Bug 463055 (WH-1628152) - XSS vulns on tiki-listpages.php
Status: Closed, VERIFIED FIXED
Opened 17 years ago; closed 16 years ago
Product / Component: support.mozilla.org :: Knowledge Base Software (task)
Tracking: not tracked
Target Milestone: 1.0
People: Reporter: reed; Assignee: reed
Keywords: wsec-xss; Whiteboard: sumo_only
Attachments (2 files, 1 obsolete file):
  - patch, 18.19 KB, reed: review+
  - patch, 623 bytes, ecooper: review+
Updated 17 years ago
Assignee: nobody → laura
Target Milestone: --- → 0.7.2

Updated 17 years ago
Group: websites-security

Updated 17 years ago
Group: websites-security

Comment 2 • 16 years ago
Verified FIXED on https://support-stage.mozilla.org/tiki-listpages.php?offset=%22%20STYLE=%22background-image:%20x%28a:whs%28%29%29&sort_mode=pageName_asc&maxRecords=10:
Notice: invalid variable value: $_GET["offset"] = " STYLE="background-image: x(a:whs())
Status: RESOLVED → VERIFIED

Comment 3 • 16 years ago
Still some open vectors:
http://support.mozilla.com/tiki-listpages.php?initial=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=10&sort_mode=pageName_asc
https://support.mozilla.com/tiki-listpages.php?offset=0&sort_mode=user_desc&initial=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=10
http://support.mozilla.com/tiki-listpages.php?offset=0&sort_mode=pageName_asc&initial=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=10
http://support.mozilla.com/tiki-listpages.php?offset=%22%20STYLE=%22background-image:%20x(a:whs())&sort_mode=pageName_asc&maxRecords=10
https://support.mozilla.com/tiki-listpages.php?offset=%22%20STYLE=%22background-image:%20x(a:whs())&sort_mode=pageName_desc&maxRecords=10
https://support.mozilla.com/tiki-listpages.php?offset=%22%20STYLE=%22background-image:%20x(a:whs())&sort_mode=user_desc&initial=i&maxRecords=10
http://support.mozilla.com/tiki-listpages.php?offset=%22%20STYLE=%22background-image:%20x(a:whs())&sort_mode=lang_desc
http://support.mozilla.com/tiki-listpages.php?offset=%22%20STYLE=%22background-image:%20x(a:whs())&sort_mode=pageName_asc&initial=w&maxRecords=10
http://support.mozilla.com/tiki-listpages.php?offset=%22%20STYLE=%22background-image:%20x(a:whs())&sort_mode=pageName_desc&maxRecords=10

Updated 16 years ago
Summary: XSS vuln on tiki-listpages.php → XSS vulns on tiki-listpages.php

Updated 16 years ago
Target Milestone: 0.7.2 → 0.8.1

Comment 4 • 16 years ago
Resolved as per Bug 463068 - (WH-1628438) XSS vulns on tiki-orphan_pages.php
r21561/r21562
Status: REOPENED → RESOLVED
Closed: 17 years ago → 16 years ago
Resolution: --- → FIXED

Comment 5 • 16 years ago
I don't get it; all of the URLs in comment 3 give me "invalid variable value" whether or not I'm logged in (similar to comment 2).

Comment 6 • 16 years ago
(In reply to comment #5)
> I don't get it; all of the URLs in comment 3 give me "invalid variable value"
> whether or not I'm logged in (similar to comment 2).
Scroll down.

Comment 7 • 16 years ago
Verified FIXED with the URLs in comment 3 changed to use support-stage; thanks to Reed for pointing out the obvious in comment 6, I was able to see the problem on production but not on staging.
Status: RESOLVED → VERIFIED

Comment 8 • 16 years ago
Sentinel found that the categId param isn't being properly escaped.
https://support.mozilla.com/tiki-listpages.php?sort_mode=pageName_asc&offset=3020&find=&lang=&categId=%22whscheck=%22whscheck()&maxRecords=10&search=Find
http://support.mozilla.com/tiki-listpages.php?sort_mode=pageName_asc&find=&lang=&categId=%22whscheck=%22whscheck%28%29&maxRecords=10&search=Find
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Target Milestone: 0.8.1 → 0.8.3

Comment 9 • 16 years ago
Attachment #361237 - Flags: review?(smirkingsisyphus)

Updated 16 years ago
Attachment #361237 - Flags: review?(smirkingsisyphus) → review+

Comment 10 • 16 years ago
Comment on attachment 361237 [details] [diff] [review]
Escape 'categId' param - v1
Ideally, we should be using {$var|escape:"url"} for variables being displayed in link urls, but it's irrelevant in this case. 'categId' should only be passed integers, anyway.

Comment 11 • 16 years ago
I changed my usage to escape:"url", as well as fixing the usage of the 'find' param's escapage. Carrying over review. I'll commit this shortly.
Attachment #361237 - Attachment is obsolete: true
Attachment #361479 - Flags: review+

Comment 12 • 16 years ago
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Keywords: push-needed
Resolution: --- → FIXED

Comment 13 • 16 years ago
Status: RESOLVED → REOPENED
Keywords: push-needed
Resolution: FIXED → ---
Target Milestone: 0.8.3 → 1.0

Comment 14 • 16 years ago
<td style="text-align:right;" class="heading"><a class="tableheading" href="/tiki-listpages.php?offset=0&sort_mode=lang_desc&find="whscheck="whscheck()">Language</a>
</td>

Comment 15 • 16 years ago
My patch in bug 463068 takes care of this one, too.
stephend, please QA.
Assignee: laura → reed
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED

Comment 16 • 16 years ago
On staging:
<td style="text-align:right;" class="heading"><a class="tableheading" href="/tiki-listpages.php?offset=3020&sort_mode=lang_desc&find=%22whscheck%3D%22whscheck%28%29">Language</a>
</td>
Verified FIXED on http://support-stage.mozilla.org/tiki-listpages.php?sort_mode=pageName_asc&find=%22whscheck%3D%22whscheck%28%29&lang=&categId=&maxRecords=10&search=Find
Status: RESOLVED → VERIFIED

Comment 17 • 16 years ago
Another one...
Create Page: <a href="/tiki-editpage.php?page="whscheck="whscheck()" title="Create"> "whscheck="whscheck()</a>
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Target Milestone: 0.9.5 → 1.0

Comment 18 • 16 years ago
Definitely needs QA, as I worry about the double quotes here...
<a href="tiki-editpage.php?page={$find|escape:"url"}"
Should I use escape:'url' there, or is it fine as-is?
Attachment #369218 - Flags: review?(smirkingsisyphus)

Comment 19 • 16 years ago
Comment on attachment 369218 [details] [diff] [review]
Fix issue found in comment #17 - v1
The use of "" is fine since it's within something parsed by smarty.
The patch behaves as expected locally.
Attachment #369218 - Flags: review?(smirkingsisyphus) → review+
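The fix that comments 10, 11, 18 and 19 converge on is output-side URL escaping of any request parameter that is echoed into a link (Smarty's {$var|escape:"url"}), plus rejecting non-integer categId values at the input boundary. The following is an added illustration written for this page, not code from this bug, from TikiWiki or from SUMO, and it is in Python rather than the PHP/Smarty the site runs. The link template, the function names and the probe string are hypothetical stand-ins for the "Language" sort header shown in comment 14; it renders the same link with and without URL escaping, then parses the result the way a browser would to show whether the parameter stayed inside the href or grew a new STYLE attribute.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

# Constructed probe string modelled on the attribute-breakout payloads used in
# this bug: a closing double quote followed by a brand-new STYLE attribute.
PAYLOAD = '" STYLE="background-image: x(a:whs())'

# Hypothetical stand-in for the tiki-listpages.php "Language" sort-header markup.
LINK_TEMPLATE = ('<a class="tableheading" href="/tiki-listpages.php?offset={offset}'
                 '&amp;sort_mode={sort_mode}&amp;find={find}">Language</a>')


def render_sort_link_unescaped(find, sort_mode="lang_desc", offset=0):
    """Before the fix: the raw 'find' value lands inside the href verbatim."""
    return LINK_TEMPLATE.format(offset=offset, sort_mode=sort_mode, find=find)


def render_sort_link_escaped(find, sort_mode="lang_desc", offset=0):
    """After the fix: the Python equivalent of Smarty's {$find|escape:"url"}.

    safe="" percent-encodes everything outside the URL unreserved set, so a
    quote, a space or '=' can neither end the attribute nor add a parameter."""
    return LINK_TEMPLATE.format(offset=offset, sort_mode=sort_mode,
                                find=quote(find, safe=""))


class _FirstAnchorAttrs(HTMLParser):
    """Records the attributes a browser-side parser sees on the first <a>."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)  # html.parser lowercases attribute names


def link_attributes(html):
    parser = _FirstAnchorAttrs()
    parser.feed(html)
    parser.close()
    return parser.attrs or {}


def attribute_breakout(html):
    """True when the rendered link carries anything beyond class and href,
    i.e. the parameter escaped the attribute it was meant to stay inside."""
    return bool(set(link_attributes(html)) - {"class", "href"})


def find_param_roundtrip(html):
    """The 'find' value the server gets back when the rendered link is followed."""
    href = link_attributes(html)["href"]
    query = parse_qs(urlsplit(href).query, keep_blank_values=True)
    return query.get("find", [""])[0]


_DECIMAL = re.compile(r"[0-9]{1,10}")


def parse_categ_id(raw):
    """categId should only ever be an integer (comment 10): reject anything else
    at the input boundary rather than relying on output escaping alone.
    None or an empty string means 'no category filter'."""
    if raw is None or raw == "":
        return None
    if not _DECIMAL.fullmatch(raw):
        raise ValueError("categId must be a decimal integer")
    return int(raw)


if __name__ == "__main__":
    for label, render in (("unescaped", render_sort_link_unescaped),
                          ("escaped", render_sort_link_escaped)):
        out = render(PAYLOAD)
        print(f"{label}: breakout={attribute_breakout(out)} "
              f"attrs={sorted(link_attributes(out))}")
        print("   ", out)
```

The escaped rendering also round-trips: parsing the href back out of the link and decoding its query string returns the original 'find' value unchanged, which is why URL escaping (not HTML escaping) is the right filter for a value that lives inside a URL. Comment 18's worry about the nested double quotes does not arise here for the reason comment 19 gives: the quotes around "url" are consumed by the template engine, never emitted into the attribute.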

Comment 20 • 16 years ago
r23794/r23795
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED

Comment 21 • 16 years ago
How do I trigger comment 17? URL, please?

Comment 22 • 16 years ago
(In reply to comment #21)
> How do I trigger comment 17? URL, please?
http://support.mozilla.com/tiki-listpages.php?sort_mode=pageName_asc&find=%00%22whscheck=%22whscheck()&lang=&categId=&maxRecords=10&search=Find
Need to be logged-in, though.

Comment 23 • 16 years ago
Verified FIXED;
https://support-stage.mozilla.org/tiki-listpages.php?sort_mode=pageName_asc&find=%22whscheck%3D%22whscheck%28%29&lang=&categId=&maxRecords=10&search=Find has:
Create Page: <a href="/tiki-editpage.php?page=%22whscheck%3D%22whscheck%28%29" title="Create"> "whscheck="whscheck()</a>
Status: RESOLVED → VERIFIED

Updated 15 years ago
Whiteboard: sumo_only

Comment 24 • 12 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss

Comment 25 • 9 years ago
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security