Bug 468626 (WH-1704994)

XSS vulns on tiki-poll_results.php

VERIFIED FIXED in 0.8.2

Status

--
critical
VERIFIED FIXED
10 years ago
3 years ago

People

(Reporter: reed, Assigned: ecooper)

Tracking

({wsec-xss})

unspecified
0.8.2
wsec-xss

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: tiki_test, URL)

Attachments

(3 attachments)

http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-15&vote_to_date=2008-11-14&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-22&vote_to_date=2008-11-21&maxRecords=30
https://support.mozilla.com/tiki-poll_results.php?scoresort_asc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-22&vote_to_date=2008-11-21&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-10-07&vote_to_date=2008-12-06&maxRecords=30

http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-15&vote_to_date=2008-11-14&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-22&vote_to_date=2008-11-21&maxRecords=30
https://support.mozilla.com/tiki-poll_results.php?scoresort_desc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-09-22&vote_to_date=2008-11-21&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=%22%20STYLE=%22background-image:%20x(a:whs())&vote_from_date=2008-10-07&vote_to_date=2008-12-06&maxRecords=30

http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-14&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-14&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-21&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-21&maxRecords=30
https://support.mozilla.com/tiki-poll_results.php?scoresort_desc=0&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-21&maxRecords=30

http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=2008-09-15&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=2008-09-15&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=2008-09-22&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=2008-09-22&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
https://support.mozilla.com/tiki-poll_results.php?scoresort_desc=0&vote_from_date=2008-09-22&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30

https://support.mozilla.com/tiki-poll_results.php?scoresort_asc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-11-21&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-12-06&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=%22%20STYLE=%22background-image:%20x(a:whs())&vote_to_date=2008-12-06&maxRecords=30

https://support.mozilla.com/tiki-poll_results.php?scoresort_asc=4&vote_from_date=2008-09-22&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_desc=4&vote_from_date=2008-10-07&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30
http://support.mozilla.com/tiki-poll_results.php?locale=en-US&scoresort_asc=4&vote_from_date=2008-10-07&vote_to_date=%22%20STYLE=%22background-image:%20x(a:whs())&maxRecords=30

Updated

10 years ago
Target Milestone: --- → 0.8.1
(Assignee)

Updated

10 years ago
Assignee: nobody → smirkingsisyphus
(Assignee)

Comment 1

10 years ago
Created attachment 356879 [details] [diff] [review]
Escapes various params passed to tiki-poll_results.php
Attachment #356879 - Flags: review?(laura)

Updated

10 years ago
Attachment #356879 - Flags: review?(laura) → review+
In trunk r21585, prod r21586.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Verified FIXED on staging.
Status: RESOLVED → VERIFIED
(Reporter)

Comment 4

10 years ago
So close!

One more to go:

http://support.mozilla.com/tiki-poll_results.php?pollId=%22whscheck=%22whscheck()
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Target Milestone: 0.8.1 → 0.8.2
(Assignee)

Comment 5

10 years ago
Created attachment 357971 [details] [diff] [review]
Escapes pollId

Jeez. 

I wonder if it'd be better to just add some code to Smarty::assign (probably in webroot/setup_smarty.php) to escape outputs unless specified otherwise. At least then all the sanitizing would take place at the same layer and save us a bunch of XSS headaches.

Then again, at this point, we'd need to refactor a lot of smarty code to prevent double-escapes.
Greenfields, this would be the right way to do it.  However, some issues:
1. We have no tests to spot regressions.
2. I'm fairly sure that this would cost a lot of time and effort in testing, QA, and just recoding.  Would most likely need doing in a new branch.
3. The reason Smarty supports different types of escaping is that output needs to be escaped differently depending on where it's going.  This will mean in places we'll end up unescaping and re-escaping appropriately.  It's a similar problem to turning on magic quotes.

So, given that I think we've closed off the WH vectors (bar one), the right way to proceed is:
- Start writing tests (needs doing anyway)
- Sometime, when we have time - which won't be this quarter, we are already behind - make a branch and experiment with making a global change to see how much stuff breaks.
(Assignee)

Comment 7

10 years ago
In r21982 / r21984
Status: REOPENED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Created attachment 360557 [details]
Screenshot

Is this fixed, per the screenshot?
Can't tell from screenshot but view source says yes (please confirm).
(In reply to comment #9)
> Can't tell from screenshot but view source says yes (please confirm).

Sorry, yeah; now I remember:

staging: <input type="hidden" name="pollId" value="&quot;whscheck=&quot;whscheck()"/>

prod: <input type="hidden" name="pollId" value=""whscheck="whscheck()"/>

Verified FIXED.
Status: RESOLVED → VERIFIED
Whiteboard: tiki_triage
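As an added illustration of the two points this thread makes (it is not code from the bug, its attachments, or Tiki/Kitsune, and it is in Python rather than the project's PHP/Smarty), the block below renders the `pollId` hidden input three ways: unescaped as before the fix, escaped for the HTML attribute context at output as the staging markup in comment 10 shows, and escaped twice to model the "escape everything in Smarty::assign" idea from comment 5 layered on a template that already escapes, which is the double-escape problem comment 6 raises. The probe strings are constructed after the shapes used in this bug, and the round-trip check (parse the rendered tag, confirm the value comes back intact and no extra attribute was created) is the kind of verification the "view source says yes" step in comment 10 performs by eye.

```python
import html
from html.parser import HTMLParser

# Constructed probe strings shaped like the reporter's checks in this bug
# (the pollId one from comment 4 and the STYLE= one from the URL list).
# They are not copied from the bug's attachments.
PROBES = [
    '"whscheck="whscheck()',
    '" STYLE="background-image: x(a:whs())',
]


def render_poll_id_vulnerable(poll_id: str) -> str:
    """Pre-fix behaviour: the request parameter lands in the attribute unescaped."""
    return f'<input type="hidden" name="pollId" value="{poll_id}"/>'


def render_poll_id_fixed(poll_id: str) -> str:
    """Post-fix behaviour: escape for the HTML attribute context at the point of output.
    html.escape(quote=True) turns the double quote into &quot;, which is what the
    staging output in comment 10 shows."""
    return f'<input type="hidden" name="pollId" value="{html.escape(poll_id, quote=True)}"/>'


def render_poll_id_double_escaped(poll_id: str) -> str:
    """Model of escaping at assign time on top of a template that already escapes:
    the value is encoded twice, so the user sees literal &quot; text instead of a
    quote (comment 6's double-escape objection)."""
    assigned = html.escape(poll_id, quote=True)  # escaped once when assigned
    return f'<input type="hidden" name="pollId" value="{html.escape(assigned, quote=True)}"/>'


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag, as a browser-side parser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)


def parsed_input_attrs(markup: str) -> dict:
    """Return the attribute dict the parser recovers from the rendered markup
    (entity references in attribute values are decoded, names are lowercased)."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def value_round_trips(render, poll_id: str) -> bool:
    """Verification check: the value attribute must come back as exactly the input,
    and the probe must not have smuggled in extra attributes (e.g. style=)."""
    attrs = parsed_input_attrs(render(poll_id))
    return attrs.get("value") == poll_id and set(attrs) == {"type", "name", "value"}


if __name__ == "__main__":
    for probe in PROBES:
        for name, render in (("vulnerable", render_poll_id_vulnerable),
                             ("fixed", render_poll_id_fixed),
                             ("double-escaped", render_poll_id_double_escaped)):
            print(f"{name:15s} round-trips={value_round_trips(render, probe)!s:5s} {render(probe)}")
```

Running it shows the vulnerable rendering failing the round trip because the probe closes the attribute early and adds a new one, the fixed rendering passing for both probe shapes, and the double-escaped rendering failing for the opposite reason: the markup is safe, but the value the page sees is no longer what was submitted. That last case is why a single global escape layer, as discussed in comments 5 and 6, needs the templates audited for existing `|escape` modifiers before it can be switched on.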

Updated

9 years ago
Whiteboard: tiki_triage → tiki_test
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security