Bug 619637 - (CVE-2010-4569) [SECURITY] XSS in user autocomplete due to lack of encoding by YUI
Status: RESOLVED FIXED
Whiteboard: [infrasec:xss][ws:critical]
Product: Bugzilla
Classification: Server Software
Component: User Interface
Version: 3.7.1
Hardware: All, OS: All
Importance: priority --, severity major
Target Milestone: Bugzilla 4.0
Assigned To: Reed Loden [:reed] (use needinfo?)
QA Contact: default-qa
Mentors:
Depends on:
Blocks: 835424 620540
Reported: 2010-12-16 00:29 PST by Reed Loden [:reed] (use needinfo?)
Modified: 2013-01-28 10:06 PST (History)
CC: 7 users
LpSolit: approval+
LpSolit: approval4.0+
mkanat: blocking4.0+
mkanat: blocking3.6.4-
Attachments
patch - v1 (855 bytes, patch)
2010-12-16 01:42 PST, Reed Loden [:reed] (use needinfo?)
mkanat: review+
dkl: review+

Description Reed Loden [:reed] (use needinfo?) 2010-12-16 00:29:08 PST
If a user's real name field happens to contain XSS, the user autocomplete UI will happily execute it, as it does no escaping of any potential valid HTML.

http://yuilibrary.com/forum/viewtopic.php?p=12923 talks about the problem somewhat.
Comment 1 Max Kanat-Alexander 2010-12-16 00:31:57 PST
WTF YUI! Man.

Autocomplete doesn't exist in 3.6.x, so it's not affected. But this should block 4.0 if you can get a patch to me ASAP.
Comment 2 Reed Loden [:reed] (use needinfo?) 2010-12-16 00:38:44 PST
Note that bmo is affected by this, even though it's running 3.6.x. I backported the user autocomplete stuff.
Comment 3 Reed Loden [:reed] (use needinfo?) 2010-12-16 01:41:33 PST
I filed http://yuilibrary.com/projects/yui2/ticket/2529228 upstream about this.
Comment 4 Reed Loden [:reed] (use needinfo?) 2010-12-16 01:42:06 PST
Created attachment 498073 [details] [diff] [review]
patch - v1
Comment 5 Max Kanat-Alexander 2010-12-16 11:32:40 PST
Isn't there some built-in HTML escaper in YUI?

What happens when YUI fixes this bug upstream, as they appear to intend to do?
Comment 6 Reed Loden [:reed] (use needinfo?) 2010-12-16 11:37:54 PST
(In reply to comment #5)
> Isn't there some built-in HTML escaper in YUI?

Not that I can see from poking around.

> What happens when YUI fixes this bug upstream, as they appear to intend to do?

We override the formatter anyway, so we'd still be vulnerable. I'll just modify our code to use their util function or whatever they offer.
Comment 7 Frédéric Buclin 2010-12-18 06:48:40 PST
CC'ing pyrzak as he knows YUI pretty well.
Comment 8 Daniel Veditz [:dveditz] 2010-12-21 15:31:51 PST
CVE-2010-4569
Comment 9 David Lawrence [:dkl] 2011-01-04 11:36:55 PST
Comment on attachment 498073 [details] [diff] [review]
patch - v1

This looks good and works for me until the proper upstream fix is implemented. r=dkl
Comment 10 Max Kanat-Alexander 2011-01-04 14:40:21 PST
Does /regex/g work in IE?
Comment 11 Frédéric Buclin 2011-01-04 14:43:54 PST
(In reply to comment #10)
> Does /regex/g work in IE?

code-error.html.tmpl uses it, so I guess so, yes.
Comment 12 Reed Loden [:reed] (use needinfo?) 2011-01-04 14:46:18 PST
(In reply to comment #10)
> Does /regex/g work in IE?

Yes, since IE 4, I believe.
Comment 13 Guy Pyrzak 2011-01-12 15:07:15 PST
This patch does what Reed wants it to do, which is escape incoming HTML; however, I'm not an XSS attack expert and I feel uncomfortable saying that this solution will stop all possible XSS attacks. But the attached patch (patch - v1) does escape incoming text that he lists in his code. Not sure if this is helpful or not.

Basically the code looks good; my knowledge of the numerous ways to do an XSS attack is too limited to know if this patch is enough to stop the behavior in question.
Comment 14 Max Kanat-Alexander 2011-01-20 17:03:53 PST
Comment on attachment 498073 [details] [diff] [review]
patch - v1

This does look correct and it's the same as what YUI does, so at the least we will be just as secure as the DataTable text formatter.
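The description above explains the defect (the real name is written into the suggestion markup without escaping), comments 10 to 12 discuss whether `/regex/g` is safe to rely on, and comment 14 notes that the fix escapes the same way YUI's DataTable text formatter does. The following is an added example and is not the attached patch (which is not reproduced on this page), nor Bugzilla's `js/field.js`, nor YUI code: it puts the vulnerable formatter shape beside an escaping one. The function names `escapeHtml`, `formatUserSuggestionUnsafe`, `formatUserSuggestion` and `containsRawTag`, the `{real_name, email}` record shape and the sample user are all assumptions made for the example.

```javascript
// Added example (not Bugzilla's js/field.js and not YUI code): an autocomplete
// result formatter that HTML-escapes the user's real name before it is
// inserted into suggestion markup. All names here are assumptions.

// Escape the five characters that matter inside an HTML text node or a
// double-quoted attribute. The /g flag replaces every occurrence, not just
// the first one (comments 10-12 on this bug discuss /g support in IE).
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')   // first, so the entities added below are not re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The vulnerable shape: the real name is concatenated into markup unescaped,
// so any HTML stored in the profile field becomes live DOM in the suggestion list.
function formatUserSuggestionUnsafe(user) {
  return '<span class="name">' + user.real_name + '</span> ' +
         '<span class="email">' + user.email + '</span>';
}

// The fixed shape: every untrusted field is escaped at the point where it is
// written into HTML, which is what a text formatter has to guarantee.
function formatUserSuggestion(user) {
  return '<span class="name">' + escapeHtml(user.real_name) + '</span> ' +
         '<span class="email">' + escapeHtml(user.email) + '</span>';
}

// Constructed sample record: the real name carries markup and quote
// characters, standing in for the "real name field happens to contain XSS"
// case from the bug description.
const sampleUser = {
  real_name: 'Jane "J." O\'Neil <b>& Co</b>',
  email: 'jane@example.com'
};

// Self-check used below: true if the output contains any tag other than the
// <span> wrappers the formatter itself emits, i.e. markup that came from data.
function containsRawTag(html) {
  return /<(?!\/?span\b)[a-z]/i.test(html);
}

console.log('unsafe :', formatUserSuggestionUnsafe(sampleUser));
console.log('escaped:', formatUserSuggestion(sampleUser));
console.log('unsafe leaks markup:', containsRawTag(formatUserSuggestionUnsafe(sampleUser)));
console.log('escaped leaks markup:', containsRawTag(formatUserSuggestion(sampleUser)));
```

The order of the replacements matters: `&` is escaped first so that the `&lt;`, `&gt;`, `&quot;` and `&#39;` produced afterwards are not turned into `&amp;lt;` and so on. The same escaping is needed for every field that reaches the markup, not only the real name, since the email and login fields come from user input too.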
Comment 16 Reed Loden [:reed] (use needinfo?) 2011-01-24 10:07:05 PST
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified js/field.js
Committed revision 7671.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified js/field.js
Committed revision 7528.
Comment 17 Frédéric Buclin 2011-01-24 17:20:02 PST
Security advisory sent. Removing the security flag.