Closed
Bug 500146
Opened 15 years ago
Closed 15 years ago
XSS vuln in 'plugins' parameter on tiki-view_forum.php
Categories
(support.mozilla.org :: Knowledge Base Software, task)
support.mozilla.org
Knowledge Base Software
Tracking
(Not tracked)
VERIFIED
FIXED
1.2
People
(Reporter: reed, Assigned: ecooper)
References
()
Details
(Keywords: wsec-xss, Whiteboard: sumo_only)
Attachments
(2 files, 1 obsolete file)
1.96 KB,
patch
|
ecooper
:
review-
laura
:
review+
|
Details | Diff | Splinter Review |
4.02 KB,
patch
|
laura
:
review+
reed
:
review+
|
Details | Diff | Splinter Review |
Reporter | ||
Comment 1•15 years ago
|
||
In forum_advanced_post.php --
$_REQUEST["long_description"] = rtrim(strip_tags($_REQUEST["long_description"]));
$_REQUEST["fx_version"] = strip_tags($_REQUEST["fx_version"]);
$_REQUEST["comments_title"] = strip_tags($_REQUEST["comments_title"]);
$_REQUEST["extensions"] = rtrim(strip_tags($_REQUEST["extensions"]));
$_REQUEST["os"] = strip_tags($_REQUEST["os"]);
$_REQUEST["plugins"] = strip_tags($_REQUEST["plugins"]);
$_REQUEST["comments_data"] = $_REQUEST["long_description"];
$_REQUEST["comments_data"] .= '';
if ($_REQUEST["extensions"]) {
$_REQUEST["comments_data"] .= "\n\n" . "!! " . tra('Extensions installed: ');
$_REQUEST["comments_data"] .= "\n\n";
$_REQUEST["comments_data"] .= $_REQUEST["extensions"];
}
if ($_REQUEST["plugins"]) {
$_REQUEST["comments_data"] .= "\n\n" . "!! " . tra('Plugins installed: ');
$_REQUEST["comments_data"] .= "\n\n";
$_REQUEST["comments_data"] .= $_REQUEST["plugins"];
}
:/
Reporter | ||
Comment 2•15 years ago
|
||
/me cries
Attachment #384837 -
Flags: review?(smirkingsisyphus)
Attachment #384837 -
Flags: review?(laura)
Reporter | ||
Comment 3•15 years ago
|
||
If this is reviewed and landed today, can it make tomorrow's release?
Status: NEW → ASSIGNED
Target Milestone: --- → 1.2
Updated•15 years ago
|
Attachment #384837 -
Flags: review?(laura) → review+
Comment 4•15 years ago
|
||
Comment on attachment 384837 [details] [diff] [review]
patch - v1 (untested)
Yes, it can make the release. Commit ASAP.
Reporter | ||
Comment 5•15 years ago
|
||
r28394/r28395
ecooper, your review is always welcome for security fixes, too. always helps to have multiple pairs of eyes.
Comment 6•15 years ago
|
||
Please let QA know the best way to verify this, thanks!
Reporter | ||
Comment 7•15 years ago
|
||
<h3 class="showhide_heading" id="_Plugins_installed_"> Plugins installed:</h3>
<p>" style="background:url(javascript:alert('XSS Test Successful');)" OA="
</p>
<hr />
</div>
</div>
<div id="forumpost" style="display:block;">
<form method="post" enctype="multipart/form-data" action="/tiki-view_forum.php?locale=en-US" id="editpageform">
<input type="hidden" name="comments_offset" value="0" />
<input type="hidden" name="comments_threadId" value="0" />
<input type="hidden" name="comments_threshold" value="0" />
<input type="hidden" name="thread_sort_mode" value="lastPost_desc" />
<input type="hidden" name="forumId" value="1" />
<input type="hidden" name="forum_advanced_post" value="y" />
<input type="hidden" name="comment_topictype" value="n" />
<input type="hidden" name="comments_data" value="advanced post in use" />
<input type="hidden" name="plugins" value="" style="background:url(javascript:alert('XSS Test Successful');)" OA="" id="plugins" />
Both of the above things should be encoded instead of raw.
Reporter | ||
Comment 8•15 years ago
|
||
Sigh, I'm over-encoding.
<div class="commenttext">
<h3 class="showhide_heading" id="_Plugins_installed_"> Plugins installed:</h3>
<p>" style="background:url(javascript:alert('XSS Test Successful');)" OA="
</p>
<hr />
</div>
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Reporter | ||
Updated•15 years ago
|
Keywords: push-needed
Reporter | ||
Comment 9•15 years ago
|
||
How about this instead?
Attachment #384837 -
Attachment is obsolete: true
Attachment #385055 -
Flags: review?(smirkingsisyphus)
Attachment #385055 -
Flags: review?(laura)
Attachment #384837 -
Flags: review?(smirkingsisyphus)
Updated•15 years ago
|
Attachment #385055 -
Flags: review?(laura) → review+
Reporter | ||
Comment 10•15 years ago
|
||
r28453/r28454
Seems ok... ready for QA.
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Keywords: push-needed
Resolution: --- → FIXED
Assignee | ||
Comment 11•15 years ago
|
||
Comment on attachment 385055 [details] [diff] [review]
patch - v2 (untested)
I know I'm wayyyy to late to be coming in with this, but using htmlspecialchars() on all the inputs in webroot/forum_advanced_post.php will cause the values to be double encoded in the <input> and <textarea> tags when they are rendered by smarty in forum_advanced_post.tpl.
This will only be a problem if the user clicks 'Preivew' or tries to submit without all required fields completed. It won't affect the usual 'type then post' use cases.
Attachment #385055 -
Flags: review?(smirkingsisyphus) → review-
Reporter | ||
Comment 12•15 years ago
|
||
(In reply to comment #11)
> (From update of attachment 385055 [details] [diff] [review])
> I know I'm wayyyy to late to be coming in with this, but using
> htmlspecialchars() on all the inputs in webroot/forum_advanced_post.php will
> cause the values to be double encoded in the <input> and <textarea> tags when
> they are rendered by smarty in forum_advanced_post.tpl.
Indeed. This only affects a few of the variables, though. I'll track down which ones exactly.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
We need this fixed so we can verify and tag for 1.2; I'm going to lunch, but either Krupa or myself will verify soon after it's fixed.
Assignee | ||
Comment 14•15 years ago
|
||
This removes the '|escape' from smarty variables already escaped via htmlspecialchars() in webroot/forum_advanced_post.php.
And, as an added bonus, I fixed another XSS vulnerability involving the anon email address being pulled directly from the request.
Attachment #385206 -
Flags: review?(reed)
Attachment #385206 -
Flags: review?(laura)
Updated•15 years ago
|
Attachment #385206 -
Flags: review?(laura) → review+
Assignee | ||
Comment 15•15 years ago
|
||
r28557/r28558
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → FIXED
Verified FIXED as best I can tell on https://support-stage.mozilla.org/tiki-view_forum.php?locale=en-US&comments_offset=0&comments_threadId=0&comments_threshold=0&thread_sort_mode=lastPost_desc&forumId=1&forum_advanced_post=y&comment_topictype=n&comments_data=advanced%20post%20in%20use&plugins=%22%20style%3d%22background%3aurl%28javascript%3aalert%28%27XSS%20Test%20Successful%27%29%3b%29%22%20OA%3d%22&comments_title=123456&fx_version=123456&userfile1=123456&anonymous_name=123456&anonymous_email=123456&comments_postComment=Post&comments_previewComment=Preview&comments_postCancel=Cancel:
<input type="hidden" name="plugins" value="" style="background:ur<x>l(ja<x>vascript:al<x>ert('XSS Test Successful');)" OA="" id="plugins" />
Status: RESOLVED → VERIFIED
Reporter | ||
Comment 17•15 years ago
|
||
Comment on attachment 385206 [details] [diff] [review]
v3
meh, I don't like doing half-and-half, but whatever, this is all horrible code that should be rewritten from scratch.
Attachment #385206 -
Flags: review?(reed) → review+
Reporter | ||
Updated•15 years ago
|
Keywords: push-needed
Reporter | ||
Updated•15 years ago
|
Assignee: reed → smirkingsisyphus
Assignee | ||
Updated•15 years ago
|
Target Milestone: 1.2 → 1.3
Assignee | ||
Updated•15 years ago
|
Target Milestone: 1.3 → 1.2
Updated•15 years ago
|
Whiteboard: sumo_only
Comment 18•11 years ago
|
||
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Comment 19•9 years ago
|
||
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
You need to log in
before you can comment on or make changes to this bug.
Description
•