issue, though.  Just my 0.02.
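
The two defences raised in Comment 2, shown side by side in PHP as an added example; this is not the tiki patch from attachment 321667, and the function names and the error-ID table are assumptions for illustration.

```php
<?php
// Added example, not the tiki patch. Shows the vulnerable pattern from the
// bug description next to the two fixes discussed in Comment 2.

// Vulnerable pattern described in the bug: the "error" parameter is echoed
// into the page unchanged, so any HTML or JavaScript in the URL is rendered.
function render_error_unsafe(array $request): string {
    return '<h1>Error</h1><p>' . ($request['error'] ?? '') . '</p>';
}

// Fix 1 (what the attached patch does): escape on output. htmlspecialchars()
// converts <, >, &, " and ' to entities, so the value is shown as inert text.
// Escaping once at the point of display is enough; there is no need to also
// overwrite $_REQUEST["error"] with its escaped form.
function render_error_escaped(array $request): string {
    $msg = htmlspecialchars($request['error'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>Error</h1><p>' . $msg . '</p>';
}

// Fix 2 (the approach suggested in Comment 2): the URL carries only an error
// ID and the message text comes from a fixed server-side table, so nothing
// attacker-controlled reaches the page at all. Table contents are assumed.
const ERROR_MESSAGES = [
    'login_failed' => 'Your login attempt failed. Please try again.',
    'not_found'    => 'The page you requested does not exist.',
    'permission'   => 'You do not have permission to view this page.',
];

function render_error_by_id(array $request): string {
    $id = $request['error'] ?? '';
    // Unknown or tampered IDs fall back to a generic message, never to the input.
    $msg = ERROR_MESSAGES[$id] ?? 'An unknown error occurred.';
    return '<h1>Error</h1><p>' . $msg . '</p>';
}

// Constructed input: the decoded value of the "error" parameter from the URL
// quoted in the bug description.
$attack = ['error' => '<a href="javascript:alert(document.cookie)">Click Me</a>'];

echo render_error_unsafe($attack), "\n";            // link rendered as live markup
echo render_error_escaped($attack), "\n";           // link rendered as visible text
echo render_error_by_id($attack), "\n";             // generic fallback message
echo render_error_by_id(['error' => 'not_found']), "\n"; // message chosen by ID
```

With the escaped version a browser shows the tag text literally, matching the "Error / Click me" result reported when the fix was verified; the ID-based version removes the echoed string entirely.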

Comment 3

10 years ago
Comment on attachment 321667 [details] [diff] [review]
is this filtering enough?

Looks good to me.  Please commit ASAP.
Attachment #321667 - Flags: review?(laura) → review+
(Assignee)

Comment 4

10 years ago
in r13337

Comment 5

10 years ago
This was pushed in https://bugzilla.mozilla.org/show_bug.cgi?id=434670
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Group: webtools-security → websites-security
Group: websites-security
Group: websites-security
http://support.mozilla.com/tiki-error.php?error=<a+href="javascript:alert(document.cookie)">Click+Me</a> is verified FIXED; it just gives me "Error \n Click me".
Status: RESOLVED → VERIFIED
Whiteboard: sumo_only
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security