Closed Bug 500146 Opened 15 years ago Closed 15 years ago

XSS vuln in 'plugins' parameter on tiki-view_forum.php

Categories

(support.mozilla.org :: Knowledge Base Software, task)

task
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: reed, Assigned: ecooper)

References

()

Details

(Keywords: wsec-xss, Whiteboard: sumo_only)

Attachments

(2 files, 1 obsolete file)

In forum_advanced_post.php -- $_REQUEST["long_description"] = rtrim(strip_tags($_REQUEST["long_description"])); $_REQUEST["fx_version"] = strip_tags($_REQUEST["fx_version"]); $_REQUEST["comments_title"] = strip_tags($_REQUEST["comments_title"]); $_REQUEST["extensions"] = rtrim(strip_tags($_REQUEST["extensions"])); $_REQUEST["os"] = strip_tags($_REQUEST["os"]); $_REQUEST["plugins"] = strip_tags($_REQUEST["plugins"]); $_REQUEST["comments_data"] = $_REQUEST["long_description"]; $_REQUEST["comments_data"] .= ''; if ($_REQUEST["extensions"]) { $_REQUEST["comments_data"] .= "\n\n" . "!! " . tra('Extensions installed: '); $_REQUEST["comments_data"] .= "\n\n"; $_REQUEST["comments_data"] .= $_REQUEST["extensions"]; } if ($_REQUEST["plugins"]) { $_REQUEST["comments_data"] .= "\n\n" . "!! " . tra('Plugins installed: '); $_REQUEST["comments_data"] .= "\n\n"; $_REQUEST["comments_data"] .= $_REQUEST["plugins"]; } :/
Attached patch patch - v1 (untested) (obsolete) — Splinter Review
/me cries
Attachment #384837 - Flags: review?(smirkingsisyphus)
Attachment #384837 - Flags: review?(laura)
If this is reviewed and landed today, can it make tomorrow's release?
Status: NEW → ASSIGNED
Target Milestone: --- → 1.2
Attachment #384837 - Flags: review?(laura) → review+
Comment on attachment 384837 [details] [diff] [review] patch - v1 (untested) Yes, it can make the release. Commit ASAP.
r28394/r28395 ecooper, your review is always welcome for security fixes, too. always helps to have multiple pairs of eyes.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Keywords: push-needed
Resolution: --- → FIXED
Please let QA know the best way to verify this, thanks!
<h3 class="showhide_heading" id="_Plugins_installed_"> Plugins installed:</h3> <p>" style="background:url(javascript:alert('XSS Test Successful');)" OA=" </p> <hr /> </div> </div> <div id="forumpost" style="display:block;"> <form method="post" enctype="multipart/form-data" action="/tiki-view_forum.php?locale=en-US" id="editpageform"> <input type="hidden" name="comments_offset" value="0" /> <input type="hidden" name="comments_threadId" value="0" /> <input type="hidden" name="comments_threshold" value="0" /> <input type="hidden" name="thread_sort_mode" value="lastPost_desc" /> <input type="hidden" name="forumId" value="1" /> <input type="hidden" name="forum_advanced_post" value="y" /> <input type="hidden" name="comment_topictype" value="n" /> <input type="hidden" name="comments_data" value="advanced post in use" /> <input type="hidden" name="plugins" value="" style="background:url(javascript:alert('XSS Test Successful');)" OA="" id="plugins" /> Both of the above things should be encoded instead of raw.
Sigh, I'm over-encoding. <div class="commenttext"> &lt;h3 class=&quot;showhide_heading&quot; id=&quot;_Plugins_installed_&quot;&gt; Plugins installed:&lt;/h3&gt; &lt;p&gt;&quot; style=&quot;background:url(javascript:alert(&#039;XSS Test Successful&#039;);)&quot; OA=&quot; &lt;/p&gt; <hr /> </div>
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Keywords: push-needed
How about this instead?
Attachment #384837 - Attachment is obsolete: true
Attachment #385055 - Flags: review?(smirkingsisyphus)
Attachment #385055 - Flags: review?(laura)
Attachment #384837 - Flags: review?(smirkingsisyphus)
Attachment #385055 - Flags: review?(laura) → review+
r28453/r28454 Seems ok... ready for QA.
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Keywords: push-needed
Resolution: --- → FIXED
Comment on attachment 385055 [details] [diff] [review] patch - v2 (untested) I know I'm wayyyy to late to be coming in with this, but using htmlspecialchars() on all the inputs in webroot/forum_advanced_post.php will cause the values to be double encoded in the <input> and <textarea> tags when they are rendered by smarty in forum_advanced_post.tpl. This will only be a problem if the user clicks 'Preivew' or tries to submit without all required fields completed. It won't affect the usual 'type then post' use cases.
Attachment #385055 - Flags: review?(smirkingsisyphus) → review-
(In reply to comment #11) > (From update of attachment 385055 [details] [diff] [review]) > I know I'm wayyyy to late to be coming in with this, but using > htmlspecialchars() on all the inputs in webroot/forum_advanced_post.php will > cause the values to be double encoded in the <input> and <textarea> tags when > they are rendered by smarty in forum_advanced_post.tpl. Indeed. This only affects a few of the variables, though. I'll track down which ones exactly.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
We need this fixed so we can verify and tag for 1.2; I'm going to lunch, but either Krupa or myself will verify soon after it's fixed.
Attached patch v3Splinter Review
This removes the '|escape' from smarty variables already escaped via htmlspecialchars() in webroot/forum_advanced_post.php. And, as an added bonus, I fixed another XSS vulnerability involving the anon email address being pulled directly from the request.
Attachment #385206 - Flags: review?(reed)
Attachment #385206 - Flags: review?(laura)
Attachment #385206 - Flags: review?(laura) → review+
r28557/r28558
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED
Comment on attachment 385206 [details] [diff] [review] v3 meh, I don't like doing half-and-half, but whatever, this is all horrible code that should be rewritten from scratch.
Attachment #385206 - Flags: review?(reed) → review+
Keywords: push-needed
Assignee: reed → smirkingsisyphus
Target Milestone: 1.2 → 1.3
Target Milestone: 1.3 → 1.2
Whiteboard: sumo_only
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: