Note: This is not a dup of bug 559172, though the page name is similar Issue A reflected cross site scripting vulnerability is present within https://mobile.support.mozilla.com/tiki-file_galleries.php?offset=0&galleryId=%22whscheck%3D%22whscheck&sort_mode=hits_desc. Data accepted from the user via URL parameters are returned within the HTML response without appropriate HTML encoding. Note: Tiki-wiki using blacklist filtering to make XSS attacks difficult; however, this filtering should not be relied upon to prevent all XSS variations. The root cause identified in this bug needs to be fixed. Recommended Remediation The primary recommendation is to perform HTML entity encoding on any user supplied data that is returned within the HTML response. In this case, the data obtained from the "galleryId" URL parameter. In addition, perform input validation against the file_find field to limit the types of characters which are accepted by the application. Utilize a positive approach where acceptable character types are defined. If data does not match this "positive" filter then the entire data string is rejected. Proof of Concept 1. Login with a valid account 2. Follow the url below https://mobile.support.mozilla.com/tiki-file_galleries.php?offset=0&galleryId=%22whscheck%3D%22whscheck&sort_mode=hits_desc 3. View the source of the page and observe that the user supplied data has broken out of the href attribute. e.g. <a class="pagetitle" href="/tiki-file_galleries.php?galleryId="whscheck="whscheck">File Galleries</a> An attacker can refine the input to inject a XSS attack.
Assignee: nobody → paulc
Target Milestone: --- → 1.5.4
Created attachment 438915 [details] [diff] [review] escape in affected templates It's happy-escape-day today!
Attachment #438915 - Flags: review?(james)
Comment on attachment 438915 [details] [diff] [review] escape in affected templates WFM. Thanks for the iterations!
Attachment #438915 - Flags: review?(james) → review+
r65794 (fennec branch)
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Thanks! Marking for retest in Sentinel.
Loading https://mobile-support-stage.mozilla.com/tiki-file_galleries.php?offset=0&galleryId=%22whscheck%3D%22whscheck&sort_mode=hits_desc while logged in, and grepping the source, I see: <input type="hidden" name="galleryId" value=""whscheck="whscheck" />
(In reply to comment #4) > Thanks! Marking for retest in Sentinel. This change has only been pushed to our staging server. See my comments in bug 556544.
Reopening bug. Will close when fix is confirmed in production.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
We don't push to production until it's VERIFIED.
Status: REOPENED → RESOLVED
Last Resolved: 9 years ago → 9 years ago
Resolution: --- → FIXED
Verified FIXED; see comment 5.
Status: RESOLVED → VERIFIED
Whiteboard: [WH-3745740] → [WH-3745740] [infrasec:xss]
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
These bugs are all resolved, so I'm removing the security flag from them.
You need to log in before you can comment on or make changes to this bug.