Closed Bug 463055 (WH-1628152) Opened 11 years ago Closed 11 years ago

XSS vulns on tiki-listpages.php

Categories

(support.mozilla.org :: Knowledge Base Software, task, critical)

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: reed, Assigned: reed)

Details

(Keywords: wsec-xss, Whiteboard: sumo_only)

Attachments

(2 files, 1 obsolete file)

Assignee: nobody → laura
Target Milestone: --- → 0.7.2
r19584 fixed this one too.
Status: NEW → RESOLVED
Closed: 11 years ago
Keywords: push-needed
Resolution: --- → FIXED
Group: websites-security
Group: websites-security
Verified FIXED on https://support-stage.mozilla.org/tiki-listpages.php?offset=%22%20STYLE=%22background-image:%20x%28a:whs%28%29%29&sort_mode=pageName_asc&maxRecords=10:

Notice: invalid variable value: $_GET["offset"] = " STYLE="background-image: x(a:whs())
Status: RESOLVED → VERIFIED
Summary: XSS vuln on tiki-listpages.php → XSS vulns on tiki-listpages.php
Target Milestone: 0.7.2 → 0.8.1
Resolved as per Bug 463068 -  (WH-1628438) XSS vulns on tiki-orphan_pages.php
r21561/r21562
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
I don't get it; all of the URLs in comment 3 give me "invalid variable value" whether or not I'm logged in (similar to comment 2).
(In reply to comment #5)
> I don't get it; all of the URLs in comment 3 give me "invalid variable value"
> whether or not I'm logged in (similar to comment 2).

Scroll down.
Verified FIXED with the URLs in comment 3 changed to use support-stage; thanks to Reed for pointing out the obvious in comment 6, I was able to see the problem on production but not on staging.
Status: RESOLVED → VERIFIED
Attached patch Escape 'categId' param - v1 (obsolete) — Splinter Review
Attachment #361237 - Flags: review?(smirkingsisyphus)
Attachment #361237 - Flags: review?(smirkingsisyphus) → review+
Comment on attachment 361237 [details] [diff] [review]
Escape 'categId' param - v1

Ideally, we should be using {$var|escape:"url"} for variables being displayed in link urls, but it's irrelevant in this case. 'categId' should only be passed integers, anyway.
I changed my usage to escape:"url", as well as fixing the usage of the 'find' param's escapage. Carrying over review. I'll commit this shortly.
Attachment #361237 - Attachment is obsolete: true
Attachment #361479 - Flags: review+
Committed as r22119 / r22120.
Status: REOPENED → RESOLVED
Closed: 11 years ago
Keywords: push-needed
Resolution: --- → FIXED
'find' param

http://support.mozilla.com/tiki-listpages.php?sort_mode=pageName_asc&find=%00%22whscheck=%22whscheck()&lang=&categId=&maxRecords=10&search=Find
Status: RESOLVED → REOPENED
Keywords: push-needed
Resolution: FIXED → ---
Target Milestone: 0.8.3 → 1.0
              <td style="text-align:right;" class="heading"><a class="tableheading" href="/tiki-listpages.php?offset=0&amp;sort_mode=lang_desc&amp;find="whscheck="whscheck()">Language</a>
      </td>
My patch in bug 463068 takes care of this one, too.

stephend, please QA.
Assignee: laura → reed
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
On staging:

 <td style="text-align:right;" class="heading"><a class="tableheading" href="/tiki-listpages.php?offset=3020&amp;sort_mode=lang_desc&amp;find=%22whscheck%3D%22whscheck%28%29">Language</a>
      </td>

Verified FIXED on http://support-stage.mozilla.org/tiki-listpages.php?sort_mode=pageName_asc&find=%22whscheck%3D%22whscheck%28%29&lang=&categId=&maxRecords=10&search=Find
Status: RESOLVED → VERIFIED
Another one...

    Create Page: <a href="/tiki-editpage.php?page="whscheck="whscheck()" title="Create"> "whscheck="whscheck()</a>
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Target Milestone: 0.9.5 → 1.0
Definitely needs QA, as I worry about the double quotes here...

<a href="tiki-editpage.php?page={$find|escape:"url"}"

Should I use escape:'url' there, or is it fine as-is?
Attachment #369218 - Flags: review?(smirkingsisyphus)
Comment on attachment 369218 [details] [diff] [review]
Fix issue found in comment #17 - v1

The use of "" is fine since it's within something parsed by smarty.

The patch behaves as expected locally.
Attachment #369218 - Flags: review?(smirkingsisyphus) → review+
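As an added example (not code from TikiWiki or support.mozilla.org) of the escaping discussed in the two review comments above, here are the plain-PHP equivalents of Smarty's `escape` (htmlspecialchars) and `escape:"url"` (rawurlencode) applied to a reflected `find` value, with the raw reflection beside the escaped links. The function names and the markup skeleton are assumptions for illustration; the sample value is the marker string from this bug's own test URLs.

```php
<?php
// Added example, not code from TikiWiki or support.mozilla.org.
// Shows the plain-PHP equivalents of the Smarty modifiers discussed in the
// review comments: escape (htmlspecialchars) for HTML context and
// escape:"url" (rawurlencode) for a value placed inside a URL.

// What the vulnerable template did: the raw request value is dropped straight
// into the href attribute and the link text, so a double quote in it ends the
// attribute early. Kept here only to contrast with the escaped version.
function unsafe_create_link(string $find): string
{
    return '<a href="/tiki-editpage.php?page=' . $find . '" title="Create">' . $find . '</a>';
}

// Layered escaping: first URL-encode the parameter value (what escape:"url"
// does), then HTML-encode the whole attribute value and the visible text.
function safe_create_link(string $find): string
{
    $href = '/tiki-editpage.php?page=' . rawurlencode($find);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '" title="Create">'
         . htmlspecialchars($find, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Same pattern for the multi-parameter sort links in the table heading.
// http_build_query() with PHP_QUERY_RFC3986 rawurlencodes every value; the
// '&' between parameters then becomes '&amp;' inside the attribute.
function safe_sort_link(int $offset, string $sort_mode, string $find): string
{
    $query = http_build_query(
        ['offset' => $offset, 'sort_mode' => $sort_mode, 'find' => $find],
        '', '&', PHP_QUERY_RFC3986
    );
    $href = '/tiki-listpages.php?' . $query;
    return '<a class="tableheading" href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">Language</a>';
}

// Constructed sample input: the marker string used in this bug's test URLs.
$find = '"whscheck="whscheck()';

echo unsafe_create_link($find), "\n";          // raw quote terminates the href attribute
echo safe_create_link($find), "\n";            // quote and parentheses percent-encoded, attribute intact
echo safe_sort_link(0, 'lang_desc', $find), "\n";
```

Run with `php` from the command line. rawurlencode() leaves only unreserved characters (`A-Z a-z 0-9 - _ . ~`) untouched, so the quote, equals sign and parentheses in the sample come out as `%22`, `%3D`, `%28` and `%29`, the form seen in the verified staging markup above. The order matters: URL-encode the value first, then HTML-encode the finished attribute, otherwise the `&` separating query parameters is left unescaped inside the attribute.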
r23794/r23795
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
How do I trigger comment 17?  URL, please?
Verified FIXED;

https://support-stage.mozilla.org/tiki-listpages.php?sort_mode=pageName_asc&find=%22whscheck%3D%22whscheck%28%29&lang=&categId=&maxRecords=10&search=Find has:

Create Page: <a href="/tiki-editpage.php?page=%22whscheck%3D%22whscheck%28%29" title="Create"> &quot;whscheck=&quot;whscheck()</a>
Status: RESOLVED → VERIFIED
Whiteboard: sumo_only
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security