Closed Bug 598702 Opened 14 years ago Closed 13 years ago

Escaping Needed to Prevent Stored XSS via Django's CSRF Token

Categories

(addons.mozilla.org Graveyard :: Add-on Builder, defect)

Product:
addons.mozilla.org Graveyard
Component:
Add-on Builder
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mcoates, Assigned: zalun)

References

Details

(Keywords: wsec-xss, Whiteboard: [infrasec:xss]) 

This issue has been addressed in many Mozilla sites. A patch is already available at mozilla and a patch has been issued by django (see link below)

Issue

Django's CSRF defense contains a flaw which allows cross site scripting attacks via the CSRF cookie.  This issue is being tracked by django here: http://code.djangoproject.com/ticket/14032. 

This attack could be launched from a subdomain or from a man in the middle attack via cookie forcing. This would allow an attacker to inject a stored XSS attack within the victim's browser. The XSS would fire anytime the victim visits a form using DJANGO's csrf controls within a valid domain for the infected cookie. 


Recommended Resolution

This is a publicly disclosed XSS vulnerability and will need to be resolved on our end as soon as possible. The recommended solution is to modify all uses of django's CSRF defense and remove the "safe" flag. This will ensure that DJANGO safely displays the CSRF token within the HTTP response.  

Note: The attacker does not need access to the django components in order to launch this attack. Once the victim's cookie is infected the attack will launch whenever the victim access the page. Therefore, restricted pages, such as those protected by LDAP auth, or equally vulnerable to attack.
Whiteboard: [infrasec:xss]
Target Milestone: -- → 1.0
This looks like it's fixed in Django itself
(In reply to comment #1)
> This looks like it's fixed in Django itself

Flightdeck isn't running off Django trunk - you're saying this is fixed in our version?  mcoates, can you retest?
Target Milestone: 1.0 → 0.6
Assignee: nobody → zaloon
safe_csrf_token created and used on login page.
Do you think it would be enough to repeat this for every template using csrf?

https://github.com/mozilla/FlightDeck/commit/95466af1b5b67a2fe7c039f718e0174d1a11b441
Status: NEW → ASSIGNED
If you can just override csrf_token there won't be mistakes when people don't know about the new version, and when django is upgraded, it will continue to work for free
I know - but it's a defaulttag - is it simple to do?
I assume if you load it further down the line than django's helpers it will work fine, but I don't know.  I haven't done much with the built-in templating.
This is done using safe_scrf tag - we don't use any automated templates - safe
Wil, if you agree - please close the bug
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Just tested this, its still vulnerable. Has the fix been pushed?

Steps to reproduce:
Update cookie to following value:
  Cookie: csrftoken="d93f275d7'><script>alert(1)</script>";
Browse to 
  https://builder.mozillalabs.com/user/signin/
See alert popup box
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
builder.mozillalabs.com is still using old version of the site
please check on staging server https://builder-addons.allizom.org or trunk server http://flightdeck.zalewa.info
Group: webtools-security
Component: FlightDeck → Add-on Builder
Product: Mozilla Labs → addons.mozilla.org
Target Milestone: 0.6 → ---
QA Contact: flightdeck → add-on-builder
I'm going to assume that this bug is no longer valid, and close it.

If I misjudged this, please reopen the bug. :)
Status: REOPENED → RESOLVED
Closed: 14 years ago13 years ago
Resolution: --- → FIXED
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.