Closed Bug 612968 Opened 14 years ago Closed 14 years ago

Topic field executes XSS

Categories

(support.mozilla.org :: Knowledge Base Software, task, P2)

Product:
support.mozilla.org
Component:
Knowledge Base Software
Platform:
x86
Windows XP
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: rbillings, Assigned: erik)

Details

(Keywords: wsec-xss)

uTest user was able to get xss to execute using the topic field on a new article. I was unable to repro using WinXP and either IE or FF, but this is serious enough to warrant even more exploration. 1) /kb/new 2) enter ""><script>alert("Hacked");</script>" in the topic field 3) submit article for review [with other req'd fields]> enter reason> submit expected: article created actual: uTest got it to execute, I was unable to repro
Severity: normal → critical
Priority: -- → P2
Group: websites-security
Assignee: nobody → erik
Aha, the trick is that the tested submitted an invalid tag (which means they weren't a privileged user, as you and I are). Notice the error message 'Select a valid choice.">'. We need to escape the error message better or something.
Same thing happens if you edit the HTML and put in a XSS-ish value for any other ChoiceField.
(In reply to comment #2) > Same thing happens if you edit the HTML and put in a XSS-ish value for any > other ChoiceField. If you have to edit the HTML it's not a vulnerability.
Of course not. Just making the point that the escaping is globally wrong. Fixed it in errorlist.html.
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
You need to log in before you can comment on or make changes to this bug.