Bug 660053 - (CVE-2011-2976) [SECURITY] If a BUGLIST cookie is compromised, it can be used to XSS show_bug.cgi and inject HTML into <head>

Status: VERIFIED FIXED
Whiteboard: [3.4.x and older only; 3.6 and newer ...
Product: Bugzilla
Classification: Server Software
Component: Creating/Changing Bugs
Version: 2.16
Hardware: All
OS: All
Priority: --
Severity: normal
Target Milestone: Bugzilla 3.4
Assigned To: Max Kanat-Alexander
QA Contact: default-qa
Mentors:
URL: http://www.cloudscan.me/2011/05/bugzi...
Duplicates: 667503
Depends on:
Blocks: 660528

Reported: 2011-05-26 12:04 PDT by Max Kanat-Alexander
Modified: 2011-08-24 13:47 PDT
Flags: LpSolit: approval3.4+, LpSolit: blocking3.4.12+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---

Attachments
v1 (1.75 KB, patch) - 2011-05-26 12:08 PDT, Max Kanat-Alexander - LpSolit: review-
v2 (3.41 KB, patch) - 2011-05-26 12:17 PDT, Max Kanat-Alexander - LpSolit: review+

Description Max Kanat-Alexander 2011-05-26 12:04:43 PDT
Bugzilla 3.4.11 and below are affected by an XSS that is only possible if the user's BUGLIST cookie is somehow compromised. The bug_list.first and bug_list.last variables in the bug/navigate.html.tmpl template are not properly escaped when displayed.

As far as we know, it is not possible to compromise the BUGLIST cookie in Bugzilla, and as such we are not treating this as a high-priority security issue, but still something that we should fix for the 3.4 branch in case administrators have customized their installation in such a way that BUGLIST could have been compromised, or there are other programs on the user's system that could somehow have compromised the cookie.
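Added illustration, not Bugzilla's own code: a Python stand-in for the affected template logic. Bugzilla 3.4 splits the BUGLIST cookie on ":" without validating the pieces, and the pre-fix global/site-navigation.html.tmpl interpolates bug_list.first and bug_list.last into <link> elements inside <head> with no filter; the v2 patch routes both values through the html filter. The <link> markup, the hostnames and the cookie values below are assumptions modelled on that layout, and validated_bug_ids() goes beyond the committed fix (which only escaped the output) to show the defence-in-depth check a practitioner would add.

```python
import html
from typing import List, Optional

# Constructed sample cookies: a normal BUGLIST as Bugzilla 3.4 would store it
# (colon-separated bug IDs), and one planted by an attacker.
BENIGN_COOKIE = "101:102:103"
FORCED_COOKIE = '101:102:"><script>alert(document.cookie)</script>'


def parse_buglist_cookie(cookie_value: Optional[str]) -> List[str]:
    """Split the cookie the way show_bug.cgi does: split on ':' with no validation."""
    if not cookie_value:
        return []
    return cookie_value.split(":")


def render_head_links_unescaped(bug_list: List[str]) -> str:
    """Models the pre-fix site-navigation template (assumed layout): bug_list.first
    and bug_list.last land in <link> elements inside <head> unfiltered."""
    if not bug_list:
        return ""
    first, last = bug_list[0], bug_list[-1]
    return (f'<link rel="First" href="show_bug.cgi?id={first}">\n'
            f'<link rel="Last" href="show_bug.cgi?id={last}">\n')


def render_head_links_escaped(bug_list: List[str]) -> str:
    """Models the patched template: each value passes through the html filter.
    html.escape(quote=True) covers the characters Template Toolkit's FILTER html
    covers (&, <, >, ") plus the single quote."""
    if not bug_list:
        return ""
    first = html.escape(bug_list[0], quote=True)
    last = html.escape(bug_list[-1], quote=True)
    return (f'<link rel="First" href="show_bug.cgi?id={first}">\n'
            f'<link rel="Last" href="show_bug.cgi?id={last}">\n')


def validated_bug_ids(bug_list: List[str]) -> List[str]:
    """Defence in depth (not part of the 3.4.12 fix): a bug ID is a positive
    integer, so drop anything else from the cookie before any template sees it."""
    return [b for b in bug_list if b.isdigit()]


def breaks_out_of_attribute(rendered: str) -> bool:
    """True if a cookie value closed the href attribute and opened a new tag."""
    return "<script>" in rendered


if __name__ == "__main__":
    forced = parse_buglist_cookie(FORCED_COOKIE)
    print(render_head_links_unescaped(forced))  # attribute broken out of, script injected
    print(render_head_links_escaped(forced))    # payload rendered inert as text
    print(validated_bug_ids(forced))            # ['101', '102']: the garbage is dropped
```

Escaping at the output point is the fix the patch ships and is what 008filter.t checks for; the integer check is the extra layer that would have made the template bug unreachable in the first place, and it costs nothing because a valid BUGLIST never contains anything but digits and colons.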
Comment 1 Max Kanat-Alexander 2011-05-26 12:08:58 PDT
Created attachment 535428 [details] [diff] [review]
v1

Simple untested patch for the issue. (It does pass 008filter.t.)
Comment 2 Frédéric Buclin 2011-05-26 12:11:24 PDT
For the record, 3.6 and newer are not affected as bug 509108 added filters.
Comment 3 Frédéric Buclin 2011-05-26 12:14:38 PDT
Comment on attachment 535428 [details] [diff] [review]
v1

You also have to fix global/site-navigation.html.tmpl.
Comment 4 Max Kanat-Alexander 2011-05-26 12:17:58 PDT
Created attachment 535431 [details] [diff] [review]
v2

Thanks, fixed in this patch.
Comment 5 Frédéric Buclin 2011-05-26 12:42:29 PDT
Comment on attachment 535431 [details] [diff] [review]
v2

r=LpSolit
Comment 6 Michael Coates [:mcoates] (acct no longer active) 2011-05-26 12:46:55 PDT
(In reply to comment #0)
> As far as we know, it is not possible to compromise the BUGLIST cookie in
> Bugzilla, and as such we are not treating this as a high-priority security
> issue, but still something that we should fix for the 3.4 branch in case
> administrators have customized their installation in such a way that BUGLIST
> could have been compromised, or there are other programs on the user's
> system that could somehow have compromised the cookie.

Unfortunately this is not true. One of the peculiarities with cookie handling in all browsers is that anyone can set a cookie for any user on any site provided they are able to intercept some traffic from the victim to any other HTTP site.

I wrote a post and diagram on this issue which further describes the issue:
http://michael-coates.blogspot.com/2010/01/cookie-forcing-trust-your-cookies-no.html

The only solution to this issue is to enable HSTS. HSTS will prevent the victim's browser from being forced by the MITM to issue a HTTP request to the site in question.
Comment 7 Max Kanat-Alexander 2011-05-26 13:16:23 PDT
> anyone can set a cookie for any user on any
> site provided they are able to intercept some traffic from the victim to any
> other HTTP site.

  But being able to set cookies is a significantly worse vulnerability than this, no? That is, if you can MITM somebody, you've already entirely encompassed this vulnerability and then some.
Comment 8 Michael Coates [:mcoates] (acct no longer active) 2011-05-26 15:12:46 PDT
(In reply to comment #7)
> > anyone can set a cookie for any user on any
> > site provided they are able to intercept some traffic from the victim to any
> > other HTTP site.
> 
>   But being able to set cookies is a significantly worse vulnerability than
> this, no? That is, if you can MITM somebody, you've already entirely
> encompassed this vulnerability and then some.

So the difference here is that the attacker is not actually MITMing the SSL connection; that connection is totally valid and untouched. Instead the attacker MITMs other HTTP requests made by the victim to different sites (e.g. maybe they are also browsing Google, or their browsing is sending requests for HTTP updates of some sort).

That's what makes this issue so frustrating: the attacker can intercept and modify an HTTP request by the victim to foo.com and use this to ultimately cause a new cookie to be set for the user's interaction with the Bugzilla site.
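The cookie-forcing scenario from comments 6 and 8, as an added example that is not part of the original thread: Python's http.cookiejar is used as a model of a 2011-era browser cookie store, because it keys cookies by (domain, path, name) with no scheme isolation, exactly the property Michael Coates describes. The hostname, URLs and cookie values are constructed for the demo, and the HSTS handling is a minimal stand-in (the browser simply never issues the plaintext request for a host with an HSTS entry), not a full implementation of RFC 6797.

```python
import http.client
import http.cookiejar
import urllib.request

BUGZILLA_HOST = "bugzilla.example.com"  # assumed hostname for the demo


class _Response:
    """Just enough of an urllib response for CookieJar.extract_cookies():
    .info() returns the headers, from which Set-Cookie values are read."""

    def __init__(self, set_cookie_values):
        self._headers = http.client.HTTPMessage()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def receive_response(jar, url, set_cookie_values, hsts_hosts=frozenset()):
    """Store the cookies from a response to `url`, as a browser would.

    A host with an HSTS entry is only ever contacted over https, so a plaintext
    response for it never reaches the cookie jar. Returns True if accepted."""
    request = urllib.request.Request(url)
    if request.type == "http" and request.host in hsts_hosts:
        return False
    jar.extract_cookies(_Response(set_cookie_values), request)
    return True


def cookie_header_for(jar, url):
    """The Cookie header the browser would attach to a request for `url`."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def forcing_attack(hsts_hosts=frozenset()):
    """Run the scenario from the thread. Returns the BUGLIST value the HTTPS site
    sees before and after the attacker's plaintext response, and whether that
    response was delivered at all."""
    jar = http.cookiejar.CookieJar()
    show_bug = f"https://{BUGZILLA_HOST}/show_bug.cgi?id=102"

    # 1. The user's legitimate HTTPS session stores a normal bug list.
    receive_response(jar, f"https://{BUGZILLA_HOST}/buglist.cgi",
                     ["BUGLIST=101:102:103; Path=/; Secure"])
    before = cookie_header_for(jar, show_bug)

    # 2. The attacker, sitting on the victim's traffic to some unrelated plain-HTTP
    #    site, injects a request to http://bugzilla.example.com/ and answers it with
    #    a forged Set-Cookie. The HTTPS connection itself is never touched, and the
    #    jar keys cookies by (domain, path, name), so the forged one replaces the
    #    real one regardless of the Secure flag on the original.
    delivered = receive_response(jar, f"http://{BUGZILLA_HOST}/",
                                 ['BUGLIST=101:"><script>alert(1)</script>; Path=/'],
                                 hsts_hosts)
    after = cookie_header_for(jar, show_bug)
    return before, after, delivered


if __name__ == "__main__":
    print(forcing_attack())                                    # forged value wins
    print(forcing_attack(hsts_hosts=frozenset({BUGZILLA_HOST})))  # never delivered
```

Two caveats for readers applying this today. Browsers have since adopted the "leave Secure cookies alone" rule, so a plaintext response can no longer overwrite a cookie that was set with the Secure attribute; it can still plant a second BUGLIST cookie on a narrower path, and which of the two the server reads is then up to cookie ordering, so the model above is optimistic only in degree. And the HSTS check only protects hosts the browser has already seen a Strict-Transport-Security header from (or that are preloaded), which is why the first visit still matters.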
Comment 9 Max Kanat-Alexander 2011-05-26 20:51:02 PDT
(In reply to comment #8)
> That's what makes this issue so frustrating, the attacker can intercept and
> modify a HTTP request by the victim to foo.com and use this to ultimately
> cause a new cookie to be set for the user's interaction with the bugzilla
> site.

  Yes, but what could you do with an XSS that you couldn't already completely do with that MITM? If you can MITM somebody you own them, period, unless there's SSL, right?
Comment 10 Frédéric Buclin 2011-05-29 05:45:44 PDT
Let's mark it as a blocker to keep it in our radar for the next security releases.
Comment 11 Frédéric Buclin 2011-06-27 10:59:25 PDT
*** Bug 667503 has been marked as a duplicate of this bug. ***
Comment 12 Daniel Veditz [:dveditz] 2011-08-01 16:31:49 PDT
Use CVE-2011-2976 for this bug
Comment 13 Frédéric Buclin 2011-08-02 04:24:53 PDT
2.16rc1 is the first version affected by this problem, see bug 110012.
Comment 14 Frédéric Buclin 2011-08-04 13:03:58 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified template/en/default/filterexceptions.pl
modified template/en/default/bug/navigate.html.tmpl
modified template/en/default/global/site-navigation.html.tmpl
Committed revision 6805.
Comment 15 Max Kanat-Alexander 2011-08-05 17:33:28 PDT
Security advisory sent, unlocking this bug.
