Bug 606523 (Closed)
Opened 14 years ago
Closed 14 years ago
Yahoo YUI component XSS Vulnerability in .swf files
Categories: Websites :: Other, defect
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: mcoates, Unassigned
Keywords: meta, wsec-xss; Whiteboard: [infrasec:xss]
Attachments: 4 files
Note: This vulnerability has not been publicly released by Yahoo. Treat this as confidential and do not discuss this issue in any other channels prior to Yahoo's release of 2.8.2 (expected on Monday 10/25/2010).

This will serve as a tracker bug for resolving all Mozilla web sites that are vulnerable to the YUI XSS vulnerability.

--Details--

Vulnerable Software: YUI 2.4.0 - 2.8.1

Vulnerable Files: YUI 2 .swf files
  /build/charts/assets/charts.swf
  /build/uploader/assets/uploader.swf
  /build/swfstore/swfstore.swf

A listing of vulnerable files, by version, is listed at the end of this bug along with the MD5 sum of the vulnerable file.

Remediation: A patch is available for each YUI version. I will upload these patches to the individual bugs based on the running version of YUI.

Specific Vulnerable Files

yui 2.4.0
  File: /build/charts/assets/charts.swf      MD5: 329254385eaa6d9c24da093d70680dd9
yui 2.4.1
  File: /build/charts/assets/charts.swf      MD5: 57bec7baafc946b62eab55bd97857653
yui 2.5.0
  File: /build/charts/assets/charts.swf      MD5: 7571ff3667b3b1a39d1f93faccf5a9cc
  File: /build/uploader/assets/uploader.swf  MD5: 90a9b50f35961f45b705966736466485
yui 2.5.1
  File: /build/charts/assets/charts.swf      MD5: 7571ff3667b3b1a39d1f93faccf5a9cc
  File: /build/uploader/assets/uploader.swf  MD5: 85c7520f4580aaf5bdba1d428121099d
yui 2.5.2
  File: /build/charts/assets/charts.swf      MD5: 8a3a3c628eb8c2b2829ccce65ba33075
  File: /build/uploader/assets/uploader.swf  MD5: 85c7520f4580aaf5bdba1d428121099d
yui 2.6.0
  File: /build/charts/assets/charts.swf      MD5: 33eb7bfcf62d02e7d79ffbaaceb9a603
  File: /build/uploader/assets/uploader.swf  MD5: bf36d6b72f172e758986292ffe6ccecf
yui 2.7.0
  File: /build/charts/assets/charts.swf      MD5: 8890bf87a83994c857ae3fa4eea97de2
  File: /build/uploader/assets/uploader.swf  MD5: 02e3dab263ab0ed0d2a30bba9e091d96
yui 2.8.0
  File: /build/charts/assets/charts.swf      MD5: 59c6e2c9ae7de87f11dd3db3336de8b6
  File: /build/uploader/assets/uploader.swf  MD5: 52f36a13ac4ee2743531de3e29c0b55c
  File: /build/swfstore/swfstore.swf         MD5: f619420748b08a2d453c049ef190e2f3
yui 2.8.1 PR1
  File: /build/charts/assets/charts.swf      MD5: 59c6e2c9ae7de87f11dd3db3336de8b6
  File: /build/uploader/assets/uploader.swf  MD5: eeb5aa24c17afae286845bedb142da28
  File: /build/swfstore/swfstore.swf         MD5: f619420748b08a2d453c049ef190e2f3
yui 2.8.1
  File: /build/charts/assets/charts.swf      MD5: 59c6e2c9ae7de87f11dd3db3336de8b6
  File: /build/uploader/assets/uploader.swf  MD5: eeb5aa24c17afae286845bedb142da28
  File: /build/swfstore/swfstore.swf         MD5: f619420748b08a2d453c049ef190e2f3
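A defender's check for the table above, added here as example code (not from the bug report or from YUI): it walks a locally checked-out web root, picks up all three .swf names the bug lists (not just swfstore.swf) and looks each file's MD5 sum up in the per-version table. It assumes Python 3 and that the .swf files still carry their original names.

```python
"""Scan a web root for the YUI 2 .swf files named in bug 606523 and match their MD5
sums against the per-version table. Example code added to this page; not from the bug."""
import hashlib
import os

# Vulnerable .swf MD5 sums by YUI release, copied from the bug description.
VULNERABLE_SWF = {
    "2.4.0": {"charts.swf": "329254385eaa6d9c24da093d70680dd9"},
    "2.4.1": {"charts.swf": "57bec7baafc946b62eab55bd97857653"},
    "2.5.0": {"charts.swf": "7571ff3667b3b1a39d1f93faccf5a9cc", "uploader.swf": "90a9b50f35961f45b705966736466485"},
    "2.5.1": {"charts.swf": "7571ff3667b3b1a39d1f93faccf5a9cc", "uploader.swf": "85c7520f4580aaf5bdba1d428121099d"},
    "2.5.2": {"charts.swf": "8a3a3c628eb8c2b2829ccce65ba33075", "uploader.swf": "85c7520f4580aaf5bdba1d428121099d"},
    "2.6.0": {"charts.swf": "33eb7bfcf62d02e7d79ffbaaceb9a603", "uploader.swf": "bf36d6b72f172e758986292ffe6ccecf"},
    "2.7.0": {"charts.swf": "8890bf87a83994c857ae3fa4eea97de2", "uploader.swf": "02e3dab263ab0ed0d2a30bba9e091d96"},
    "2.8.0": {"charts.swf": "59c6e2c9ae7de87f11dd3db3336de8b6", "uploader.swf": "52f36a13ac4ee2743531de3e29c0b55c",
              "swfstore.swf": "f619420748b08a2d453c049ef190e2f3"},
    "2.8.1 PR1": {"charts.swf": "59c6e2c9ae7de87f11dd3db3336de8b6", "uploader.swf": "eeb5aa24c17afae286845bedb142da28",
                  "swfstore.swf": "f619420748b08a2d453c049ef190e2f3"},
    "2.8.1": {"charts.swf": "59c6e2c9ae7de87f11dd3db3336de8b6", "uploader.swf": "eeb5aa24c17afae286845bedb142da28",
              "swfstore.swf": "f619420748b08a2d453c049ef190e2f3"},
}

# Invert to md5 -> versions: the same build is shipped unchanged by several releases.
HASH_TO_VERSIONS = {}
for _ver, _files in VULNERABLE_SWF.items():
    for _md5 in _files.values():
        HASH_TO_VERSIONS.setdefault(_md5, []).append(_ver)
SWF_NAMES = {name for files in VULNERABLE_SWF.values() for name in files}


def md5_of(path):
    """Hex MD5 of a file, read in chunks (MD5 is only a fingerprint here, not a security control)."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Return (path, md5, versions) for every charts/uploader/swfstore.swf under root.
    versions lists the releases that shipped exactly this build; an empty list means the
    sum is not in the bug's table (a patched build, or a release the bug does not enumerate)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name in SWF_NAMES:
                path = os.path.join(dirpath, name)
                digest = md5_of(path)
                findings.append((path, digest, HASH_TO_VERSIONS.get(digest, [])))
    return findings
```

A file whose name matches but whose sum is not in the table still deserves a look: the file may have been patched, or it may come from a YUI release the bug does not list.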
Comment 1 (Reporter)•14 years ago
Note: "If your site loads YUI 2 from Yahoo's CDN (yui.yahooapis.com) or from Google's CDN (ajax.googleapis.com), and the files are not hosted on your own domain, you are not affected."
Comment 2 (Reporter)•14 years ago
All, working with justdave to fix bmo. Any other instances of YUI on our websites anywhere?
Updated•14 years ago
Alias: [meta]
Component: www.mozilla.org → Other
Keywords: meta
QA Contact: www-mozilla-org → other
Summary: Yahoo YUI component XSS Vulnerability in .swf files - Tracker → Yahoo YUI component XSS Vulnerability in .swf files
Whiteboard: [infrasec:xss]
Comment 3•14 years ago
(In reply to comment #2)
> Any other instances of YUI on our websites anywhere?

mozilla.com used to have YUI. Not sure if it still does. Might be others, too.
Comment 4 (Reporter)•14 years ago

11:24 <morgamic> i ran a grep on mozilla.com
11:24 <morgamic> no results
Comment 5•14 years ago
mozilla.com does use YUI 2.3.0 and 2.7.0:
http://viewvc.svn.mozilla.org/vc/projects/mozilla.com/tags/production/js/yui/

I do not have all mozilla repos to grep them, but I know of these sites with YUI:
mozilla.com
mozillamessaging.com
mozilla-europe.org
mozillaonline.com

We currently use 2.7.0 but used 2.5.1 and 2.3.0 in the past for those sites.

YUI is a library we often use for sites in collaboration with Silverorange, so they may know better which sites they built for us that used YUI. Is it ok to CC Stephen Garrity from Silverorange on this bug to ask him if he knows of other sites we built with it?

Also, for some of the sites, we have branches with a staging site (like the nova branch for Firefox 4 redesign) that should be fixed as well.
Comment 6 (Reporter)•14 years ago
> is it ok to
> CC Stephen Garrity from Silverorange on this bug to ask him if he knows of
Let's wait until after the public release to copy in any other companies. For now we will patch what we know we have and then follow up again on Monday.
Comment 7•14 years ago
Michael, can you upload to this bug the patches for the 2.3.0, 2.5.1 and 2.7.0 versions? I should be able to fix all of the above sites now (except mozillamessaging, where I don't have commit rights on their stage/production tags).
Comment 8 (Reporter)•14 years ago
Comment 9 (Reporter)•14 years ago
Comment 10 (Reporter)•14 years ago
Comment 11 (Reporter)•14 years ago
Comment 12 (Reporter)•14 years ago

Files updated. 2.3.0 is actually too old to be vulnerable.
Comment 13•14 years ago
mozilla-europe.org updated (trunk and prod)
mozilla.com updated (trunk, stage and prod)
mozillamessaging.com updated on trunk
Comment 14•14 years ago
CCing Sancus for Mozillamessaging; he will take care of pushing to production.
Comment 15•14 years ago
I patched mozillaonline.com/branches/firefox3 (probably unused today); trunk and production only have a subset of YUI 2.51 without the flash files.
Comment 16•14 years ago
(In reply to comment #4)
> 11:24 <morgamic> i ran a grep on mozilla.com
> 11:24 <morgamic> no results

[morgamic@khan mozilla.com]$ find . | grep swfstore.swf
[morgamic@khan mozilla.com]$

I was under the impression that swfstore.swf was the file to look for, but may have been mistaken.
Comment 17•14 years ago
Yeah... that was because those were the bz files identified. My bad.
Comment 18•14 years ago
mozilla.com 'nova' branch patched
Comment 19•14 years ago
for the record, here is the list of my commits:
r76143 projects/mozilla.com/branches/nova/
r76132 projects/mozillaonline.com/branches/firefox3/
r76129 mozillamessaging.com/sites/mozillamessaging.com/trunk/
r76128 projects/mozilla.com/tags/production/
r76126 projects/mozilla.com/tags/stage/
r76125 projects/mozilla.com/trunk/
r76123 projects/mozilla-europe.org/tags/production/
r76120 projects/mozilla-europe.org/trunk/
Comment 20•14 years ago
r76138 was the mozillamessaging.com production update, also.
Comment 21•14 years ago
Michael, does this issue (the global YUI .swf XSS issue, not Mozilla-specific) have a CVE assigned yet? If not, I can get one.
Comment 22 (Reporter)•14 years ago

Reed, I'm not sure if a CVE exists yet, but I think it's best to let Yahoo take the lead on that for now. They decided to give us a heads up on the issue so we could patch prior to this issue being released publicly. They'll be releasing this publicly with version 2.8.2 (expected on Monday). After that we can talk with them more about the CVE (if it's not mentioned).
Comment 23•14 years ago
You generally want a CVE assigned *before* you release so people can easily track it. This is why I'm curious if Yahoo! has one already or if they need one.
Comment 24•14 years ago
Yahoo's too big to not be able to get their own I suspect :) They probably just forgot to tell us what it was when they sent the heads-up.

bugzilla.mozilla.org is updated: http://bzr.mozilla.org/bmo/3.6/revision/7205

It's deploying to production now, might be 5 or 10 minutes before it shows up.
Comment 25 (Reporter)•14 years ago
Blocking issues addressed. Closing this meta bug.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•12 years ago
Group: websites-security
Status: RESOLVED → VERIFIED
Comment 26•11 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss