Bug 468626 (WH-1704994): XSS vulns on tiki-poll_results.php
Status: Closed, VERIFIED FIXED. Opened 16 years ago, closed 16 years ago.
Categories: support.mozilla.org :: Knowledge Base Software (task)
Tracking: not tracked. Target Milestone: 0.8.2
People: Reporter: reed, Assigned: ecooper
Keywords: wsec-xss. Whiteboard: tiki_test
Attachments (3 files)
- patch, 2.61 KB (laura: review+)
- patch, 480 bytes
- image/png, 373.32 KB
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-15&vote_to_date=2008-11-14&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-22&vote_to_date=2008-11-21&maxRecords=30
https://support.mozilla.com/tiki-poll_results.php?scoresort_asc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-22&vote_to_date=2008-11-21&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-10-07&vote_to_date=2008-12-06&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-15&vote_to_date=2008-11-14&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-22&vote_to_date=2008-11-21&maxRecords=30
https://support.mozilla.com/tiki-poll_results.php?scoresort_desc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-22&vote_to_date=2008-11-21&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-10-07&vote_to_date=2008-12-06&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-14&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-14&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-21&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-21&maxRecords=30
https://support.mozilla.com/tiki-poll_results.php?scoresort_desc=0&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-21&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=2008-09-15&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=2008-09-15&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=2008-09-22&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=2008-09-22&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
https://support.mozilla.com/tiki-poll_results.php?scoresort_desc=0&vote_from_date=2008-09-22&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
https://support.mozilla.com/tiki-poll_results.php?scoresort_asc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-21&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-12-06&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-12-06&maxRecords=30
https://support.mozilla.com/tiki-poll_results.php?scoresort_asc=4&vote_from_date=2008-09-22&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=2008-10-07&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=2008-10-07&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
Updated•16 years ago
Target Milestone: --- → 0.8.1
Updated•16 years ago
Assignee: nobody → smirkingsisyphus
Comment 1•16 years ago (Assignee)
Attachment #356879 - Flags: review?(laura)
Updated•16 years ago
Attachment #356879 - Flags: review?(laura) → review+
Comment 2•16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 4•16 years ago (Reporter)
So close!
One more to go:
http://support.mozilla.com/tiki-poll_results.php?pollId=%22whscheck=%22whscheck()
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Target Milestone: 0.8.1 → 0.8.2
Comment 5•16 years ago (Assignee)
Jeez.
I wonder if it'd be better to just add some code to Smarty::assign (probably in webroot/setup_smarty.php) to escape outputs unless specified otherwise. At least then all the sanitizing would take place at the same layer and save us a bunch of XSS headaches.
Then again, at this point, we'd need to refactor a lot of smarty code to prevent double-escapes.
Comment 6•16 years ago
Greenfields, this would be the right way to do it. However, some issues:
1. We have no tests to spot regressions.
2. I'm fairly sure that this would cost a lot of time and effort in testing, QA, and just recoding. Would most likely need doing in a new branch.
3. The reason Smarty supports different types of escaping is that output needs to be escaped differently depending on where it's going. This will mean in places we'll end up unescaping and re-escaping appropriately. It's a similar problem to turning on magic quotes.
So, given that I think we've closed off the WH vectors (bar one), the right way to proceed is:
- Start writing tests (needs doing anyway)
- Sometime, when we have time - which won't be this quarter, we are already behind - make a branch and experiment with making a global change to see how much stuff breaks.
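The trade-off argued in comments 5 and 6 (escape once in Smarty::assign versus escape at output per context, and the double-escaping that follows from doing both) as an added, runnable illustration; this is not code from the bug or from the Tiki code base. Python stands in for PHP/Smarty. The attribute payload is the shape reported in this bug's description; the template, the `esc_*` helpers, the render functions and the second payload `4&scoresort_asc=1` are constructed for the example.

```python
"""Escape at assign time, or per output context? Constructed illustration of
the trade-off in comments 5 and 6. Python stands in for PHP/Smarty here;
nothing below is Tiki's own code."""
import html
import re
from urllib.parse import parse_qs, quote

# Payload shape from this bug's description: close the quoted attribute and
# append a STYLE attribute. x(a:whs()) is the scanner's harmless marker.
ATTR_PAYLOAD = '" STYLE="background-image: x(a:whs())'
# Constructed payload for the URL context: smuggle a second query parameter.
URL_PAYLOAD = '4&scoresort_asc=1'

# Constructed Smarty-like template that writes one variable into two
# contexts: an HTML attribute value, and a query parameter inside an href.
TEMPLATE = ('<input type="hidden" name="pollId" value="{attr}"/>\n'
            '<a href="tiki-poll_results.php?pollId={url}">results</a>')


def esc_attr(value):
    """HTML attribute context: &, <, >, " and ' become entities."""
    return html.escape(value, quote=True)


def esc_url_param(value):
    """Query-parameter-inside-an-attribute context: percent-encode for the
    URL, then entity-encode for the attribute that carries the URL."""
    return html.escape(quote(value, safe=''), quote=True)


def render_unescaped(value):
    """The vulnerable pattern: request data copied straight into markup."""
    return TEMPLATE.format(attr=value, url=value)


def render_one_escaper(value):
    """Comment 5's idea if templates stop escaping: one HTML escaper applied
    to every variable at assign time, whatever context it lands in."""
    return TEMPLATE.format(attr=esc_attr(value), url=esc_attr(value))


def render_context_escaped(value):
    """Comment 6's position: escape at output, per context (in Smarty terms,
    {$v|escape:'html'} in the attribute, {$v|escape:'url'} in the href)."""
    return TEMPLATE.format(attr=esc_attr(value), url=esc_url_param(value))


def render_escape_at_assign(value):
    """Escaping in assign while the templates keep their own |escape filters:
    the value is escaped twice."""
    assigned = esc_attr(value)
    return TEMPLATE.format(attr=esc_attr(assigned), url=esc_url_param(assigned))


def input_attributes(markup):
    """Attribute names a parser sees on the <input> tag; a clean render has
    exactly type, name and value."""
    tag = re.search(r'<input [^>]*>', markup).group(0)
    return re.findall(r'\b([A-Za-z-]+)=(?:"[^"]*"|[^\s/>]+)', tag)


def attribute_value_seen_by_browser(markup):
    """The pollId value after the browser's entity decoding."""
    return html.unescape(re.search(r'value="([^"]*)"', markup).group(1))


def href_query_params(markup):
    """Query parameters in the href after both decodings a browser applies:
    entity decoding for the attribute, then percent-decoding of the URL."""
    href = html.unescape(re.search(r'href="([^"]*)"', markup).group(1))
    return parse_qs(href.split('?', 1)[1], keep_blank_values=True)


if __name__ == '__main__':
    for name, render in [('unescaped', render_unescaped),
                         ('one escaper', render_one_escaper),
                         ('per context', render_context_escaped),
                         ('assign + output', render_escape_at_assign)]:
        print(name)
        print('  input attrs :', input_attributes(render(ATTR_PAYLOAD)))
        print('  value seen  :', attribute_value_seen_by_browser(render(ATTR_PAYLOAD)))
        print('  href params :', href_query_params(render(URL_PAYLOAD)))
```

Running it shows the three outcomes the thread is weighing: the unescaped render grows a fourth attribute (STYLE) on the input tag; HTML-escaping everything keeps the attribute intact but still lets the URL payload add a `scoresort_asc` parameter to the link, which is comment 6's point that one escaper cannot serve every context; and escaping both in assign and in the template survives the attack but hands the browser `&quot; STYLE=&quot;...` instead of the original value, the double-escape breakage comment 5 anticipates.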
Comment 7•16 years ago (Assignee)
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED
Comment 8•16 years ago
Is this fixed, per the screenshot?
Comment 9•16 years ago
Can't tell from screenshot but view source says yes (please confirm).
(In reply to comment #9)
> Can't tell from screenshot but view source says yes (please confirm).
Sorry, yeah; now I remember:
staging: <input type="hidden" name="pollId" value=""whscheck="whscheck()"/>
prod: <input type="hidden" name="pollId" value=""whscheck="whscheck()"/>
Verified FIXED.
Status: RESOLVED → VERIFIED
Updated•16 years ago
Whiteboard: tiki_triage
Updated•15 years ago
Whiteboard: tiki_triage → tiki_test
Comment 11•12 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Comment 12•9 years ago
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security