Bug 628034 - (CVE-2011-0048) [SECURITY] For not-logged-in users, the URL field doesn't safeguard against javascript: or data: URLs
Status: VERIFIED FIXED
Whiteboard: [infrasec:input][ws:moderate][blocker...
Product: Bugzilla
Classification: Server Software
Component: User Interface
Version: 3.6.3
Hardware: All
OS: All
Importance: -- normal
Target Milestone: Bugzilla 3.2
Assigned To: Frédéric Buclin
QA Contact: default-qa
URL: javascript:alert(document.cookie)
Depends on: CVE-2010-4567
Blocks: 835424 620540
Reported: 2011-01-22 11:34 PST by mike
Modified: 2013-01-28 10:07 PST
Flags: LpSolit: blocking4.0+, blocking3.6.4+, blocking3.4.10+, blocking3.2.10+


Attachments
patch - v1 (870 bytes, patch), 2011-01-22 13:57 PST, Reed Loden [:reed] (use needinfo?)

Description mike 2011-01-22 11:34:34 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

The javascript: URI type can be used to execute JavaScript in an <a> tag. Click on the supplied URL above.

Reproducible: Always
Comment 1 mike 2011-01-22 11:36:07 PST
Firefox handles the javascript: URI type a bit differently than Chrome/Safari/IE, which do not show a warning.
Comment 2 Frédéric Buclin 2011-01-22 11:40:39 PST
This is intentional, see bug 454134.
Comment 3 mike 2011-01-22 11:47:18 PST
Wow intentional XSS, I actually haven't heard that one before.
Comment 4 Dave Miller [:justdave] (justdave@bugzilla.org) 2011-01-22 11:52:15 PST
Actually, it's broken.  But only in Safari/Chrome/IE like he says.  If you're in Firefox you get an alert box warning you that it could be malicious and click OK to execute anyway or Cancel.  I don't get the alert box in Safari, it just does it.
Comment 5 Dave Miller [:justdave] (justdave@bugzilla.org) 2011-01-22 11:57:53 PST
The alert box in question is generated like this:

        <a href="javascript:alert(document.cookie)" target="_blank"
           title="javascript:alert(document.cookie)"
             onclick="return confirm(
                 'This is a &quot;data&quot; or &quot;javascript&quot; URL,'
                 + ' which can possibly be harmful. The full URL is:\n\n'
                 + 'javascript:alert(document.cookie)\n\nContinue?')">javascript:alert(document.cookie)</a>

Apparently something is causing the other browsers to ignore the onclick?
Comment 6 mike 2011-01-22 11:58:14 PST
So then you're saying this is a vulnerability for the majority of people online (FF has 43.5% market share). You know this fix is just a one-liner, just look for a URL that starts with "javascript".
Comment 8 mike 2011-01-22 12:00:43 PST
@Dave Miller that is a really strange way of trying to address this problem.
Comment 9 Dave Miller [:justdave] (justdave@bugzilla.org) 2011-01-22 12:00:53 PST
Oops, it's worse than that.  It's not what browser you're using, it's whether you're logged in or not.  The not-logged-in version of the page doesn't have the onclick code.  Yikes.
Comment 10 Dave Miller [:justdave] (justdave@bugzilla.org) 2011-01-22 12:02:12 PST
(In reply to comment #8)
> @Dave Miller that is a really strange way of trying to address this problem.

Yes, it is, and Bugzilla upstream doesn't allow those to be clicked at all.  But because this site is used to track bugs in Firefox and Firefox has to be able to properly deal with those types of URLs, the developers need to be able to override it and use them anyway.  The best compromise was to put up a warning (it's a local customization on this site).
Comment 11 mike 2011-01-22 12:05:01 PST
@Dave Miller Interesting, I can see that.   Nice catch on the  not-logged-in condition.
Comment 12 Dave Miller [:justdave] (justdave@bugzilla.org) 2011-01-22 12:06:50 PST
And this is why our customization didn't catch it.  Upstream doesn't either.  This is an upstream bug after all.

https://landfill.bugzilla.org/bugzilla-3.6-branch/show_bug.cgi?id=10211

Make sure you're not logged in on landfill when you view the above link.
Comment 13 Reed Loden [:reed] (use needinfo?) 2011-01-22 13:29:27 PST
Bug 619588 already modifies this code, so we'll need to patch on top of that.
Comment 14 Reed Loden [:reed] (use needinfo?) 2011-01-22 13:57:41 PST
Created attachment 506145 [details] [diff] [review]
patch - v1

I think this should work. Going to test it now.
Comment 15 Reed Loden [:reed] (use needinfo?) 2011-01-22 14:12:36 PST
(In reply to comment #14)
> I think this should work. Going to test it now.

Works fine from my testing. Ready for review.
Comment 16 Frédéric Buclin 2011-01-22 15:44:24 PST
(In reply to comment #13)
> Bug 619588 already modifies this code, so we'll need to patch on top of that.

It's IMO a dupe of that bug, and patches should be merged together.
Comment 17 Reed Loden [:reed] (use needinfo?) 2011-01-22 15:56:34 PST
(In reply to comment #16)
> (In reply to comment #13)
> > Bug 619588 already modifies this code, so we'll need to patch on top of that.
> 
> It's IMO a dupe of that bug, and patches should be merged together.

They aren't the same issue. Bug 619588 deals with spaces evading the safeguards. This bug deals with the safeguards not being used at all on not-logged-in pages. While they affect the same code area, the issues themselves are very different.
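The two failure modes comment 17 separates (whitespace slipping past the scheme check, and the check not being applied at all on one of the two rendering paths) in one added example. This is not Bugzilla's code and not a transcription of the bug 619588 patch; the function names, the CSS class, the scheme list and the exact HTML emitted are assumptions chosen for illustration. It goes slightly beyond the thread in one respect: it pre-processes the string the way browsers do before parsing an href (leading and trailing C0 controls and spaces dropped, ASCII tab/CR/LF removed anywhere), which is why a plain "starts with javascript:" test is not enough.

```python
import html
import re
from typing import Optional

# Schemes whose "URL" runs as script in the linking page's context (or in the
# new tab's about:blank) instead of fetching a document.  Assumed list; the
# thread itself only names javascript: and data:.
DANGEROUS_SCHEMES = {"javascript", "data", "vbscript"}

# Browsers normalise an href before parsing it (WHATWG URL parser): leading and
# trailing C0 controls and spaces are stripped, and ASCII tab, CR and LF are
# removed anywhere.  " javascript:..." and "java\tscript:..." therefore still
# execute, so a check must apply the same normalisation first.
_C0_OR_SPACE = "".join(chr(c) for c in range(0x00, 0x21))


def normalize_href(url: str) -> str:
    """Apply the browser's pre-parse cleanup so we classify what it will see."""
    url = url.strip(_C0_OR_SPACE)
    return re.sub(r"[\t\r\n]", "", url)


def scheme_of(url: str) -> Optional[str]:
    """Lower-cased scheme of the normalised URL, or None if it has none."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", normalize_href(url))
    return m.group(1).lower() if m else None


def safe_to_link(url: str) -> bool:
    """True if the URL field may be turned into a clickable <a href>."""
    return scheme_of(url) not in DANGEROUS_SCHEMES


def render_url_field(url: str) -> str:
    """Render the bug's URL field as HTML.

    Deliberately takes no 'logged_in' parameter: the bug in this thread was two
    templates for the same field, only one of which applied the check.  One
    function, used by every page that shows the field, removes that class of
    mistake.  Escaping is unconditional so the value can never break out of the
    attribute or the text node.
    """
    text = html.escape(url, quote=True)
    if not safe_to_link(url):
        # Dangerous scheme: show the value, never link it (upstream behaviour).
        return f'<span class="bz_url_unlinked">{text}</span>'
    # noopener/noreferrer is general target="_blank" hygiene, not part of this fix.
    return f'<a href="{text}" target="_blank" rel="noopener noreferrer">{text}</a>'


if __name__ == "__main__":
    # Constructed sample inputs, including the payload from this bug's URL field.
    for sample in ("http://example.com/",
                   "javascript:alert(document.cookie)",
                   "  javascript:alert(1)",
                   "java\tscript:alert(1)",
                   "data:text/html,<script>alert(1)</script>"):
        print(repr(sample), "->", render_url_field(sample))
```

Whatever the rendering layer is, the property to test is the one in the last assertion set: the output for a javascript: or data: value contains no `<a` regardless of which page renders it, and the same normalisation runs before the scheme is inspected.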
Comment 18 Frédéric Buclin 2011-01-22 18:04:06 PST
Comment on attachment 506145 [details] [diff] [review]
patch - v1

This bug will be fixed by bug 619588.
Comment 19 Max Kanat-Alexander 2011-01-22 23:52:32 PST
An XSS from clicking on an obvious "javascript:" link is not "major". (But is still indeed a bug that we should address.)
Comment 20 mike 2011-01-23 00:57:45 PST
Max Kanat-Alexander:
I know this probably doesn't matter to you but Google paid me $500 for an identical xss vector.
Comment 21 mike 2011-01-23 01:00:58 PST
Frédéric Buclin:
Just out of curiosity, do you know how many times one of my Mozilla bug reports has been mapped to some crusty old bug ID?
Comment 22 Reed Loden [:reed] (use needinfo?) 2011-01-23 01:06:45 PST
(In reply to comment #21)
> Frédéric Buclin:
> Just out of curiosity, do you know how many times one of my Mozilla bug reports
> has been mapped to some crusty old bug ID?

Bug 619588 has nothing to do with this bug. It just happens to be a security issue affecting similar code to this bug, so it was decided to just combine the fix for this issue into that patch.

Note that Max and Frédéric are just Bugzilla developers and have nothing to do with Mozilla's Security Bug Bounty program (Bugzilla is just one project in the larger Mozilla community). If you have specific questions about the bounty program (such as what you asked in comment #21), please e-mail security@mozilla.org.
Comment 23 Reed Loden [:reed] (use needinfo?) 2011-01-23 01:07:54 PST
dveditz, need a CVE for this one.
Comment 24 mike 2011-01-23 01:12:15 PST
Reed Loden:
Thanks for setting me straight.  I didn't realize your bug system worked that way.  A CVE with my name on it would be awesome: Michael Brooks (Sitewatch)

Frédéric Buclin:
I'm sorry I misunderstood the system.  I realize now that you are just doing your job.
Comment 26 Reed Loden [:reed] (use needinfo?) 2011-01-23 01:31:47 PST
(In reply to comment #24)
> Thanks for setting me straight.  I didn't realize your bug system worked that
> way.

Unlike Google, we give you a direct line to the developers fixing the issue, so you can interact and see current progress. As such, the bugs you file are the same ones the app developers are using to fix the issue, so not all discussions might directly relate to you specifically. If you ever have a question about this process or a concern about anything you're not sure about, feel free to shoot it to security@mozilla.org, and we will do our best to answer you. :)

> A CVE with my name on it would be awesome: Michael Brooks (Sitewatch)

CVEs don't include names (just problem descriptions), but the security advisory to be released that contains this issue will include your name in the credits.
Comment 27 Daniel Veditz [:dveditz] 2011-01-24 10:06:18 PST
Call this CVE-2011-0048
Comment 28 Frédéric Buclin 2011-01-24 10:43:13 PST
Bug 619588 committed on all branches 3.2 and higher.
Comment 29 Frédéric Buclin 2011-01-24 17:20:04 PST
Security advisory sent. Removing the security flag.
Comment 30 David Chan [:dchan] 2011-07-06 10:53:02 PDT
VERIFIED that unsafe dialog appears for a user that isn't logged in
Comment 31 David Chan [:dchan] 2011-07-06 10:54:54 PDT
(In reply to comment #30)
> VERIFIED that unsafe dialog appears for a user that isn't logged in

err, the URI isn't linked for not-logged-in users, which fixes the problem.
