Closed Bug 516631 Opened 11 years ago Closed 10 years ago
XSS in page parameter in tiki-editpage
The following URL embeds the payload string into the value attribute of the "page" text entry box in the page.

http://support.mozilla.com/tiki-editpage.php?locale=en-US&page="whscheck="whscheck&source_page=How+to+set+the+home+page&oldver=27&newver=34&diff_style=inlinediff-full

If you use the latter, look for "whscheck="whscheck (with the quote) in the source of the returned page (it occurs once, unescaped, inside a form parameter).

Note that I'm unable to reproduce this using Firefox; Firefox apparently screws with the URL to prevent you from actually sending this. If I use openssl s_client to connect to the server and send it manually, I can reproduce it. (Note that you'll need to snag your SUMO cookies out of LiveHTTPHeaders or so forth to send along with your request in s_client.)
Severity: blocker → critical
Component: General → Knowledge Base Software
QA Contact: general → kb-software
morgamic, can we get somebody assigned to this bug to fix this? This security bug has been sitting around for over two weeks with no update.
Assignee: nobody → james
Target Milestone: --- → 1.4.1
This section is in a dynamic content block (i.e., stored in the database). I've changed it on both stage and production to escape this variable. The template already has the |escape modifier, but it is not used.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
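A regression check for the fix described above, as an added example that is not code from this bug, Tiki, or SUMO. The two render functions are hypothetical stand-ins for the "page" text box template, Python's `html.escape` stands in for Smarty's `|escape` modifier, and the expected attribute set is an assumption.

```python
from html import escape
from html.parser import HTMLParser

PROBE = '"whscheck="whscheck'               # marker string quoted in the report
EXPECTED_ATTRS = {"type", "name", "value"}  # assumed attributes of the text box


def render_raw(page):
    """Hypothetical 'before' template: parameter interpolated without escaping."""
    return '<form><input type="text" name="page" value="%s"></form>' % page


def render_escaped(page):
    """Hypothetical 'after' template: html.escape stands in for Smarty's |escape."""
    return ('<form><input type="text" name="page" value="%s"></form>'
            % escape(page, quote=True))


class InputCollector(HTMLParser):
    """Collects the attribute list of every <input> start tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(attrs)


def check_field(html_text, field, sent):
    """Return (value_intact, injected_attrs) for the input named `field`."""
    parser = InputCollector()
    parser.feed(html_text)
    parser.close()
    for attrs in parser.inputs:
        parsed = dict(attrs)
        if parsed.get("name") == field:
            # Any attribute the template did not define came from the parameter.
            injected = sorted(k for k in parsed if k not in EXPECTED_ATTRS)
            return parsed.get("value") == sent, injected
    raise LookupError("no input named %r in response" % field)


if __name__ == "__main__":
    for label, render in (("raw", render_raw), ("escaped", render_escaped)):
        intact, injected = check_field(render(PROBE), "page", PROBE)
        print(label, "value intact:", intact, "injected attributes:", injected)
```

Parsing the response instead of searching for the raw string shows the actual failure: without escaping, the quote closes the value attribute and the rest of the parameter becomes a new attribute on the input element.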
Verified FIXED; see screenshot in comment 3 for the details.
Status: RESOLVED → VERIFIED
Whiteboard: WH-1628181 tiki_test → [WH-1628181] [tiki_test] [infrasec:xss]
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
These bugs are all resolved, so I'm removing the security flag from them.