660053 - (CVE-2011-2976) [SECURITY] If a BUGLIST cookie is compromised, it can be used to XSS show_bug.cgi and inject HTML into <head>

Status: VERIFIED FIXED

(Bugzilla :: Creating/Changing Bugs, defect)

Description

[Max Kanat-Alexander]

Bugzilla 3.4.11 and below are affected by an XSS that is only possible if the user's BUGLIST cookie is somehow compromised. The bug_list.first and bug_list.last variables in the bug/navigate.html.tmpl template are not properly escaped when displayed.

As far as we know, it is not possible to compromise the BUGLIST cookie in Bugzilla, and as such we are not treating this as a high-priority security issue, but still something that we should fix for the 3.4 branch in case administrators have customized their installation in such a way that BUGLIST could have been compromised, or there are other programs on the user's system that could somehow have compromised the cookie.

Comment 1

[Max Kanat-Alexander]

Attachment: v1

Simple untested patch for the issue. (It does pass 008filter.t.)

Comment 2

[Frédéric Buclin]

For the record, 3.6 and newer are not affected as bug 509108 added filters.

Comment 3

[Frédéric Buclin]

Comment on attachment 535428 [details] [diff] [review]
v1

You also have to fix global/site-navigation.html.tmpl.

Comment 4

[Max Kanat-Alexander]

Attachment: v2

Thanks, fixed in this patch.

Comment 5

[Frédéric Buclin]

Comment on attachment 535431 [details] [diff] [review]
v2

r=LpSolit

Comment 6

[Michael Coates [:mcoates] (acct no longer active)]

(In reply to comment #0)
> As far as we know, it is not possible to compromise the BUGLIST cookie in
> Bugzilla, and as such we are not treating this as a high-priority security
> issue, but still something that we should fix for the 3.4 branch in case
> administrators have customized their installation in such a way that BUGLIST
> could have been compromised, or there are other programs on the user's
> system that could somehow have compromised the cookie.

Unfortunately this is not true. One of the peculiarities with cookie handling in all browsers is that anyone can set a cookie for any user on any site provided they are able to intercept some traffic from the victim to any other HTTP site.

I wrote a post and diagram on this issue which further describes the issue:
http://michael-coates.blogspot.com/2010/01/cookie-forcing-trust-your-cookies-no.html

The only solution to this issue is to enable HSTS. HSTS will prevent the victim's browser from being forced by the MITM to issue a HTTP request to the site in question.

Comment 7

[Max Kanat-Alexander]

> anyone can set a cookie for any user on any
> site provided they are able to intercept some traffic from the victim to any
> other HTTP site.

  But being able to set cookies is a significantly worse vulnerability than this, no? That is, if you can MITM somebody, you've already entirely encompassed this vulnerability and then some.

Comment 8

[Michael Coates [:mcoates] (acct no longer active)]

(In reply to comment #7)
> > anyone can set a cookie for any user on any
> > site provided they are able to intercept some traffic from the victim to any
> > other HTTP site.
> 
>   But being able to set cookies is a significantly worse vulnerability than
> this, no? That is, if you can MITM somebody, you've already entirely
> encompassed this vulnerability and then some.

So the difference here is that the attacker is not actually MITM the SSL connection, that connection is totally valid and untouched. Instead the attacker MITMs  other HTTP request made by the victim to different sites (e.g. maybe they are also browsing google or there browsing is sending requests for HTTP updates of some sort). 

That's what makes this issue so frustrating, the attacker can intercept and modify a HTTP request by the victim to foo.com and use this to ultimately cause a new cookie to be set for the user's interaction with the bugzilla site.

Comment 9

[Max Kanat-Alexander]

(In reply to comment #8)
> That's what makes this issue so frustrating, the attacker can intercept and
> modify a HTTP request by the victim to foo.com and use this to ultimately
> cause a new cookie to be set for the user's interaction with the bugzilla
> site.

  Yes, but what could you do with an XSS that you couldn't already completely do with that MITM? If you can MITM somebody you own them, period, unless there's SSL, right?

Comment 10

[Frédéric Buclin]

Let's mark it as a blocker to keep it in our radar for the next security releases.

Comment 12

[Daniel Veditz [:dveditz]]

Use CVE-2011-2976 for this bug

Comment 13

[Frédéric Buclin]

2.16rc1 is the first version affected by this problem, see bug 110012.

Comment 14

[Frédéric Buclin]

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified template/en/default/filterexceptions.pl
modified template/en/default/bug/navigate.html.tmpl
modified template/en/default/global/site-navigation.html.tmpl
Committed revision 6805.

Comment 15

[Max Kanat-Alexander]

Security advisory sent, unlocking this bug.