Bug 697699 - (CVE-2011-3657) [SECURITY] XSS when viewing new charts or tabular and graphical reports in debug mode
Status: VERIFIED FIXED
Whiteboard: [infrasec:xss][ws:high]
Product: Bugzilla
Classification: Server Software
Component: Reporting/Charting (show other bugs)
Version: 2.17.1
Platform: All All
Importance: -- critical
Target Milestone: Bugzilla 3.4
Assigned To: Byron Jones ‹:glob›
QA Contact: default-qa
Mentors:
Depends on:
Blocks: 713348
Reported: 2011-10-27 06:10 PDT by Patrick Hof
Modified: 2012-01-06 06:43 PST (History)
CC: 8 users
LpSolit: approval+
LpSolit: approval4.2+
LpSolit: blocking4.2+
LpSolit: approval4.0+
LpSolit: blocking4.0.3+
LpSolit: approval3.6+
LpSolit: blocking3.6.7+
LpSolit: approval3.4+
LpSolit: blocking3.4.13+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
patch v1 (351 bytes, patch)
2011-10-27 06:21 PDT, Byron Jones ‹:glob›
gerv: review+
patch for 4.2 and older, v2 (913 bytes, patch)
2011-10-27 07:22 PDT, Byron Jones ‹:glob›
gerv: review+
patch v2 (trunk) (877 bytes, patch)
2011-10-30 20:15 PDT, Byron Jones ‹:glob›
gerv: review+

Description Patrick Hof 2011-10-27 06:10:13 PDT
RedTeam Pentesting discovered a Cross Site-Scripting (XSS) vulnerability
in Bugzilla's chart generator during a penetration test.  If attackers
can persuade users to click on a prepared link or redirect them to
such a link from an attacker-controlled website, they are able to run
arbitrary JavaScript code in the context of the Bugzilla installation's
domain.


Details
=======

Product: Bugzilla
Affected Versions: 3.4.12, 3.6.6, 4.0.2, 4.1.3,
                   possibly all older versions that can generate charts
Vulnerability Type: Cross Site Scripting
Security Risk: high
Vendor URL: http://www.bugzilla.org
Vendor Status: notified
Advisory Status: private


More Details
============

The chart-generating script chart.cgi contains a function plot(), which
creates a new chart:

sub plot {
    validateWidthAndHeight();
    $vars->{'chart'} = new Bugzilla::Chart($cgi);

    my $format = $template->get_format("reports/chart", "", scalar($cgi->param('ctype')));

    # Debugging PNGs is a pain; we need to be able to see the error messages
    if ($cgi->param('debug')) {
        print $cgi->header();
        $vars->{'chart'}->dump();
    }

    print $cgi->header($format->{'ctype'});
    disable_utf8() if ($format->{'ctype'} =~ /^image\//);

    $template->process($format->{'template'}, $vars)
      || ThrowTemplateError($template->error());
}

The function's code shows that there is a "debug" parameter, that, if
set, will make the function print out the variables (and their contents)
representing the chart for debugging purposes. This includes
user-defined variables sent as parameters, especially "label0". As the
content of this variable is not checked for malicious input, it can be
used to inject arbitrary JavaScript code into the debugging output. In
fact, any variable of the form "labelXXX", where "XXX" is an arbitrary
number, will work.


Proof of Concept
================

The following URL generates a new chart with debugging output enabled,
containing JavaScript code in the "label0" parameter:

http://www.example.org/bugzilla/chart.cgi
  ?category=-All-
  &datefrom=
  &dateto=
  &label0=<script>alert("XSS")</script>
  &line0=1
  &name=1
  &subcategory=-All-
  &ctype=png
  &action=plot
  &width=600
  &height=350
  &debug=1


Security Risk
=============

The risk of this vulnerability is estimated to be high. Being able to
embed arbitrary JavaScript allows attackers to completely manipulate the
website, adding one's own content and tracking user interaction.


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de.
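The escaping step that a fix for the dump described in the advisory needs, as an added example for this page. This is not Bugzilla's code and not the project's own patch (those are the attachments listed above); the `%params` hash stands in for the CGI parameters of the proof-of-concept URL, `chart_from_params` is a constructed stand-in for Bugzilla::Chart, and `html_quote` here is a minimal hypothetical escaper, not the one Bugzilla::Util ships.

```perl
#!/usr/bin/perl
# Added example: the same Data::Dumper debug dump emitted raw and HTML-escaped.
# Not Bugzilla's own code; the hash below stands in for $cgi->param().
use strict;
use warnings;
use Data::Dumper;

# Constructed stand-in for the request parameters the advisory's PoC URL sends.
my %params = (
    category => '-All-',
    label0   => '<script>alert("XSS")</script>',
    line0    => 1,
    ctype    => 'png',
    action   => 'plot',
    debug    => 1,
);

# Minimal HTML escaper (hypothetical; Bugzilla::Util has its own html_quote).
# Escapes the characters that matter in text and attribute context.
sub html_quote {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&#39;/g;
    return $text;
}

# Constructed stand-in for Bugzilla::Chart: every labelN parameter is copied
# into the object that the debug branch later dumps, exactly as the advisory
# describes.
sub chart_from_params {
    my ($p) = @_;
    my %chart = (labels => []);
    for my $key (sort keys %$p) {
        push @{ $chart{labels} }, $p->{$key} if $key =~ /^label\d+$/;
    }
    return \%chart;
}

# Vulnerable shape: Dumper output goes straight into a text/html response, so
# markup inside a label parameter is rendered by the browser, not displayed.
sub dump_unsafe {
    my ($chart) = @_;
    local $Data::Dumper::Sortkeys = 1;
    return "<pre>" . Dumper($chart) . "</pre>";
}

# Hardened shape: only the dynamic part is escaped; the <pre> wrapper is
# markup we control and may stay literal.
sub dump_safe {
    my ($chart) = @_;
    local $Data::Dumper::Sortkeys = 1;
    return "<pre>" . html_quote(Dumper($chart)) . "</pre>";
}

my $chart = chart_from_params(\%params);
my $raw   = dump_unsafe($chart);
my $safe  = dump_safe($chart);

# Self-check: the raw dump still carries a live <script> element, the escaped
# dump only carries the text "&lt;script&gt;".
print "unsafe dump contains <script>: ", ($raw  =~ /<script>/ ? "yes" : "no"), "\n";
print "safe dump contains <script>:   ", ($safe =~ /<script>/ ? "yes" : "no"), "\n";
print "\n", $safe, "\n";
```

Serving the debug dump with a text/plain content type would be an independent second line of defence, since the browser then never parses it as markup; escaping is still needed wherever the dump is embedded in an HTML page.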
Comment 1 Byron Jones ‹:glob› 2011-10-27 06:21:45 PDT
Created attachment 569947 [details] [diff] [review]
patch v1

confirming; fix attached.
Comment 2 Gervase Markham [:gerv] 2011-10-27 06:24:26 PDT
Hey guys,

Thanks for reporting this. I wrote that code, quite some time ago :-| We have various protections in place to detect possible XSS for output coming from templates, but obviously if you just write "print" in a CGI, then... <sigh>

Gerv
Comment 3 Gervase Markham [:gerv] 2011-10-27 06:26:33 PDT
Comment on attachment 569947 [details] [diff] [review]
patch v1

r=gerv.

Gerv
Comment 4 Patrick Hof 2011-10-27 06:49:59 PDT
Sure, glad to help.

Our client also suggested that it'd be great if the hardcoded debugging output (there's more in other places, as I guess you know) could be made optional, as it's normally not needed in a production system and might only lead to problems like this. We didn't find any other problems in the debugging code, but it's always good to reduce your attack surface.
Comment 5 Gervase Markham [:gerv] 2011-10-27 06:50:42 PDT
I just did a quick audit of all calls to "print" and "say" in the current codebase, and I've found one more confirmed instance of this - in report.cgi, lines 288-294. Same type of code, put there for the same reason, by the same person, with the same bug. :-| You can trigger it in that case by updating your Real Name to have a <script> tag in it, making e.g. Assignee Real Name one of the chart parameters, and then putting debug=1 on the end of your chart URL.

Gerv
Comment 6 Gervase Markham [:gerv] 2011-10-27 06:52:10 PDT
By "quick audit", I of course mean "possibly incomplete and should be repeated more thoroughly". I also did a search for other uses of Data::Dumper but couldn't immediately find any vulnerabilities.

Gerv
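The audit described in comments 5 and 6, as an added example written for this page (not a Bugzilla tool): it classifies each source line as a dump call (`Dumper(` or `->dump(`) or as output that is not a header (`print`/`say` without `->header(`), skipping comments and lines that already pass through `html_quote`. The sample source is constructed from the plot() excerpt in the description plus two extra constructed lines; pass real file names on the command line to scan a checkout.

```perl
#!/usr/bin/perl
# Added example: a crude audit for print/say statements and Data::Dumper or
# ->dump() calls in Perl CGIs. Not Bugzilla's code. Every hit still needs a
# human reader; the script only narrows where to look.
use strict;
use warnings;

# Return a reason string when the line deserves a look, undef otherwise.
sub classify_line {
    my ($line) = @_;
    return undef if $line =~ /^\s*#/;                 # comment
    return undef if $line =~ /\bhtml_quote\s*\(/;     # visibly escaped
    return 'dumps data' if $line =~ /\bDumper\s*\(|->dump\s*\(/;
    return 'raw output'
        if $line =~ /\b(?:print|say)\b/ && $line !~ /->header\s*\(/;
    return undef;
}

# Scan one file's text; return "file:line: [reason] code" for each hit.
sub find_raw_dumps {
    my ($file, $source) = @_;
    my @hits;
    my $n = 0;
    for my $line (split /\n/, $source) {
        $n++;
        my $why = classify_line($line);
        next unless defined $why;
        (my $code = $line) =~ s/^\s+//;
        push @hits, "$file:$n: [$why] $code";
    }
    return @hits;
}

if (@ARGV) {
    # Real mode: scan the files given on the command line.
    for my $file (@ARGV) {
        open my $fh, '<', $file or die "$file: $!";
        my $source = do { local $/; <$fh> };
        close $fh;
        print "$_\n" for find_raw_dumps($file, $source);
    }
}
else {
    # Constructed sample: the plot() excerpt from the advisory, plus two
    # extra lines (marked) showing the other hit classes.
    my $sample = <<'END_SAMPLE';
sub plot {
    validateWidthAndHeight();
    $vars->{'chart'} = new Bugzilla::Chart($cgi);
    # Debugging PNGs is a pain; we need to be able to see the error messages
    if ($cgi->param('debug')) {
        print $cgi->header();
        $vars->{'chart'}->dump();
        print "<pre>" . Dumper($vars) . "</pre>";   # constructed extra line
        print "chart name: $name\n";                 # constructed extra line
    }
    print $cgi->header($format->{'ctype'});
    $template->process($format->{'template'}, $vars)
      || ThrowTemplateError($template->error());
}
END_SAMPLE
    print "$_\n" for find_raw_dumps('sample/chart.cgi', $sample);
}
```

On the sample this reports three lines: the `->dump()` call and the `Dumper(...)` line as "dumps data", and the plain `print "chart name..."` as "raw output"; the two `print $cgi->header(...)` lines are not reported.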
Comment 7 Byron Jones ‹:glob› 2011-10-27 07:22:44 PDT
Created attachment 569963 [details] [diff] [review]
patch for 4.2 and older, v2

fixes the report.cgi instance.
i was also unable to find any other occurrences that smelt bad.
Comment 8 Gervase Markham [:gerv] 2011-10-28 08:21:45 PDT
Comment on attachment 569963 [details] [diff] [review]
patch for 4.2 and older, v2

r=gerv.

Gerv
Comment 9 Frédéric Buclin 2011-10-28 15:00:58 PDT
I guess this patch applies to all branches?
Comment 10 Byron Jones ‹:glob› 2011-10-30 20:13:08 PDT
(In reply to Frédéric Buclin from comment #9)
> I guess this patch applies to all branches?

yes, except for trunk.
Comment 11 Byron Jones ‹:glob› 2011-10-30 20:15:11 PDT
Created attachment 570593 [details] [diff] [review]
patch v2 (trunk)
Comment 12 Gervase Markham [:gerv] 2011-10-31 06:56:00 PDT
Comment on attachment 570593 [details] [diff] [review]
patch v2 (trunk)

r=gerv.

Gerv
Comment 13 Max Kanat-Alexander 2011-10-31 23:09:40 PDT
Thanks for reporting, fixing, and reviewing this, everybody. I'm a little pressed for time until after Wednesday, but I will start planning to do a sec release for this shortly after that. If anybody else wants to file the relevant release bugs and do the sec adv, it would definitely speed up the process.
Comment 14 Patrick Hof 2011-11-21 00:45:50 PST
Hi,

as the last update is almost a month old: what's your current time schedule for releasing the fix? Any idea when this'll be officially announced?
Comment 15 Frédéric Buclin 2011-11-21 00:52:07 PST
(In reply to Patrick Hof from comment #14)
> what's your current time schedule
> for releasing the fix? Any idea when this'll be officially announced?

We have no hard release date as we are still tracking some other blockers, but this should happen within a few weeks (I would say mid-December at the latest, without guarantee). The patches in this bug will be committed right before the releases.
Comment 16 Daniel Veditz [:dveditz] 2011-11-21 14:23:07 PST
Assigning CVE-2011-3657 to this issue.
Comment 17 David Lawrence [:dkl] 2011-12-28 14:10:01 PST
3.4:
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/3.4
modified report.cgi
modified Bugzilla/Chart.pm
Committed revision 6817. 

3.6:
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/3.6
modified report.cgi
modified Bugzilla/Chart.pm
Committed revision 7266.

4.0:
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/4.0
modified report.cgi
modified Bugzilla/Chart.pm
Committed revision 7671.

4.2:
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/4.2
modified report.cgi
modified Bugzilla/Chart.pm
Committed revision 7990.

trunk:
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bugzilla/trunk
modified report.cgi
modified Bugzilla/Chart.pm
Committed revision 8053.

dkl
Comment 18 Frédéric Buclin 2011-12-29 09:03:10 PST
Security Advisory sent and is live on bugzilla.org. Removing the security flag.
Comment 19 Mark Goodwin [:mgoodwin] 2012-01-06 06:43:28 PST
Thanks