Closed Bug 606712 Opened 14 years ago Closed 14 years ago

Update User Profile bio_ name field does not properly handle quote character

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect)

defect
Not set
major

Tracking

(Not tracked)

VERIFIED FIXED
5.12.2

People

(Reporter: albinowax, Assigned: jbalogh)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100920 Fedora/3.6.10-1.fc13 Firefox/3.6.10
Build Identifier: Whatever https://addons.mozilla.org is running.

The bio_ name field is not filtered. By editing their POST request, an attacker can insert (8 characters of) arbitrary HTML into their bio edit page. This HTML is not publicly viewable, but since the AMO login function doesn't require a security token an attacker could force a user to log into the attacker's account. Due to the 8 character limit I was not able to make a proof of concept that executed JavaScript but I believe it is exploitable in Internet Explorer, and it may be exploitable in Firefox by someone more proficient.

Reproducible: Always

Steps to Reproduce:
1. Go to https://addons.mozilla.org/en-US/firefox/users/edit#user-profile
2. Run an intercepting proxy (webscarab, tamperdata, etc)
3. Add a description in a new language
4. Hit 'save changes' and intercept the POST request
5. Find
   Content-Disposition: form-data; name="bio_bg"
   and change it to
   Content-Disposition: form-data; name="bio_a"asd
   "
Actual Results:  
Observe that the " is unfiltered in the resulting page, breaking some of the javascript.

Expected Results:  
Encode the " into %22 (or ignore the entire field since it isn't a valid language)

This is the source of the affected area of my profile, after numerous attempts at making a proof of concept. It may be exploitable in IE using ` since it isn't filtered by the textarea field.

<div class="transbox"><textarea name="bio_a" data-locale="a"  rows="10" cols="40" id="trans_bio_a">&lt;!--w&#34; data-locale=&#34;a&#34;&lt;!--w&#34;  rows=&#34;10&#34; cols=&#34;40&#34; id=&#34;trans_bio_a&amp;quot;&amp;lt;!--w&#34;&gt;awtf</textarea></div>
      <div class="transbox"><textarea name="bio_a"<!--w" data-locale="a"<!--w"  rows="10" cols="40" id="trans_bio_a&quot;&lt;!--w">awtf</textarea></div>
      <div class="transbox"><textarea name="bio_aaaaaaaaaa" data-locale="aaaaaaaaaa"  rows="10" cols="40" id="trans_bio_aaaaaaaaaa">awtf</textarea></div>
      <div class="transbox"><textarea name="bio_bg" data-locale="bg"  rows="10" cols="40" id="trans_bio_bg">&lt;a href=&#39;http://google.&#34;com&#39; asd=&#39;y&#39; title=&#39;1oogle&#39;&gt;aa&lt;/a&gt;&lt;b&gt;moo&lt;/b&gt;aaa</textarea></div>

      <div class="transbox"><textarea name="bio_c"asd" data-locale="c"asd"  rows="10" cols="40" id="trans_bio_c&quot;asd">awtf</textarea></div>
      <div class="transbox"><textarea name="bio_en-us" data-locale="en-us"  rows="10" cols="40" id="trans_bio_en-us">&lt;a href=&#39;http://google.com\&#39; asd=&#39;y&#39; title=&#39;2oogle&#39;&gt;aa&lt;/a&gt;&lt;b&gt;moo&lt;/b&gt;aaa</textarea></div>
      <div class="transbox"><textarea name="bio_g�98765432" data-locale="g�98765432"  rows="10" cols="40" id="trans_bio_g�98765432">awtf</textarea></div>
      <div class="transbox"><textarea name="bio_g'" data-locale="g'"  rows="10" cols="40" id="trans_bio_g&#39;">awtf</textarea></div>
      <div class="transbox"><textarea name="bio_g'"g='" data-locale="g'"g='"  rows="10" cols="40" id="trans_bio_g&#39;&quot;g=&#39;">a</textarea></div>
      <div class="transbox"><textarea name="bio_g'%00\x001" data-locale="g'%00\x001"  rows="10" cols="40" id="trans_bio_g&#39;%00\x001">awtf</textarea></div>
      <div class="transbox"><textarea name="bio_g�98765432" data-locale="g�98765432"  rows="10" cols="40" id="trans_bio_g�98765432">awtf</textarea></div>

      <div class="transbox"><textarea name="bio_h'onblur='" data-locale="h'onblur='"  rows="10" cols="40" id="trans_bio_h&#39;onblur=&#39;">*/alert(document.cookie)/*</textarea></div>
      <div class="transbox"><textarea name="bio_i" data-locale="i"  rows="10" cols="40" id="trans_bio_i">a</textarea></div>
      <div class="transbox"><textarea name="bio_i"/*" data-locale="i"/*"  rows="10" cols="40" id="trans_bio_i&quot;/*">a</textarea></div>
      <div class="transbox"><textarea name="bio_z" data-locale="z"  rows="10" cols="40" id="trans_bio_z">awtf</textarea></div>
      <div class="transbox"><textarea name="bio_z"z='" data-locale="z"z='"  rows="10" cols="40" id="trans_bio_z&quot;z=&#39;">awtf</textarea></div>
Thank you for reporting this issue.

I was able to reproduce this. One clarification to the procedures listed above: it seems the injected " must be on the same line as the Content-Disposition text. In my testing, placing the " on the next line did not work.

I'll continue to investigate the issue.
Here is the specific snippet of resulting HTML. As indicated in the original comments, only 8 characters can be injected and the final character must be ".

The injected content is 1234567"

<div class="transbox"><textarea name="bio_bg"1234567" data-locale="bg"1234567"  rows="10" cols="40" id="trans_bio_bg&quot;1234567">test1</textarea></div>
It does not appear that this is an exploitable XSS issue due to the size constraints of the injected text. 

However, the issue should still be fixed. Updating title.


Recommended Remediation:
Utilize output encoding to safely display any user controlled profile data. In addition, review the method of reading in name values. There is no reason for the name value to be modified by any user data.
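As an added illustration of the remediation above (example code written for this page, not zamboni's own code): the block below models how a multipart field name such as bio_bg"1234567 reaches the textarea attributes unescaped, then applies the two fixes recommended here, validating the bio_<locale> name against a known-locale list and output-encoding anything reflected into markup. KNOWN_LOCALES, FIELD_RE and the render_* / parse_* helper names are constructed for this example; the bio_<locale> field-name shape and the injected value come from the report.

```python
# Added example for this bug, not code from zamboni. It models how an
# unvalidated multipart field name such as bio_bg"1234567 reaches an HTML
# attribute, then applies the two remediations recommended in the thread:
# validate the bio_<locale> name against a known-locale list and
# output-encode anything reflected into markup. KNOWN_LOCALES, FIELD_RE and
# the parse_*/render_* helpers are constructed for illustration.
import html
import re

# Constructed allow-list standing in for the site's real locale table.
KNOWN_LOCALES = {"en-us", "bg", "de", "fr", "es"}

# Shape of a translated-field name: bio_<locale>. Locale tags are limited to
# letters, digits and hyphens, so " ' < > and NUL can never form a valid name.
FIELD_RE = re.compile(r"^(?P<field>[a-z_]+)_(?P<locale>[a-z]{2,3}(?:-[a-z0-9]{2,8})*)$")


def parse_content_disposition_name(header: str) -> str:
    """Return the raw name="..." value from a Content-Disposition header.

    Deliberately lenient, like the parsing the bug relies on: an embedded
    quote is not rejected, so name="bio_bg"1234567" yields bio_bg"1234567.
    """
    m = re.search(r'name="(.*)"\s*$', header)
    if not m:
        raise ValueError("Content-Disposition has no name parameter")
    return m.group(1)


def render_transbox_vulnerable(name: str, value: str) -> str:
    """'Before' pattern seen in the report: the bio text is escaped, but the
    field name is copied verbatim into name=, data-locale= and id=, so a
    quote in the name terminates each attribute early."""
    locale = name.split("_", 1)[1]
    return (
        f'<div class="transbox"><textarea name="{name}" data-locale="{locale}" '
        f'rows="10" cols="40" id="trans_{name}">{html.escape(value)}</textarea></div>'
    )


def translated_fields(form: dict) -> dict:
    """Remediation 1: accept only bio_<locale> names whose locale is known and
    drop everything else (the reporter's 'ignore the entire field')."""
    accepted = {}
    for name, value in form.items():
        m = FIELD_RE.match(name)
        if m and m.group("field") == "bio" and m.group("locale") in KNOWN_LOCALES:
            accepted[m.group("locale")] = value
    return accepted


def render_transbox_fixed(locale: str, value: str) -> str:
    """Remediation 2: output-encode every user-influenced value, attribute
    values included, so even a locale that slipped past validation cannot
    close the attribute. html.escape(quote=True) turns " into &quot;."""
    loc = html.escape(locale, quote=True)
    return (
        f'<div class="transbox"><textarea name="bio_{loc}" data-locale="{loc}" '
        f'rows="10" cols="40" id="trans_bio_{loc}">{html.escape(value)}</textarea></div>'
    )


def stray_quote_count(markup: str) -> int:
    """Quotes beyond the 12 that this template's six quoted attributes account
    for; any surplus means injected input broke an attribute boundary."""
    return markup.count('"') - 12


if __name__ == "__main__":
    # Constructed header mirroring the injection reproduced in the thread.
    header = 'Content-Disposition: form-data; name="bio_bg"1234567"'
    raw_name = parse_content_disposition_name(header)
    broken = render_transbox_vulnerable(raw_name, "test1")
    print(broken)                                   # attributes terminated early
    print(stray_quote_count(broken))                # 3
    print(translated_fields({raw_name: "test1", "bio_bg": "ok"}))  # {'bg': 'ok'}
    print(render_transbox_fixed(raw_name.split("_", 1)[1], "test1"))  # &quot; in attrs
```

The two fixes are independent on purpose: validation keeps junk locales out of the translation table, and attribute escaping makes the template safe even if a later code path feeds it a name that was never validated.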
Summary: Persistent XSS vulnerability in the bio_ name field. → Update User Profile bio_ name field does not properly handle quote character
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → jbalogh
Target Milestone: --- → 5.12.2
http://github.com/jbalogh/zamboni/commit/8e451cb
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
albino: mind double-checking the fix on staging, again? The staging URL is https://preview.addons.mozilla.org/en-US/firefox/; thanks!
I've been trying to reproduce the bug on prod, and haven't been able to; Michael, would you mind taking a look at staging?
Status: RESOLVED → VERIFIED
Product: addons.mozilla.org → addons.mozilla.org Graveyard
Group: client-services-security