Closed Bug 722161 Opened 12 years ago Closed 12 years ago

Clickjacking is possible in "View All" with HTML attachments

Categories

(Bugzilla :: Attachments & Requests, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED
Bugzilla 4.0

People

(Reporter: netfuzzerr, Assigned: LpSolit)

Details

(Whiteboard: [infrasec:bestpractice][ws:low])

Attachments

(1 file, 2 obsolete files)

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1017.2 Safari/535.19

Steps to reproduce:

Hello,

Reproduce:
1. Go to https://bugzilla.mozilla.org/show_bug.cgi?ctype=xml&id=684819&id=717586&id=717952&id=717997&id=720173&id=721155&id=722098&id=706271&id=705861&id=718203&id=718319&excludefield=attachmentdata
2. See some bug reports in XML.

that can be used to make the user copy the content and paste it in a text field controlled by the attacker (using clickjacking in the obsolete files viewer).

Cheers,
Mario.
I don't understand what you mean. You mean that a user may intentionally copy confidential data into a text field? How is that a security issue?
Clickjacking + External sites can get bug reports of users.
Attached file PoC (obsolete) —
Attachment #592503 - Attachment mime type: text/plain → text/html
Attached file PoC (obsolete) —
Attachment #592503 - Attachment is obsolete: true
Attachment #592505 - Attachment is obsolete: true
Attachment #592505 - Attachment mime type: text/plain → text/html
Reproduce:
1. Go to https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall.
2. Paste the code in text box.
3. Click in "Go!".
4. See the alert.

Clickjacking + the CSRF could make the information leak easier.

Note: This clickjacking is like the recently patched bug 716283.
Summary: CSRF in bug searcher could allow information leak. → Clickjacking in obsolete attachments view + CSRF vulnerability in bug reports in XML could allow information leak.
Only fixing comment 1: to use the full exploit, you need to create a file fullexploit.xml with the content of the attachment "FULL Exploit", upload the file to Mozilla Developer Network, and click on the attachment.
Please ignore, and sorry for the last comment. It refers to another bug.
Sorry, but this is not a valid issue. First of all, HTML pages are no longer rendered in the Details page, see bug 716283. Secondly, Bugzilla uses the "X-FRAME-OPTIONS: SAMEORIGIN" HTTP header to not be used in iframes from external websites. So your PoC doesn't work, as you can check yourself.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
No, you did not understand. Go to https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall. Like in bug 716283, it is possible to do phishing attacks in the obsolete file viewer, using also a CSRF in show_bug.cgi?ctype=xml&id=somebugid (I think it is good to have a security token). The attacker can convince a victim to visit https://bugzilla.mozilla.org/show_bug.cgi?id=722161 and drag (if using Firefox) or paste the code of the iframe into the text box.
CSRF from directly viewing show_bug.cgi with ctype=xml? I'm not sure you can actually have a valid CSRF token there, as what would be the referrer in this case? show_bug.cgi normally? That won't work for a variety of reasons, one of which includes the number of automated scripts that just look directly at the XML output.

How would you recommend this problem be fixed?
oh, I wonder if we moved https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall to the attachment base, whether that would fix this or not...
The patch can be the same for bug 716283.
Oh, I see what you mean. Sounds good.
Assignee: general → attach-and-request
Status: RESOLVED → REOPENED
Component: Bugzilla-General → Attachments & Requests
Ever confirmed: true
Flags: blocking4.2?
Flags: blocking4.0.5?
Resolution: INVALID → ---
Whiteboard: [infrasec:bestpractice][ws:low]
Target Milestone: --- → Bugzilla 4.0
Ah, now I understand better what you mean. Updating the bug summary accordingly.


(In reply to Reed Loden [:reed] (very busy) from comment #12)
> oh, I wonder if we moved
> https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall to
> the attachment base, whether that would fix this or not...

The problem would be that your credentials wouldn't be available there, and I don't want to make the code even more complex to handle this situation. Better is to display the source code of HTML attachments, for consistency with the "Details" page, and to avoid unexpected interactions between HTML attachments.
Status: REOPENED → NEW
Flags: blocking4.2?
Flags: blocking4.2+
Flags: blocking4.0.5?
Flags: blocking4.0.5+
Summary: Clickjacking in obsolete attachments view + CSRF vulnerability in bug reports in XML could allow information leak. → Clickjacking is possible in "View All" with HTML attachments
Attached patch patch, v1 (Splinter Review)
Same fix as for the Details page.
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #594536 - Flags: review?(dkl)
Comment on attachment 594536 [details] [diff] [review]
patch, v1

Review of attachment 594536 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good and works as expected. r=dkl
Attachment #594536 - Flags: review?(dkl) → review+
Flags: approval4.2+
Flags: approval4.0+
Flags: approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified skins/standard/attachment.css
modified template/en/default/attachment/show-multiple.html.tmpl
Committed revision 8105.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified skins/standard/attachment.css
modified template/en/default/attachment/show-multiple.html.tmpl
Committed revision 8024.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified skins/standard/attachment.css
modified template/en/default/attachment/show-multiple.html.tmpl
Committed revision 7691.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment on attachment 592503 [details]
PoC

><body style='background-color:black;color:red;text-align:center;'>
><h1>Captcha Check Page.</h1>
><center><iframe src="http://www.oi.com.br" height="50%" width="50%" frameborder="0"></iframe><div align="center"><h3>Paste this code here.</h3><br><textarea id="xml" style='height:400px;width:700px;'></textarea>
><br><input type="button" style='font-size:25px;' value="Go" onclick="e=document.getElementById('xml'); alert('Thanks! Your bugs reporters are save in my database!');" />