Bug 722161 - Clickjacking is possible in "View All" with HTML attachments
Status: RESOLVED FIXED
Whiteboard: [infrasec:bestpractice][ws:low]
Product: Bugzilla
Classification: Server Software
Component: Attachments & Requests
Version: 4.3
Hardware: All
OS: All
Importance: -- normal
Target Milestone: Bugzilla 4.0
Assigned To: Frédéric Buclin
QA Contact: default-qa
Mentors:
Depends on:
Blocks:
Reported: 2012-01-29 07:15 PST by Mario Gomes
Modified: 2012-09-10 09:23 PDT
CC: 6 users
LpSolit: approval+
LpSolit: approval4.2+
LpSolit: blocking4.2+
LpSolit: approval4.0+
LpSolit: blocking4.0.5+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---

Attachments
PoC (482 bytes, text/html) - 2012-01-29 07:27 PST, Mario Gomes - no flags
PoC (651 bytes, text/html) - 2012-01-29 07:29 PST, Mario Gomes - no flags
patch, v1 (2.20 KB, patch) - 2012-02-05 05:20 PST, Frédéric Buclin - dkl: review+

Description Mario Gomes 2012-01-29 07:15:22 PST
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1017.2 Safari/535.19

Steps to reproduce:

Hello,

Reproduce:
1. Go to https://bugzilla.mozilla.org/show_bug.cgi?ctype=xml&id=684819&id=717586&id=717952&id=717997&id=720173&id=721155&id=722098&id=706271&id=705861&id=718203&id=718319&excludefield=attachmentdata
2. See some bug reports in XML.

That can be used to make the user copy the content and paste it into a text field controlled by the attacker (using clickjacking in the obsolete files viewer).

Cheers,
Mario.
Comment 1 Frédéric Buclin 2012-01-29 07:18:32 PST
I don't understand what you mean. You mean that a user may intentionally copy confidential data into a text field? How is that a security issue?
Comment 2 Mario Gomes 2012-01-29 07:19:31 PST
Clickjacking + External sites can get bug reports of users.
Comment 3 Mario Gomes 2012-01-29 07:27:40 PST
Created attachment 592503 [details]
PoC
Comment 4 Mario Gomes 2012-01-29 07:29:59 PST
Created attachment 592505 [details]
PoC
Comment 5 Mario Gomes 2012-01-29 07:36:48 PST
Reproduce:
1. Go to https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall.
2. Paste the code in text box.
3. Click in "Go!".
4. See the alert.

Clickjacking + the CSRF could make the information leak easier.

Note: This Clickjacking is like the recent patch bug 716283.
Comment 6 Mario Gomes 2012-01-29 08:14:30 PST
Only fixing comment 1: to use the full exploit, you need to create a file fullexploit.xml with the content of the attachment "FULL Exploit", upload the file to Mozilla Developer Network, and click on the attachment.
Comment 7 Mario Gomes 2012-01-29 08:17:14 PST
Sorry for the last comment, please. It refers to another bug.
Comment 8 Frédéric Buclin 2012-01-29 08:50:57 PST
Sorry, but this is not a valid issue. First of all, HTML pages are no longer rendered in the Details page, see bug 716283. Secondly, Bugzilla uses the "X-FRAME-OPTIONS: SAMEORIGIN" HTTP header to not be used in iframes from external websites. So your PoC doesn't work, as you can check yourself.
Comment 9 Mario Gomes 2012-02-04 14:02:44 PST
No, you did not understand. Go to https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall. Like in bug 716283, it is possible to do phishing attacks in the obsolete file viewer. Using also a CSRF
Comment 10 Mario Gomes 2012-02-04 14:07:38 PST
No, you did not understand. Go to https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall. Like in bug 716283, it is possible to do phishing attacks in the obsolete file viewer, using also a CSRF in show_bug.cgi?ctype=xml&id=somebugid (I think it is good to have a security token). The attacker can convince a victim to visit https://bugzilla.mozilla.org/show_bug.cgi?id=722161 and drag (if using Firefox) or paste the code of the iframe into the text box.
Comment 11 Reed Loden [:reed] (use needinfo?) 2012-02-04 17:01:36 PST
CSRF from directly viewing show_bug.cgi with ctype=xml? I'm not sure you can actually have a valid CSRF token there, as what would be the referrer in this case? show_bug.cgi normally? That won't work for a variety of reasons, one of which includes the number of automated scripts that just look directly at the XML output.

How would you recommend this problem be fixed?
Comment 12 Reed Loden [:reed] (use needinfo?) 2012-02-04 17:03:32 PST
oh, I wonder if we moved https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall to the attachment base, whether that would fix this or not...
Comment 13 Mario Gomes 2012-02-05 01:12:11 PST
The patch can be the same for bug 716283.
Comment 14 Reed Loden [:reed] (use needinfo?) 2012-02-05 01:34:21 PST
Oh, I see what you mean. Sounds good.
Comment 15 Frédéric Buclin 2012-02-05 04:39:42 PST
Ah, now I understand better what you mean. Updating the bug summary accordingly.


(In reply to Reed Loden [:reed] (very busy) from comment #12)
> oh, I wonder if we moved
> https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall to
> the attachment base, whether that would fix this or not...

The problem would be that your credentials wouldn't be available there, and I don't want to make the code even more complex to handle this situation. Better is to display the source code of HTML attachments, for consistency with the "Details" page, and to avoid unexpected interactions between HTML attachments.
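An added illustration of the reasoning in this comment (example code written for this page, not Bugzilla's own Perl or templates): X-Frame-Options: SAMEORIGIN keeps an external site from framing Bugzilla, but an HTML attachment rendered live on attachment.cgi?action=viewall runs inside Bugzilla's own origin, where the header does not apply, so the fix is to emit HTML attachments as escaped source. The attachment body, origins and URLs below are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed sample attachment (modelled on the PoC described in this bug,
# not the attachment itself): it frames a Bugzilla page and asks the victim
# to paste what they see into a textarea the attacker controls.
SAMPLE_HTML_ATTACHMENT = (
    "<h1>Captcha Check Page.</h1>"
    '<iframe src="https://bugzilla.example/show_bug.cgi?ctype=xml&id=1"></iframe>'
    '<textarea id="xml"></textarea>'
)
BUGZILLA = "https://bugzilla.example"            # assumed Bugzilla origin
VIEWALL = BUGZILLA + "/attachment.cgi?bugid=1&action=viewall"
EVIL = "https://attacker.example/page.html"     # assumed external site


def origin(url):
    """(scheme, host[:port]): the unit X-Frame-Options compares."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())


def frame_allowed(xfo_header, framed_url, framer_url):
    """Would a browser honouring X-Frame-Options (DENY / SAMEORIGIN) render
    framed_url inside a frame that lives on framer_url?"""
    value = (xfo_header or "").strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(framed_url) == origin(framer_url)
    return True  # header absent or unrecognised: the browser frames it


def render_for_viewall(content_type, data, att_id):
    """Rendering rule for the multi-attachment page after the fix: HTML (or
    any markup the browser would execute, SVG included) is emitted as escaped
    source inside <pre>, so it can no longer frame or overlay the page."""
    mime = content_type.split(";")[0].strip().lower()
    if mime.startswith("image/") and mime != "image/svg+xml":
        return '<img src="attachment.cgi?id=%d">' % att_id
    return "<pre>" + html.escape(data, quote=True) + "</pre>"


def demo():
    """Why SAMEORIGIN alone did not cover this bug, and what the fix changes."""
    return {
        "external_site_can_frame": frame_allowed("SAMEORIGIN", BUGZILLA, EVIL),
        "rendered_attachment_can_frame": frame_allowed("SAMEORIGIN", BUGZILLA, VIEWALL),
        "fixed_viewall_has_live_iframe":
            "<iframe" in render_for_viewall("text/html", SAMPLE_HTML_ATTACHMENT, 1),
    }
```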
Comment 16 Frédéric Buclin 2012-02-05 05:20:23 PST
Created attachment 594536 [details] [diff] [review]
patch, v1

Same fix as for the Details page.
Comment 17 David Lawrence [:dkl] 2012-02-07 13:53:54 PST
Comment on attachment 594536 [details] [diff] [review]
patch, v1

Review of attachment 594536 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good and works as expected. r=dkl
Comment 18 Frédéric Buclin 2012-02-08 07:55:54 PST
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified skins/standard/attachment.css
modified template/en/default/attachment/show-multiple.html.tmpl
Committed revision 8105.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified skins/standard/attachment.css
modified template/en/default/attachment/show-multiple.html.tmpl
Committed revision 8024.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified skins/standard/attachment.css
modified template/en/default/attachment/show-multiple.html.tmpl
Committed revision 7691.
Comment 19 Jeren 2012-09-07 22:51:10 PDT
Comment on attachment 592503 [details]
PoC

><body style='background-color:black;color:red;text-align:center;'>
><h1>Captcha Check Page.</h1>
><center><iframe src="http://www.oi.com.br" height="50%" width="50%" frameborder="0"></iframe><div align="center"><h3>Paste this code here.</h3><br><textarea id="xml" style='height:400px;width:700px;'></textarea>
><br><input type="button" style='font-size:25px;' value="Go" onclick="e=document.getElementById('xml'); alert('Thanks! Your bugs reporters are save in my database!');" />
Comment 20 <img src=x onerror=prompt(1); > 2012-09-10 09:23:59 PDT
Comment on attachment 592503 [details]
PoC

><body style='background-color:black;color:red;text-align:center;'>
><h1>Captcha Check Page.</h1>
><center><iframe src="http://www.oi.com.br" height="50%" width="50%" frameborder="0"></iframe><div align="center"><h3>Paste this code here.</h3><br><textarea id="xml" style='height:400px;width:700px;'></textarea>
><br><input type="button" style='font-size:25px;' value="Go" onclick="e=document.getElementById('xml'); alert('Thanks! Your bugs reporters are save in my database!');" />
