Closed Bug 628034 (CVE-2011-0048) Opened 13 years ago Closed 13 years ago

[SECURITY] For not-logged-in users, the URL field doesn't safeguard against javascript: or data: URLs

Categories

(Bugzilla :: User Interface, defect)

3.6.3
defect
Not set
normal

Tracking


VERIFIED FIXED
Bugzilla 3.2

People

(Reporter: firealwaysworks, Assigned: LpSolit)

Details

(Whiteboard: [infrasec:input][ws:moderate][blocker will fix])

Attachments

(1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: 

The javascript URI type can be used to execute javascript in an <a> tag. Click on the supplied URL above.

Reproducible: Always
Firefox handles the javascript: uri type a bit differently than Chrome/Safari/IE which do not show a warning.
This is intentional, see bug 454134.
Assignee: general → nobody
Group: bugzilla-security
Severity: major → normal
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Component: Bugzilla-General → Bugzilla: Other b.m.o Issues
Product: Bugzilla → mozilla.org
QA Contact: default-qa → other-bmo-issues
Resolution: --- → WORKSFORME
Version: unspecified → other
Wow intentional XSS, I actually haven't heard that one before.
Actually, it's broken.  But only in Safari/Chrome/IE like he says.  If you're in Firefox you get an alert box warning you that it could be malicious and click OK to execute anyway or Cancel.  I don't get the alert box in Safari, it just does it.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: WORKSFORME → ---
Severity: normal → critical
Hardware: x86 → All
Group: webtools-security
Summary: XSS in Bugzilla → non-Gecko browsers only - XSS in Bugzilla's URL field
The alert box in question is generated like this:

        <a href="javascript:alert(document.cookie)" target="_blank"
           title="javascript:alert(document.cookie)"
             onclick="return confirm(
                 'This is a &quot;data&quot; or &quot;javascript&quot; URL,'
                 + ' which can possibly be harmful. The full URL is:\n\n'
                 + 'javascript:alert(document.cookie)\n\nContinue?')">javascript:alert(document.cookie)</a>

Apparently something is causing the other browsers to ignore the onclick?
So then you're saying this is a vulnerability for the majority of people online. (FF has 43.5% market share) You know this fix is just a one-liner, just look for a URL that starts with "javascript".
@Dave Miller that is a really strange way of trying to address this problem.
Oops, it's worse than that.  It's not what browser you're using, it's whether you're logged in or not.  The not-logged-in version of the page doesn't have the onclick code.  Yikes.
Summary: non-Gecko browsers only - XSS in Bugzilla's URL field → XSS in Bugzilla's URL field for not-logged-in users
(In reply to comment #8)
> @Dave Miller that is a really strange way of trying to address this problem.

Yes, it is, and Bugzilla upstream doesn't allow those to be clicked at all.  But because this site is used to track bugs in Firefox and Firefox has to be able to properly deal with those types of URLs, the developers need to be able to override it and use them anyway.  The best compromise was to put up a warning (it's a local customization on this site).
@Dave Miller Interesting, I can see that. Nice catch on the not-logged-in condition.
And this is why our customization didn't catch it.  Upstream doesn't either.  This is an upstream bug after all.

https://landfill.bugzilla.org/bugzilla-3.6-branch/show_bug.cgi?id=10211

Make sure you're not logged in on landfill when you view the above link.
Assignee: nobody → ui
Group: webtools-security → bugzilla-security
Component: Bugzilla: Other b.m.o Issues → User Interface
Product: mozilla.org → Bugzilla
QA Contact: other-bmo-issues → default-qa
Target Milestone: --- → Bugzilla 3.6
Version: other → 3.6.3
Bug 619588 already modifies this code, so we'll need to patch on top of that.
Blocks: 620540
Severity: critical → major
Status: REOPENED → NEW
Flags: blocking4.0?
Flags: blocking3.6.4?
Flags: blocking3.4.10?
Flags: blocking3.2.10?
Whiteboard: [infrasec:xss][ws:moderate]
Target Milestone: Bugzilla 3.6 → Bugzilla 3.2
Depends on: CVE-2010-4567
Attached patch patch - v1 (obsolete) — Splinter Review
I think this should work. Going to test it now.
Assignee: ui → reed
Status: NEW → ASSIGNED
Attachment #506145 - Flags: review?(LpSolit)
Summary: XSS in Bugzilla's URL field for not-logged-in users → [SECURITY] For not-logged-in users, the URL field doesn't safeguard against javascript: or data: URLs
Whiteboard: [infrasec:xss][ws:moderate] → [infrasec:input][ws:moderate]
(In reply to comment #14)
> I think this should work. Going to test it now.

Works fine from my testing. Ready for review.
(In reply to comment #13)
> Bug 619588 already modifies this code, so we'll need to patch on top of that.

It's IMO a dupe of that bug, and patches should be merged together.
(In reply to comment #16)
> (In reply to comment #13)
> > Bug 619588 already modifies this code, so we'll need to patch on top of that.
> 
> It's IMO a dupe of that bug, and patches should be merged together.

They aren't the same issue. Bug 619588 deals with spaces evading the safeguards. This bug deals with the safeguards not being used at all on not-logged-in pages. While they affect the same code area, the issues themselves are very different.
Comment on attachment 506145 [details] [diff] [review]
patch - v1

This bug will be fixed by bug 619588.
Attachment #506145 - Attachment is obsolete: true
Attachment #506145 - Flags: review?(LpSolit)
Assignee: reed → LpSolit
Flags: blocking4.0?
Flags: blocking4.0+
Flags: blocking3.6.4?
Flags: blocking3.6.4+
Flags: blocking3.4.10?
Flags: blocking3.4.10+
Flags: blocking3.2.10?
Flags: blocking3.2.10+
Whiteboard: [infrasec:input][ws:moderate] → [infrasec:input][ws:moderate][blocker will fix]
An XSS from clicking on an obvious "javascript:" link is not "major". (But is still indeed a bug that we should address.)
Severity: major → normal
Max Kanat-Alexander:
I know this probably doesn't matter to you but Google paid me $500 for an identical xss vector.
Frédéric Buclin:
Just out of curiosity, do you know how many times one of my Mozilla bug reports has been mapped to some crusty old bug id?
(In reply to comment #21)
> Frédéric Buclin:
> Just out of curiosity, do you know how many times one of my Mozilla bug reports
> has been mapped to some crusty old bug id?

Bug 619588 has nothing to do with this bug. It just happens to be a security issue affecting similar code to this bug, so it was decided to just combine the fix for this issue into that patch.

Note that Max and Frédéric are just Bugzilla developers and have nothing to do with Mozilla's Security Bug Bounty program (Bugzilla is just one project in the larger Mozilla community). If you have specific questions about the bounty program (such as what you asked in comment #21), please e-mail security@mozilla.org.
dveditz, need a CVE for this one.
Reed Loden:
Thanks for setting me straight.  I didn't realize your bug system worked that way.  A CVE with my name on it would be awesome: Michael Brooks (Sitewatch)

Frédéric Buclin:
I'm sorry I misunderstood the system.  I realize now that you are just doing your job.
(In reply to comment #24)
> Thanks for setting me straight.  I didn't realize your bug system worked that
> way.

Unlike Google, we give you a direct line to the developers fixing the issue, so you can interact and see current progress. As such, the bugs you file are the same ones the app developers are using to fix the issue, so not all discussions might directly relate to you specifically. If you ever have a question about this process or a concern about anything you're not sure about, feel free to shoot it to security@mozilla.org, and we will do our best to answer you. :)

> A CVE with my name on it would be awesome: Michael Brooks (Sitewatch)

CVEs don't include names (just problem descriptions), but the security advisory to be released that contains this issue will include your name in the credits.
Call this CVE-2011-0048
Alias: CVE-2011-0048
Bug 619588 committed on all branches 3.2 and higher.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Security advisory sent. Removing the security flag.
Group: bugzilla-security
VERIFIED that unsafe dialog appears for a user that isn't logged in
Status: RESOLVED → VERIFIED
(In reply to comment #30)
> VERIFIED that unsafe dialog appears for a user that isn't logged in

err, the URI isn't linked for not-logged-in users, which fixes the problem.
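The rendering logic this bug is about, as an added illustration rather than Bugzilla's own code: the URL field is linked normally for ordinary schemes, linked with the confirm() prompt shown in comment 7 for javascript:/data: URLs when the viewer is logged in, and left as plain text for anonymous viewers, which is how the fix was verified above. The scheme check normalises leading whitespace and control characters so the "starts with javascript" one-liner is not evaded the way bug 619588 describes. Function names (`isDangerousUrl`, `renderUrlField`, `escapeHtml`) are my own.

```javascript
// Added example, not code from Bugzilla. Demonstrates the two behaviours
// discussed in this bug: scheme detection that survives whitespace tricks,
// and a not-linked rendering for users who are not logged in.

const DANGEROUS_SCHEMES = ["javascript:", "data:"];

// Escape text for use inside HTML text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Browsers strip leading/trailing whitespace and drop tab/newline characters
// before resolving a URL, so a raw startsWith("javascript") check can be
// bypassed with " javascript:" or "java\tscript:". This strips every C0
// control, space and DEL anywhere in the string, which is stricter than the
// browser and errs toward flagging, then compares case-insensitively.
function isDangerousUrl(url) {
  const normalised = String(url)
    .replace(/[\u0000-\u0020\u007f]/g, "")
    .toLowerCase();
  return DANGEROUS_SCHEMES.some((scheme) => normalised.startsWith(scheme));
}

// Render the URL field for a viewer. Logged-in users (developers who may
// legitimately need to open such URLs) get the link behind a confirm()
// prompt; anonymous users get the URL as escaped text with no link at all.
function renderUrlField(url, loggedIn) {
  const safe = escapeHtml(url);
  if (!isDangerousUrl(url)) {
    return `<a href="${safe}" target="_blank">${safe}</a>`;
  }
  if (!loggedIn) {
    return safe; // not linked: nothing to click, nothing to execute
  }
  const message =
    'This is a "data" or "javascript" URL, which can possibly be harmful. ' +
    "The full URL is:\n\n" + String(url) + "\n\nContinue?";
  // JSON.stringify yields a valid JS string literal; escapeHtml then makes it
  // safe to embed in the onclick attribute without breaking out of it.
  const onclick = escapeHtml("return confirm(" + JSON.stringify(message) + ")");
  return `<a href="${safe}" target="_blank" title="${safe}" onclick="${onclick}">${safe}</a>`;
}
```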