Bug 559214 (WH-3745740)

Reflected XSS on tiki-file_galleries.php due to lack of Output Encoding

VERIFIED FIXED in 1.5.4

Status

Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 9 years ago
Modified: 3 years ago

People

Reporter: mcoates
Assignee: paulc

Tracking

Keywords: wsec-xss
Version: unspecified
Target Milestone: 1.5.4

Details

Whiteboard: [WH-3745740] [infrasec:xss]

Note: This is not a dup of bug 559172, though the page name is similar

Issue

A reflected cross-site scripting vulnerability is present within
https://mobile.support.mozilla.com/tiki-file_galleries.php?offset=0&galleryId=%22whscheck%3D%22whscheck&sort_mode=hits_desc.
Data accepted from the user via URL parameters is returned within the HTML
response without appropriate HTML encoding. Note: Tiki-wiki uses blacklist
filtering to make XSS attacks difficult; however, this filtering should not be
relied upon to prevent all XSS variations. The root cause identified in this
bug needs to be fixed.

Recommended Remediation

The primary recommendation is to perform HTML entity encoding on any
user-supplied data that is returned within the HTML response. In this case,
that is the data obtained from the "galleryId" URL parameter.

In addition, perform input validation against the file_find field to limit
the types of characters which are accepted by the application. Utilize a
positive approach where acceptable character types are defined. If data does
not match this "positive" filter, then the entire data string is rejected.


Proof of Concept

1. Log in with a valid account.
2. Follow the URL below:

https://mobile.support.mozilla.com/tiki-file_galleries.php?offset=0&galleryId=%22whscheck%3D%22whscheck&sort_mode=hits_desc

3. View the source of the page and observe that the user-supplied data has
broken out of the href attribute, e.g.:

<a class="pagetitle" href="/tiki-file_galleries.php?galleryId="whscheck="whscheck">File Galleries</a>

An attacker can refine the input to inject an XSS attack.
Assignee: nobody → paulc
Target Milestone: --- → 1.5.4
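The remediation recommended in the report, worked through as an added example that is not part of this bug or of Tiki's own code. Tiki's actual fix (attachment 438915) escapes the value in the affected Smarty templates; the Python below illustrates the same principle against a hypothetical template string: the PoC value interpolated into an href attribute with no output encoding, the entity-encoded form of the same value, a positive (allowlist) filter for galleryId, and a retest check that reads the href back the way a browser tokeniser would. The function names, the regex, and the error markup are assumptions made for the illustration.

```python
import html
import re
from typing import Optional

# Constructed from the bug's proof of concept: the galleryId URL parameter
# after URL-decoding "%22whscheck%3D%22whscheck".
POC_PAYLOAD = '"whscheck="whscheck'

LINK_PREFIX = '<a class="pagetitle" href="/tiki-file_galleries.php?galleryId='
LINK_SUFFIX = '">File Galleries</a>'


def render_vulnerable(gallery_id: str) -> str:
    """Reproduces the defect (hypothetical template, not Tiki's own): the
    parameter is interpolated into an href attribute with no output
    encoding, so a double quote in it terminates the attribute early."""
    return LINK_PREFIX + gallery_id + LINK_SUFFIX


def attr_encode(value: str) -> str:
    """HTML entity encoding for an attribute value: &, <, >, " and ' are all
    replaced, so the value can never close the surrounding quotes."""
    return html.escape(value, quote=True)


def render_fixed(gallery_id: str) -> str:
    """Same markup with the user-supplied value entity-encoded on output."""
    return LINK_PREFIX + attr_encode(gallery_id) + LINK_SUFFIX


# Positive filter: a gallery id is a short run of digits and nothing else.
GALLERY_ID_RE = re.compile(r"^[0-9]{1,10}$")


def validate_gallery_id(raw: str) -> Optional[int]:
    """Allowlist input validation. Anything that does not match the positive
    pattern is rejected outright rather than sanitised; returns the parsed
    id, or None when the value is rejected."""
    if GALLERY_ID_RE.match(raw) is None:
        return None
    return int(raw)


def render_request(raw_gallery_id: str) -> str:
    """Defence in depth: reject malformed ids before they reach the template,
    and still encode on output regardless of validation."""
    gallery_id = validate_gallery_id(raw_gallery_id)
    if gallery_id is None:
        return '<p class="error">Invalid gallery id</p>'
    return render_fixed(str(gallery_id))


def extract_href(rendered: str) -> str:
    """Retest check: read the href back as a browser tokeniser does, i.e. the
    value ends at the first double quote. A truncated value means the
    payload escaped the attribute."""
    match = re.search(r'href="([^"]*)"', rendered)
    return match.group(1) if match else ""


def breaks_out_of_attribute(rendered: str, raw_value: str) -> bool:
    """True when the raw, unencoded payload appears verbatim in the response;
    if it only reached the page entity-encoded, the boundary held."""
    return raw_value in rendered


if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(POC_PAYLOAD)),
                        ("fixed", render_fixed(POC_PAYLOAD))):
        print(f"{label}: href={extract_href(page)!r} "
              f"breakout={breaks_out_of_attribute(page, POC_PAYLOAD)}")
    print("validated:", validate_gallery_id(POC_PAYLOAD), validate_gallery_id("12"))
```

Run against the PoC value, the vulnerable template yields an href that stops at `galleryId=` with the remainder spilling into the tag, while the encoded form keeps the whole value inside the attribute; the allowlist rejects the payload before rendering is reached at all.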
Comment 1 (Assignee)

9 years ago

Created attachment 438915: escape in affected templates

It's happy-escape-day today!

Attachment #438915 - Flags: review?(james)
Comment 2

9 years ago

Comment on attachment 438915: escape in affected templates

WFM. Thanks for the iterations!

Attachment #438915 - Flags: review?(james) → review+
Comment 3 (Assignee)

9 years ago

r65794 (fennec branch)

Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Comment 4

9 years ago

Thanks! Marking for retest in Sentinel.
Comment 5

9 years ago

Loading https://mobile-support-stage.mozilla.com/tiki-file_galleries.php?offset=0&galleryId=%22whscheck%3D%22whscheck&sort_mode=hits_desc
while logged in, and grepping the source, I see:

<input type="hidden" name="galleryId" value="&quot;whscheck=&quot;whscheck" />
Comment 6

9 years ago

(In reply to comment #4)
> Thanks! Marking for retest in Sentinel.

This change has only been pushed to our staging server. See my comments in bug 556544.
Reopening bug. Will close when fix is confirmed in production.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 7

9 years ago

We don't push to production until it's VERIFIED.

Status: REOPENED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Comment 8

9 years ago

Verified FIXED; see comment 5.

Status: RESOLVED → VERIFIED
Whiteboard: [WH-3745740] → [WH-3745740] [infrasec:xss]
Alias: WH-3745740
Comment 9

Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.

Keywords: wsec-xss
Comment 10

These bugs are all resolved, so I'm removing the security flag from them.

Group: websites-security