Closed
Bug 598702
Opened 14 years ago
Closed 13 years ago
Escaping Needed to Prevent Stored XSS via Django's CSRF Token
Categories
(addons.mozilla.org Graveyard :: Add-on Builder, defect)
addons.mozilla.org Graveyard
Add-on Builder
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mcoates, Assigned: zalun)
References
Details
(Keywords: wsec-xss, Whiteboard: [infrasec:xss])
This issue has been addressed in many Mozilla sites. A patch is already available at mozilla and a patch has been issued by django (see link below) Issue Django's CSRF defense contains a flaw which allows cross site scripting attacks via the CSRF cookie. This issue is being tracked by django here: http://code.djangoproject.com/ticket/14032. This attack could be launched from a subdomain or from a man in the middle attack via cookie forcing. This would allow an attacker to inject a stored XSS attack within the victim's browser. The XSS would fire anytime the victim visits a form using DJANGO's csrf controls within a valid domain for the infected cookie. Recommended Resolution This is a publicly disclosed XSS vulnerability and will need to be resolved on our end as soon as possible. The recommended solution is to modify all uses of django's CSRF defense and remove the "safe" flag. This will ensure that DJANGO safely displays the CSRF token within the HTTP response. Note: The attacker does not need access to the django components in order to launch this attack. Once the victim's cookie is infected the attack will launch whenever the victim access the page. Therefore, restricted pages, such as those protected by LDAP auth, or equally vulnerable to attack.
Reporter | ||
Updated•14 years ago
|
Whiteboard: [infrasec:xss]
Updated•14 years ago
|
Target Milestone: -- → 1.0
Assignee | ||
Comment 1•14 years ago
|
||
This looks like it's fixed in Django itself
Comment 2•14 years ago
|
||
(In reply to comment #1) > This looks like it's fixed in Django itself Flightdeck isn't running off Django trunk - you're saying this is fixed in our version? mcoates, can you retest?
Updated•14 years ago
|
Target Milestone: 1.0 → 0.6
Updated•14 years ago
|
Assignee: nobody → zaloon
Assignee | ||
Comment 3•14 years ago
|
||
safe_csrf_token created and used on login page. Do you think it would be enough to repeat this for every template using csrf? https://github.com/mozilla/FlightDeck/commit/95466af1b5b67a2fe7c039f718e0174d1a11b441
Status: NEW → ASSIGNED
Comment 4•14 years ago
|
||
If you can just override csrf_token there won't be mistakes when people don't know about the new version, and when django is upgraded, it will continue to work for free
Assignee | ||
Comment 5•14 years ago
|
||
I know - but it's a defaulttag - is it simple to do?
Comment 6•14 years ago
|
||
I assume if you load it further down the line than django's helpers it will work fine, but I don't know. I haven't done much with the built-in templating.
Assignee | ||
Comment 7•14 years ago
|
||
This is done using safe_scrf tag - we don't use any automated templates - safe Wil, if you agree - please close the bug
Updated•14 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 8•14 years ago
|
||
Just tested this, its still vulnerable. Has the fix been pushed? Steps to reproduce: Update cookie to following value: Cookie: csrftoken="d93f275d7'><script>alert(1)</script>"; Browse to https://builder.mozillalabs.com/user/signin/ See alert popup box
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 9•14 years ago
|
||
builder.mozillalabs.com is still using old version of the site please check on staging server https://builder-addons.allizom.org or trunk server http://flightdeck.zalewa.info
Updated•14 years ago
|
Group: webtools-security
Component: FlightDeck → Add-on Builder
Product: Mozilla Labs → addons.mozilla.org
Target Milestone: 0.6 → ---
Updated•14 years ago
|
QA Contact: flightdeck → add-on-builder
I'm going to assume that this bug is no longer valid, and close it. If I misjudged this, please reopen the bug. :)
Status: REOPENED → RESOLVED
Closed: 14 years ago → 13 years ago
Resolution: --- → FIXED
Comment 11•11 years ago
|
||
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Updated•10 years ago
|
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•