648655 - Mozilla Hacks - Hacks2010 Template XSS Bugs

Status: RESOLVED FIXED

(Developer Engagement :: Mozilla Hacks, task, P1)

Description

[marius]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 ( .NET CLR 3.5.30729; .NET4.0E)
Build Identifier: 

http://hacks.mozilla.org - xss on all parameters/categories where you see "?"

POC: 


http://hacks.mozilla.org/2011/03/?"><marquee><h1>XSS</h1></marquee>--><script>alert('XSS-HACK?')</script>--> 

SEE:  

http://img691.imageshack.us/f/marzt.jpg/

Reproducible: Always

Comment 1

[David Chan [:dchan]]

The issue appears to be in the Hacks2010 template which doesn't properly escape output in tmh_by_as_url . I will look at the rest of the template for other potential issues.

index
http://viewvc.svn.mozilla.org/vc/projects/hacks.mozilla.org/trunk/wp-content/themes/Hacks2010/index.php?revision=58712&view=markup

Template functions
http://viewvc.svn.mozilla.org/vc/projects/hacks.mozilla.org/trunk/wp-content/themes/Hacks2010/functions.php?revision=66342&view=markup

Comment 3

[David Chan [:dchan]]

Other files which use tmh_by_as_url

find . -name "*.php" | xargs fgrep -i "tmh_by_as_url" | cut -d: -f1 | sort | uniq
./archive.php
./category-demo.php
./category-featured-demo.php
./category-featured.php
./category.php
./functions.php
./index.php
./search.php

Comment 4

[Daniel Veditz [:dveditz]]

Do any of the other themes in use on any of our blogs share code with this theme?

Comment 5

[Daniel Veditz [:dveditz]]

blizzard: where did the hacks theme come from? Is there an upstream source we need to inform about the XSS or did we write it ourselves?

Comment 7

[Michael Morgan [:morgamic]]

Craig - can you take a look at this?

Comment 8

[Craig Cook (:craigcook)]

I think it may be as simple as running the tmh_by_as_url request through htmlspecialchars. I've done that in r88625 and it seems to do the trick locally, or at least the URL hack in the original report doesn't work. The extra HTML just gets ignored.

That tmh_by_as_url function is what we use to sort posts by different criteria in different views based on the request URL (e.g. /by/date/ = "sort by date", /as/title/ = "display as title"). It was custom rolled for the Hacks blog and isn't in use anywhere else as far as I know. I don't think it occurred to us to test for passing in an arbitrary query string so this vulnerability went unnoticed. Good catch.

Comment 9

[Yvan Boily [:ygjb][:yvan]]

Has this theme been updated in production?  The site is still vulnerable to the XSS in the original bug report.

Comment 10

[Craig Cook (:craigcook)]

(In reply to comment #9)
> Has this theme been updated in production?  The site is still vulnerable to
> the XSS in the original bug report.

Nope, doesn't look like it was ever pushed to prod. I expect that requires filing a separate bug for server-ops. 

But I also don't know if the code change was reviewed again to make sure the security hole is plugged. I don't think we have any staging environment for hacks to test against, but just a code review may be enough.

Comment 12

[Yvan Boily [:ygjb][:yvan]]

Adding the reporter of a duplicate bug.

Can we get the updates by Craig staged so that we can review this?

Comment 13

[Jason Thomas [:jason]]

Production is currently at r90170 which includes the fix mentioned above. 

[root@mradm02 hacks.mozilla.org-wpcontent]# svn info

Path: .
URL: http://svn.mozilla.org/projects/hacks.mozilla.org/trunk/wp-content
Repository Root: http://svn.mozilla.org
Repository UUID: 4eb1ac78-321c-0410-a911-ec516a8615a5
Revision: 90170
Node Kind: directory
Schedule: normal
Last Changed Author: craigcook@gmail.com
Last Changed Rev: 90088
Last Changed Date: 2011-06-07 14:49:01 -0700 (Tue, 07 Jun 2011)

http://viewvc.svn.mozilla.org/vc/projects/hacks.mozilla.org/trunk/wp-content/?view=log

Comment 14

[Yvan Boily [:ygjb][:yvan]]

Ok thanks, I will review this.

Comment 15

[marius]

I wonder if was fixed the bug...or not yet?

Comment 16

[Matt Fuller :mfuller]

This bug is still listed as new and does not yet appear to have been fixed (or at least pushed to production). Revision 88625 (http://viewvc.svn.mozilla.org/vc/projects/hacks.mozilla.org/trunk/wp-content/?view=log) lists the fix as being applied, but the live site is still vulnerable. :jason, can you take a look at this so that we can fix it and close the bug? Thanks!

Comment 17

[John Karahalis [:openjck]]

The MDN team now owns Hacks development, so we would like to take care of this as soon as possible. Jason, thoughts on comment 16?

Comment 18

[Jason Thomas [:jason]]

CC'ing Jake from Webops

Comment 19

[Jake Maul [:jakem]]

We are *way* beyond the commit in comment 16 now. Can we still confirm this is an issue?

There are no actions for WebOps to take on this at the moment.



[root@genericadm.private.phx1 Hacks2010]# svn info
Path: .
Working Copy Root Path: /data/genericrhel6/src/hacks.mozilla.org/wp-content
URL: http://svn.mozilla.org/projects/hacks.mozilla.org/trunk/wp-content/themes/Hacks2010
Repository Root: http://svn.mozilla.org
Repository UUID: 4eb1ac78-321c-0410-a911-ec516a8615a5
Revision: 115475
Node Kind: directory
Schedule: normal
Last Changed Author: craigcook@gmail.com
Last Changed Rev: 115472
Last Changed Date: 2013-04-26 02:04:48 -0700 (Fri, 26 Apr 2013)

Comment 20

[Jake Maul [:jakem]]

Presuming this is fixed now, since production is well beyond the commit where this was believed to be fixed.

Comment 21

[Yvan Boily [:ygjb][:yvan]]

Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.

Comment 22

[Will Kahn-Greene [:willkg] ET needinfo? me]

For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.