Clickjacking is possible in "View All" with HTML attachments

RESOLVED FIXED in Bugzilla 4.0

Status


Bugzilla
Attachments & Requests
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: x, Assigned: Frédéric Buclin)

Tracking

Bugzilla 4.0
Bug Flags:
approval +
approval4.2 +
blocking4.2 +
approval4.0 +
blocking4.0.5 +

Details

(Whiteboard: [infrasec:bestpractice][ws:low])

Attachments

(1 attachment, 2 obsolete attachments)

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1017.2 Safari/535.19

Steps to reproduce:

Hello,

Reproduce:
1. Go to https://bugzilla.mozilla.org/show_bug.cgi?ctype=xml&id=684819&id=717586&id=717952&id=717997&id=720173&id=721155&id=722098&id=706271&id=705861&id=718203&id=718319&excludefield=attachmentdata
2. See some bug reports in XML.

that can be used to make the user copy the content and paste it in a text field controlled by the attacker (using clickjacking in the obsolete files viewer).

Cheers,
Mario.
(Assignee)

Comment 1

6 years ago
I don't understand what you mean. You mean that a user may intentionally copy confidential data into a text field? How is that a security issue?
Clickjacking + External sites can get bug reports of users.
Created attachment 592503 [details]
PoC
Attachment #592503 - Attachment mime type: text/plain → text/html
Created attachment 592505 [details]
PoC
Attachment #592503 - Attachment is obsolete: true
Attachment #592505 - Attachment is obsolete: true
Attachment #592505 - Attachment mime type: text/plain → text/html
Reproduce:
1. Go to https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall.
2. Paste the code in text box.
3. Click in "Go!".
4. See the alert.

Clickjacking + the CSRF could make the information leak easier.

Note: This clickjacking is like the recently patched bug 716283.
Summary: CSRF in bug searcher could allow informations leak. → Clickjacking in obsolete attachments view + CSRF vulnerability in bugs reports in XML, could allow informations leak.
Only fixing comment 1: to use the full exploit, you need to create a file fullexploit.xml with the content of the attachment "FULL Exploit", upload the file to Mozilla Developer Network, and click on the attachment.
Please disregard, and sorry for the last comment. This refers to another bug.
(Assignee)

Comment 8

6 years ago
Sorry, but this is not a valid issue. First of all, HTML pages are no longer rendered in the Details page, see bug 716283. Secondly, Bugzilla uses the "X-FRAME-OPTIONS: SAMEORIGIN" HTTP header to not be used in iframes from external websites. So your PoC doesn't work, as you can check yourself.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID
No, you did not understand. Go to https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall. Like in bug 716283, it is possible to do phishing attacks in the obsolete file viewer, also using a CSRF in show_bug.cgi?ctype=xml&id=somebugid (I think it is good to have a security token). The attacker can convince a victim to visit https://bugzilla.mozilla.org/show_bug.cgi?id=722161 and drag (if using Firefox) or paste the code of the iframe in the text box.
CSRF from directly viewing show_bug.cgi with ctype=xml? I'm not sure you can actually have a valid CSRF token there, as what would be the referrer in this case? show_bug.cgi normally? That won't work for a variety of reasons, one of which includes the number of automated scripts that just look directly at the XML output.

How would you recommend this problem be fixed?
oh, I wonder if we moved https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall to the attachment base, whether that would fix this or not...
The patch can be the same as for bug 716283.
Oh, I see what you mean. Sounds good.
Assignee: general → attach-and-request
Status: RESOLVED → REOPENED
Component: Bugzilla-General → Attachments & Requests
Ever confirmed: true
Flags: blocking4.2?
Flags: blocking4.0.5?
Resolution: INVALID → ---
Whiteboard: [infrasec:bestpractice][ws:low]
Target Milestone: --- → Bugzilla 4.0
(Assignee)

Comment 15

6 years ago
Ah, now I understand better what you mean. Updating the bug summary accordingly.


(In reply to Reed Loden [:reed] (very busy) from comment #12)
> oh, I wonder if we moved
> https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall to
> the attachment base, whether that would fix this or not...

The problem would be that your credentials wouldn't be available there, and I don't want to make the code even more complex to handle this situation. Better is to display the source code of HTML attachments, for consistency with the "Details" page, and to avoid unexpected interactions between HTML attachments.
Status: REOPENED → NEW
Flags: blocking4.2?
Flags: blocking4.2+
Flags: blocking4.0.5?
Flags: blocking4.0.5+
Summary: Clickjacking in obsolete attachments view + CSRF vulnerability in bugs reports in XML, could allow informations leak. → Clickjacking is possible in "View All" with HTML attachments
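The mitigation agreed on in comment 8 and comment 15 (show the source of HTML attachments instead of rendering them, and keep the SAMEORIGIN anti-framing header) as an added Python illustration; this is not Bugzilla's own Perl code, and the function names, the Response class and the sample attachment are assumptions constructed for the example.

```python
import html
from dataclasses import dataclass, field

# Constructed sample: a malicious HTML attachment in the spirit of the PoC
# attached to this bug (a fake "paste your code here" page around an iframe).
SAMPLE_HTML_ATTACHMENT = (
    "<h1>Captcha Check Page.</h1>"
    '<iframe src="https://example.invalid/" width="50%"></iframe>'
    "<textarea id='xml'></textarea><input type='button' value='Go' onclick='alert(1)'>"
)


@dataclass
class Response:
    headers: dict = field(default_factory=dict)
    body: str = ""


# Hypothetical rendering helper (assumed name, not Bugzilla's template code):
# HTML attachments are emitted as escaped source, as the Details page already
# did after bug 716283, instead of being rendered where a victim could be
# tricked into pasting confidential text into an attacker-controlled form.
def render_attachment_for_view_all(content_type: str, data: str) -> Response:
    mime = content_type.split(";")[0].strip().lower()
    headers = {
        "Content-Type": "text/html; charset=UTF-8",
        "X-Frame-Options": "SAMEORIGIN",      # the page itself cannot be framed cross-origin
        "X-Content-Type-Options": "nosniff",  # browsers must not sniff HTML out of text
    }
    if mime in ("text/html", "application/xhtml+xml", "text/plain"):
        # Escaping turns every tag into inert text, so nothing in the
        # attachment can draw UI or run script on the View All page.
        body = '<pre class="attachment-source">%s</pre>' % html.escape(data)
    else:
        # Other types are not rendered inline at all on this page.
        body = "<p>Attachment (%s) not shown inline.</p>" % html.escape(mime)
    return Response(headers, body)


# Hypothetical regression check for the fix: no active markup survives into
# the page unescaped, and the anti-framing header is present.
def view_all_is_safe(resp: Response) -> bool:
    lowered = resp.body.lower()
    if any(tag in lowered for tag in ("<iframe", "<script", "<form", "<textarea")):
        return False
    return resp.headers.get("X-Frame-Options", "").upper() == "SAMEORIGIN"
```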
(Assignee)

Comment 16

6 years ago
Created attachment 594536 [details] [diff] [review]
patch, v1

Same fix as for the Details page.
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #594536 - Flags: review?(dkl)
Comment on attachment 594536 [details] [diff] [review]
patch, v1

Review of attachment 594536 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good and works as expected. r=dkl
Attachment #594536 - Flags: review?(dkl) → review+
(Assignee)

Updated

6 years ago
Flags: approval4.2+
Flags: approval4.0+
Flags: approval+
(Assignee)

Comment 18

6 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified skins/standard/attachment.css
modified template/en/default/attachment/show-multiple.html.tmpl
Committed revision 8105.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified skins/standard/attachment.css
modified template/en/default/attachment/show-multiple.html.tmpl
Committed revision 8024.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified skins/standard/attachment.css
modified template/en/default/attachment/show-multiple.html.tmpl
Committed revision 7691.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Comment 19

5 years ago
Comment on attachment 592503 [details]
PoC

><body style='background-color:black;color:red;text-align:center;'>
><h1>Captcha Check Page.</h1>
><center><iframe src="http://www.oi.com.br" height="50%" width="50%" frameborder="0"></iframe><div align="center"><h3>Paste this code here.</h3><br><textarea id="xml" style='height:400px;width:700px;'></textarea>
><br><input type="button" style='font-size:25px;' value="Go" onclick="e=document.getElementById('xml'); alert('Thanks! Your bugs reporters are save in my database!');" />