Closed Bug 516631 Opened 11 years ago Closed 10 years ago

XSS in page parameter in tiki-editpage.php

Categories

(support.mozilla.org :: Knowledge Base Software, task, critical)

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: justdave, Assigned: jsocol)

Details

(Keywords: wsec-xss, Whiteboard: [WH-1628181] [tiki_test] [infrasec:xss])

Attachments

(1 file)

The following URL embeds the payload string into the value attribute of the "page" text entry box in the page.

http://support.mozilla.com/tiki-editpage.php?locale=en-US&page="whscheck="whscheck&source_page=How+to+set+the+home+page&oldver=27&newver=34&diff_style=inlinediff-full

If you use the latter, look for "whscheck="whscheck (with the quote) in the source of the returned page (it occurs once, unescaped, inside a form parameter).

Note that I'm unable to reproduce this using Firefox; Firefox apparently screws with the URL to prevent you from actually sending this. If I use openssl s_client to connect to the server and send it manually, I can reproduce it. (Note that you'll need to snag your SUMO cookies out of LiveHTTPHeaders or so forth to send along with your request in s_client.)
Whiteboard: WH-1628181
Blocks: 460069
Severity: blocker → critical
Component: General → Knowledge Base Software
QA Contact: general → kb-software
morgamic, can we get somebody assigned to this bug to fix this? This security bug has been sitting around for over two weeks with no update.
Assignee: nobody → james
Target Milestone: --- → 1.4.1
This section is in a dynamic content block (i.e., stored in the database). I've changed it on both stage and production to escape this variable. The template already has the |escape modifier but is not used.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
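The escaping fix described in the comment above, sketched as an added example that is not Tiki's or SUMO's code: plain PHP `htmlspecialchars` stands in for the Smarty `|escape` modifier, and every function name here is hypothetical. It renders the "page" text box with and without escaping and runs a regression check on the marker string from the report.

```php
<?php
// Added illustration, not Tiki or SUMO code; all function names are hypothetical.

// Before the fix: the "page" request value goes into the attribute as-is.
function render_page_field_raw(string $page): string
{
    return '<input type="text" name="page" value="' . $page . '" />';
}

// After the fix: escape for an HTML attribute context. ENT_QUOTES encodes
// both quote characters, so the value cannot end the attribute early.
function render_page_field_escaped(string $page): string
{
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="page" value="' . $safe . '" />';
}

// Regression check: read back the value attribute, decode it, and compare it
// with what was submitted. A value that closed the attribute early fails.
function value_round_trips(string $html, string $page): bool
{
    if (!preg_match('/\bvalue="([^"]*)"/', $html, $m)) {
        return false;
    }
    return htmlspecialchars_decode($m[1], ENT_QUOTES) === $page;
}

// Inputs: the marker string from the report and the benign page title from its URL.
$inputs = ['"whscheck="whscheck', 'How to set the home page'];
$renderers = [
    'raw'     => 'render_page_field_raw',
    'escaped' => 'render_page_field_escaped',
];

foreach ($inputs as $page) {
    foreach ($renderers as $label => $render) {
        $html = $render($page);
        printf("%-8s %-26s round-trips: %s\n", $label, $page,
            value_round_trips($html, $page) ? 'yes' : 'no');
    }
}
```

A benign page title passes the check under both renderers, which is why a test for this class of bug needs an input containing a quote character.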
Verified FIXED; see screenshot in comment 3 for the details.
Status: RESOLVED → VERIFIED
Whiteboard: WH-1628181 → WH-1628181 tiki_triage
Whiteboard: WH-1628181 tiki_triage → WH-1628181 tiki_test
Whiteboard: WH-1628181 tiki_test → [WH-1628181] [tiki_test] [infrasec:xss]
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security