Closed Bug 606523 Opened 14 years ago Closed 14 years ago

Yahoo YUI component XSS Vulnerability in .swf files

Categories

(Websites :: Other, defect)

defect
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mcoates, Unassigned)

References

Details

(Keywords: meta, wsec-xss, Whiteboard: [infrasec:xss])

Attachments

(4 files)

Note: This vulnerability has not been publicly released by Yahoo. Treat this as confidential and do not discuss this issue in any other channels prior to Yahoo's release of 2.8.2 (expected on Monday 10/25/2010).

This will serve as a tracker bug for resolving all Mozilla web sites that are vulnerable to the YUI XSS vulnerability.

--Details--

Vulnerable Software: YUI 2.4.0 - 2.8.1 
Vulnerable Files:
YUI 2 .swf files

/build/charts/assets/charts.swf 
/build/uploader/assets/uploader.swf
/build/swfstore/swfstore.swf 

A listing of vulnerable files, by version, is listed at the end of this bug along with the MD5 sum of the vulnerable file.


Remediation:
A patch is available for each YUI version. I will upload these patches to the individual bugs based on the running version of YUI.


Specific Vulnerable Files

yui 2.4.0	
File: /build/charts/assets/charts.swf 	
MD5: 329254385eaa6d9c24da093d70680dd9 

yui 2.4.1	
File: /build/charts/assets/charts.swf 	
MD5: 57bec7baafc946b62eab55bd97857653 

yui 2.5.0	
File: /build/charts/assets/charts.swf 	
MD5: 7571ff3667b3b1a39d1f93faccf5a9cc 
File: /build/uploader/assets/uploader.swf 	
MD5: 90a9b50f35961f45b705966736466485 

yui 2.5.1	
File: /build/charts/assets/charts.swf 	
MD5: 7571ff3667b3b1a39d1f93faccf5a9cc 
File: /build/uploader/assets/uploader.swf 	
MD5: 85c7520f4580aaf5bdba1d428121099d 

yui 2.5.2	
File: /build/charts/assets/charts.swf 	
MD5: 8a3a3c628eb8c2b2829ccce65ba33075 
File: /build/uploader/assets/uploader.swf 	
MD5: 85c7520f4580aaf5bdba1d428121099d 

yui 2.6.0	
File: /build/charts/assets/charts.swf 	
MD5: 33eb7bfcf62d02e7d79ffbaaceb9a603 
File: /build/uploader/assets/uploader.swf 	
MD5: bf36d6b72f172e758986292ffe6ccecf 

yui 2.7.0	
File: /build/charts/assets/charts.swf 	
MD5: 8890bf87a83994c857ae3fa4eea97de2 
File: /build/uploader/assets/uploader.swf 	
MD5: 02e3dab263ab0ed0d2a30bba9e091d96 

yui 2.8.0	
File: /build/charts/assets/charts.swf 	
MD5: 59c6e2c9ae7de87f11dd3db3336de8b6 
File: /build/uploader/assets/uploader.swf 	
MD5: 52f36a13ac4ee2743531de3e29c0b55c 
File: /build/swfstore/swfstore.swf 	
MD5: f619420748b08a2d453c049ef190e2f3 

yui 2.8.1 PR1	
File: /build/charts/assets/charts.swf 	
MD5: 59c6e2c9ae7de87f11dd3db3336de8b6 
File: /build/uploader/assets/uploader.swf 	
MD5: eeb5aa24c17afae286845bedb142da28 
File: /build/swfstore/swfstore.swf 	
MD5: f619420748b08a2d453c049ef190e2f3 

yui 2.8.1	
File: /build/charts/assets/charts.swf 	
MD5: 59c6e2c9ae7de87f11dd3db3336de8b6 
File: /build/uploader/assets/uploader.swf 	
MD5: eeb5aa24c17afae286845bedb142da28 
File: /build/swfstore/swfstore.swf 	
MD5: f619420748b08a2d453c049ef190e2f3

Note:

"If your site loads YUI 2 from Yahoo's CDN (yui.yahooapis.com) or from Google's CDN (ajax.googleapis.com), and the files are not hosted on your own domain, you are not affected."
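The check a site owner would want while working through this tracker is a scan of a checkout for the listed .swf files, comparing each file's MD5 against the per-version table above. The script below is an added example and is not Mozilla's or Yahoo's code: it embeds the hashes from this bug description, walks a directory tree, flags exact matches as vulnerable, and reports a YUI file name with an unrecognised hash for manual review rather than silently passing it (a locally rebuilt or renamed copy would not match any hash). The demo builds a constructed tree in a temporary directory; the stand-in bytes for charts.swf are constructed, so their hash is added to a copy of the table only for the demonstration and is not a real YUI hash.

```python
"""Added example: scan a checkout for the vulnerable YUI 2 .swf files.

Not Mozilla's or Yahoo's code. It embeds the version/file/MD5 table from
the bug description and reports every .swf under a root directory.
"""
import hashlib
import os
import tempfile

# MD5 sums of the vulnerable YUI 2 SWF files, copied from the bug description.
# The same build shipped in several releases, so one hash may cover many versions.
VULNERABLE_MD5S = {
    "329254385eaa6d9c24da093d70680dd9": "charts.swf (yui 2.4.0)",
    "57bec7baafc946b62eab55bd97857653": "charts.swf (yui 2.4.1)",
    "7571ff3667b3b1a39d1f93faccf5a9cc": "charts.swf (yui 2.5.0, 2.5.1)",
    "90a9b50f35961f45b705966736466485": "uploader.swf (yui 2.5.0)",
    "85c7520f4580aaf5bdba1d428121099d": "uploader.swf (yui 2.5.1, 2.5.2)",
    "8a3a3c628eb8c2b2829ccce65ba33075": "charts.swf (yui 2.5.2)",
    "33eb7bfcf62d02e7d79ffbaaceb9a603": "charts.swf (yui 2.6.0)",
    "bf36d6b72f172e758986292ffe6ccecf": "uploader.swf (yui 2.6.0)",
    "8890bf87a83994c857ae3fa4eea97de2": "charts.swf (yui 2.7.0)",
    "02e3dab263ab0ed0d2a30bba9e091d96": "uploader.swf (yui 2.7.0)",
    "59c6e2c9ae7de87f11dd3db3336de8b6": "charts.swf (yui 2.8.0, 2.8.1 PR1, 2.8.1)",
    "52f36a13ac4ee2743531de3e29c0b55c": "uploader.swf (yui 2.8.0)",
    "f619420748b08a2d453c049ef190e2f3": "swfstore.swf (yui 2.8.0, 2.8.1 PR1, 2.8.1)",
    "eeb5aa24c17afae286845bedb142da28": "uploader.swf (yui 2.8.1 PR1, 2.8.1)",
}

# Names of the affected components: an unknown hash under one of these names
# still deserves a manual look (a locally rebuilt or patched copy, for example).
YUI_SWF_NAMES = {"charts.swf", "uploader.swf", "swfstore.swf"}


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large assets are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, vulnerable=VULNERABLE_MD5S):
    """Return sorted (relative path, md5, status) for every .swf under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".swf"):
                continue
            path = os.path.join(dirpath, name)
            digest = md5_of_file(path)
            if digest in vulnerable:
                status = "VULNERABLE: " + vulnerable[digest]
            elif name.lower() in YUI_SWF_NAMES:
                status = "UNKNOWN HASH: YUI component name, review manually"
            else:
                status = "not a listed YUI component"
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, digest, status))
    return sorted(findings)


# Constructed bytes standing in for a vulnerable charts.swf. The real build is
# not reproduced here, so demo() adds this hash to a copy of the table.
CONSTRUCTED_CHARTS = b"FWS constructed stand-in for charts.swf"


def demo():
    """Build a constructed checkout with three .swf files and scan it."""
    root = tempfile.mkdtemp(prefix="yui-scan-")
    samples = {
        "build/charts/assets/charts.swf": CONSTRUCTED_CHARTS,
        "build/uploader/assets/uploader.swf": b"FWS some other uploader build",
        "js/banner.swf": b"FWS unrelated flash asset",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    table = dict(VULNERABLE_MD5S)
    table[hashlib.md5(CONSTRUCTED_CHARTS).hexdigest()] = "constructed sample build"
    return scan_tree(root, table)


if __name__ == "__main__":
    for rel, digest, status in demo():
        print(f"{rel}\t{digest}\t{status}")
```

Run `scan_tree("/path/to/site")` against a real checkout to get the report; an exact-match hash list is a floor, not a ceiling, which is why the name-based "UNKNOWN HASH" row exists. Copies served only from yui.yahooapis.com or ajax.googleapis.com never appear in the tree and, per the note above, are not affected.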
All, working with justdave to fix bmo. Any other instances of YUI on our websites anywhere?
Alias: [meta]
Component: www.mozilla.org → Other
Keywords: meta
QA Contact: www-mozilla-org → other
Summary: Yahoo YUI component XSS Vulnerability in .swf files - Tracker → Yahoo YUI component XSS Vulnerability in .swf files
Whiteboard: [infrasec:xss]
(In reply to comment #2)
> Any other instances of YUI on our websites anywhere?

mozilla.com used to have YUI. Not sure if it still does. Might be others, too.
11:24 <morgamic> i ran a grep on mozilla.com
11:24 <morgamic> no results
mozilla.com does use YUI 2.3.0 and 2.7.0:
http://viewvc.svn.mozilla.org/vc/projects/mozilla.com/tags/production/js/yui/

I do not have all mozilla repos to grep them, but I know of these sites with YUI:
mozilla.com
mozillamessaging.com
mozilla-europe.org
mozillaonline.com

We currently use 2.7.0 but used 2.5.1 and 2.3.0 in the past for those sites.


YUI is a library we often use for sites in collaboration with Silverorange, so they may know better which sites they built for us that used YUI. Is it OK to CC Stephen Garrity from Silverorange on this bug to ask him if he knows of other sites we built with it?

Also, for some of the sites, we have branches with a staging site (like the nova branch for Firefox 4 redesign) that should be fixed as well.
> is it ok to
> CC Stephen Garrity from Silverorange on this bug to ask him if he knows of

Let's wait until after the public release to copy in any other companies. For now we will patch what we know we have and then follow up again on Monday.
Michael, can you upload to this bug the patches for the 2.3.0, 2.5.1 and 2.7.0 versions? I should be able to fix all of the above sites now (except mozillamessaging, where I don't have commit rights on their stage/production tags).
Files updated. 2.3.0 is actually too old to be vulnerable.
mozilla-europe.org updated (trunk and prod)
mozilla.com updated (trunk, stage and prod)
mozillamessaging.com updated on trunk
CCing Sancus for Mozillamessaging, he will take care of pushing to production
I patched mozillaonline.com/branches/firefox3 (probably unused today), trunk and production only have a subset of YUI 2.51 without the flash files
(In reply to comment #4)
> 11:24 <morgamic> i ran a grep on mozilla.com
> 11:24 <morgamic> no results

[morgamic@khan mozilla.com]$ find . | grep swfstore.swf
[morgamic@khan mozilla.com]$ 

I was under the impression that swfstore.swf was the file to look for, but may have been mistaken.
Yeah... that was because those were the bz files identified.  My bad.
mozilla.com 'nova' branch patched
For the record, here is the list of my commits:
r76143 	projects/mozilla.com/branches/nova/
r76132 	projects/mozillaonline.com/branches/firefox3/
r76129 	mozillamessaging.com/sites/mozillamessaging.com/trunk/ 
r76128 	projects/mozilla.com/tags/production/
r76126 	projects/mozilla.com/tags/stage/
r76125 	projects/mozilla.com/trunk/
r76123 	projects/mozilla-europe.org/tags/production/
r76120 	projects/mozilla-europe.org/trunk/
r76138 was mozillamessaging.com production update, also
Depends on: 606618
Michael, does this issue (the global YUI .swf XSS issue, not Mozilla-specific) have a CVE assigned yet? If not, I can get one.
Reed, 

I'm not sure if a CVE exists yet, but I think it's best to let Yahoo take the lead on that for now. They decided to give us a heads up on the issue so we could patch prior to this issue being released publicly.

They'll be releasing this publicly with version 2.8.2 (expected on Monday). After that we can talk with them more about the CVE (if it's not mentioned).
You generally want a CVE assigned *before* you release so people can easily track it. This is why I'm curious if Yahoo! has one already or if they need one.
Yahoo's too big to not be able to get their own I suspect :)  They probably just forgot to tell us what it was when they sent the heads-up.

bugzilla.mozilla.org is updated:
http://bzr.mozilla.org/bmo/3.6/revision/7205

It's deploying to production now, might be 5 or 10 minutes before it shows up.
Blocking issues addressed. Closing this meta bug.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Group: websites-security
Status: RESOLVED → VERIFIED
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
Depends on: 890623