Closed
Bug 556544
(WH-3730327)
Opened 14 years ago
Closed 14 years ago
XSS in tiki-browse_categories.php via parentId p win various params
Categories
(support.mozilla.org :: Knowledge Base Software, task)
support.mozilla.org
Knowledge Base Software
Tracking
(Not tracked)
VERIFIED
FIXED
1.5.4
People
(Reporter: clyon, Assigned: jsocol)
References
()
Details
(Keywords: wsec-xss)
Attachments
(3 files, 1 obsolete file)
|
1.10 KB,
patch
|
paulc
:
review+
|
Details | Diff | Splinter Review |
|
1.10 KB,
patch
|
paulc
:
review+
|
Details | Diff | Splinter Review |
|
24.75 KB,
patch
|
paulc
:
review+
|
Details | Diff | Splinter Review |
Sentinel has detected an XSS in the parameter "parentId" in parentId tiki-browse_categories.php. sentinel get: https:// mobile.support.mozilla.com/tiki-browse_categories.php? parentId=<whscheck>&watch_event=category_changed& watch_object=11&deep=off&watch_action=add https:// mobile.support.mozilla.com/tiki-browse_categories.php? locale=en-US&find=&deep=off&type=& parentId=<whscheck>&offset=10&sort_mode=name_asc
|
Assignee | |
Updated•14 years ago
|
Assignee: nobody → james
Target Milestone: --- → 1.5.4
|
Reporter | |
Comment 1•14 years ago
|
||
(In reply to comment #0) > Sentinel has detected an XSS in the parameter "parentId" in parentId > tiki-browse_categories.php. > > > sentinel get: > > https:// mobile.support.mozilla.com/tiki-browse_categories.php? > parentId=<whscheck>&watch_event=category_changed& > watch_object=11&deep=off&watch_action=add > > https:// mobile.support.mozilla.com/tiki-browse_categories.php? > locale=en-US&find=&deep=off&type=& > parentId=<whscheck>&offset=10&sort_mode=name_asc Do you guys have what you need in order to get this fixed to? This has been sitting since 4/1 without any action.
|
|
Assignee | |
Comment 2•14 years ago
|
||
I do, and am working on a fix now. 1.5.4 should go out next Thursday.
|
|
Assignee | |
Comment 3•14 years ago
|
||
Adds |escape:'url' several dozen places. Some where escaped incorrectly, others were unescaped. Attaching two bits of SQL, again for mobile and desktop, that also contain fixes.
Attachment #438877 -
Flags: review?(paulc)
|
|
Assignee | |
Comment 4•14 years ago
|
||
SQL to update dynamic content to properly escaped content.
Attachment #438878 -
Flags: review?(paulc)
|
||
Comment 6•14 years ago
|
||
Comment on attachment 438877 [details] [diff] [review] patch, urlencodes output >Index: webroot/templates/tiki-browse_categories.tpl >=================================================================== >--- webroot/templates/tiki-browse_categories.tpl (revision 65751) >+++ webroot/templates/tiki-browse_categories.tpl (working copy) >-<a class="categpath" href="tiki-browse_categories.php?parentId={$path[x].categId}&deep={$deep}&type={$type|escape}">{$path[x].name|tr_if}</a> >+<a class="categpath" href="tiki-browse_categories.php?parentId={$path[x].categId|escape:'url'}&deep={$deep|escape:'url'}&type={$type|escape}">{$path[x].name|tr_if}</a> Missed $type right here. Also, |*.categId| is escaped here... >-<a class="categpath" href="tiki-browse_categories.php?parentId={$paths[x][y].categId}&deep={$deep}&type={$type|escape}">{$paths[x][y].name|tr_if}</a> >+<a class="categpath" href="tiki-browse_categories.php?parentId={$paths[x][y].categId}&deep={$deep|escape:'url'}&type={$type|escape}">{$paths[x][y].name|tr_if}</a> ... but not here. >Index: webroot/templates/styles/mozkb/tiki-browse_categories.tpl >=================================================================== >--- webroot/templates/styles/mozkb/tiki-browse_categories.tpl (revision 65751) >+++ webroot/templates/styles/mozkb/tiki-browse_categories.tpl (working copy) >-<a class="neatlink" href="tiki-browse_categories.php?find={$find|escape}&deep={$deep|escape}&type={$type}&parentId={$parentId|escape}&offset={$prev_offset|escape}&sort_mode={$sort_mode|escape}"><<</a> >+<a class="neatlink" href="tiki-browse_categories.php?find={$find|escape:'url'}&deep={$deep|escape}&type={$type|escape:'url'}&parentId={$parentId|escape:'url'}&offset={$prev_offset|escape:'url'}&sort_mode={$sort_mode|escape:'url'}"><<</a> Need escape:'url' on $deep here, this happens at least on lines 198, 223, 229. > <div class="oneresultfreetags"> >-<a href="{$objects[ix].href}" class="searchresultlink">{$objects[ix].name}</a> >+<a href="{$objects[ix].href}" class="searchresultlink">{$objects[ix].name|escape}</a> Looks the href should be escape:'url' here as well?
Attachment #438877 -
Flags: review?(paulc) → review-
|
|
||
Updated•14 years ago
|
Attachment #438878 -
Flags: review?(paulc) → review+
|
|
||
Comment 7•14 years ago
|
||
Comment on attachment 438878 [details] [diff] [review] SQL to fix dynamic content on desktop SQL looks good, tested on both.
|
|
||
Updated•14 years ago
|
Attachment #438879 -
Flags: review?(paulc) → review+
|
|
Assignee | |
Comment 8•14 years ago
|
||
The {$objects[ix].href} are paths. URL-encoding will break them.
This fixes all the other spots I missed (I hope).
Attachment #438877 -
Attachment is obsolete: true
Attachment #438906 -
Flags: review?(paulc)
|
|
||
Comment 9•14 years ago
|
||
Comment on attachment 438906 [details] [diff] [review] fixes missed variables Looks good. Didn't see anything this time. ZOMG!
Attachment #438906 -
Flags: review?(paulc) → review+
|
|
Assignee | |
Comment 10•14 years ago
|
||
r65786 on the Fennec branch. Filed bug 559239 to run the SQL patches.
|
|
Assignee | |
Updated•14 years ago
|
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Comment 11•14 years ago
|
||
Thanks. Marked for retest in sentinel.
Loading https://mobile-support-stage.mozilla.com/%E2%80%8Btiki-browse_categories.php?%E2%80%8BparentId=%3Cwhscheck%3E&%E2%80%8Bwatch_event=category_changed&%E2%80%8Bwatch_object=11&%E2%80%8Bdeep=off&%E2%80%8Bwatch_action=add gives me a 404; is that intended? Ditto for https://mobile-support-stage.mozilla.com/%E2%80%8Btiki-browse_categories.php?%E2%80%8Blocale=en-US&%E2%80%8Bfind=&%E2%80%8Bdeep=off&%E2%80%8Btype=&%E2%80%8BparentId=%3Cwhscheck%3E&%E2%80%8Boffset=10&%E2%80%8Bsort_mode=name_asc.
|
|
Assignee | |
Comment 13•14 years ago
|
||
(In reply to comment #11) > Thanks. Marked for retest in sentinel. This will only update to stage automatically. Sentinel only tests the production sites. As this is an undisclosed vulnerability, can we way to push the fix to production until our planned release date (the 22nd)?
|
|
Assignee | |
Comment 14•14 years ago
|
||
Stephen: remove the "%E2%80%8B" strings from the URLs.
|
|
||
Comment 15•14 years ago
|
||
We'd really prefer the fix to be pushed live as soon as possible. Its great that we found these 3 issues before anyone outside did. Let's close off the gap and get this pushed live. Also, I'd like to reopen this bug and only mark it resolved when the XSS is confirmed fixed in the production version. That way it doesn't slip off the radar.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Comment 16•14 years ago
|
||
We close bugs when they're fixed on staging, and we don't push changes to production until QA marks a bug as VERIFIED--which they can't do if it's open. Once QA verifies all three bugs, I'll file an IT request to push the mobile changes immediately.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
|
|
||
Comment 17•14 years ago
|
||
Sounds good. Sorry for propagating my mistake across all the XSS bugs. We'll keep our eye out and retest the issue after we see the issue has been pushed to prod. Thanks!
Ok, I think this looks good on https://mobile-support-stage.mozilla.com/tiki-browse_categories.php?parentId=%3Cwhscheck%3E&watch_event=category_changed&watch_object=11&deep=off&watch_action=add. Verified FIXED.
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Updated•14 years ago
|
Group: websites-security
|
||
Comment 19•11 years ago
|
||
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
You need to log in
before you can comment on or make changes to this bug.
Description
•