Closed Bug 559214 (WH-3745740) Opened 15 years ago Closed 15 years ago

Reflected XSS on tiki-file_galleries.php due to lack of Output Encoding

Categories

(support.mozilla.org :: Mobile, task)

Product:
support.mozilla.org
Component:
Mobile
Type:
task
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: mcoates, Assigned: paulc)

References

(
URL
)

Details

(Keywords: wsec-xss, Whiteboard: [WH-3745740] [infrasec:xss])

Attachments

(1 file)

escape in affected templates
20.36 KB, patch
jsocol
: review+
Details | Diff | Splinter Review
Note: This is not a dup of bug 559172, though the page name is similar Issue A reflected cross site scripting vulnerability is present within https://mobile.support.mozilla.com/tiki-file_galleries.php?offset=0&galleryId=%22whscheck%3D%22whscheck&sort_mode=hits_desc. Data accepted from the user via URL parameters are returned within the HTML response without appropriate HTML encoding. Note: Tiki-wiki using blacklist filtering to make XSS attacks difficult; however, this filtering should not be relied upon to prevent all XSS variations. The root cause identified in this bug needs to be fixed. Recommended Remediation The primary recommendation is to perform HTML entity encoding on any user supplied data that is returned within the HTML response. In this case, the data obtained from the "galleryId" URL parameter. In addition, perform input validation against the file_find field to limit the types of characters which are accepted by the application. Utilize a positive approach where acceptable character types are defined. If data does not match this "positive" filter then the entire data string is rejected. Proof of Concept 1. Login with a valid account 2. Follow the url below https://mobile.support.mozilla.com/tiki-file_galleries.php?offset=0&galleryId=%22whscheck%3D%22whscheck&sort_mode=hits_desc 3. View the source of the page and observe that the user supplied data has broken out of the href attribute. e.g. <a class="pagetitle" href="/tiki-file_galleries.php?galleryId="whscheck="whscheck">File Galleries</a> An attacker can refine the input to inject a XSS attack.
Assignee: nobody → paulc
Target Milestone: --- → 1.5.4
It's happy-escape-day today!
Attachment #438915 - Flags: review?(james)
Comment on attachment 438915 [details] [diff] [review] escape in affected templates WFM. Thanks for the iterations!
Attachment #438915 - Flags: review?(james) → review+
r65794 (fennec branch)
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Thanks! Marking for retest in Sentinel.
Loading https://mobile-support-stage.mozilla.com/tiki-file_galleries.php?offset=0&galleryId=%22whscheck%3D%22whscheck&sort_mode=hits_desc while logged in, and grepping the source, I see: <input type="hidden" name="galleryId" value="&quot;whscheck=&quot;whscheck" />
(In reply to comment #4) > Thanks! Marking for retest in Sentinel. This change has only been pushed to our staging server. See my comments in bug 556544.
Reopening bug. Will close when fix is confirmed in production.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
We don't push to production until it's VERIFIED.
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED
Verified FIXED; see comment 5.
Status: RESOLVED → VERIFIED
Whiteboard: [WH-3745740] → [WH-3745740] [infrasec:xss]
Alias: WH-3745740
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: