Bug 468621 (WH-1664236)

XSS vuln on tiki-print.php

VERIFIED FIXED in 0.8.1

Status

support.mozilla.org
Knowledge Base Software
--
critical
VERIFIED FIXED
10 years ago
2 years ago

People

(Reporter: reed, Assigned: ecooper)

Tracking

({wsec-xss})

unspecified
0.8.1
wsec-xss

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: tiki_test, URL)

Attachments

(1 attachment)

Updated

10 years ago
Target Milestone: --- → 0.8.1
(Assignee)

Updated

10 years ago
Assignee: nobody → smirkingsisyphus
(Assignee)

Comment 1

10 years ago
Created attachment 356882 [details] [diff] [review]
Escapes tr_offset

A few more things in the urls could potentially be escaped, but I'm not sure where everything is coming from...so I stuck to making sure the provided vectors were taken care of.
Attachment #356882 - Flags: review?(laura)

Updated

10 years ago
Attachment #356882 - Flags: review?(laura) → review+

Comment 2

10 years ago
In  trunk r21578, prod branch r21579.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Verified FIXED on http://support-stage.mozilla.org/tiki-print.php?locale=en-US&page=Thanks+For+Signing+Up&tr_offset=%22%20STYLE=%22background-image:%20x%28a:whs%28%29%29&tr_sort_mode=lastModif_desc 

-and-

http://support-stage.mozilla.org/tiki-print.php?locale=en-US&page=Thanks+For+Signing+Up&tr_initial=&tr_sort_mode=f_31_asc&tr_offset=%22%20STYLE=%22background-image:%20x%28a:whs%28%29%29 (my location bar is escaping those URLs).

On staging, we're escaping the tags and outputting: "STYLE%3D%22background-image%3A+x%28a%3Awhs%28%29%29"

On prod, we're outputting: "STYLE="background-image: x(a:whs())""

Verified FIXED
Status: RESOLVED → VERIFIED
s/tags/attribute, I think, but you get the gist...

Updated

9 years ago
Whiteboard: tiki_triage

Updated

9 years ago
Whiteboard: tiki_triage → tiki_test
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
You need to log in before you can comment on or make changes to this bug.