Bug 722161 - Clickjacking is possible in "View All" with HTML attachments
Status: Closed, RESOLVED FIXED
Opened 12 years ago; closed 12 years ago
Categories: Bugzilla :: Attachments & Requests, defect
Target Milestone: Bugzilla 4.0
People: Reporter: netfuzzerr; Assigned: LpSolit
Whiteboard: [infrasec:bestpractice][ws:low]
Attachments (1 file, 2 obsolete files): patch, 2.20 KB, review+ by dkl
Description (Reporter, 12 years ago)
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1017.2 Safari/535.19

Steps to reproduce:
Hello,
Reproduce:
1. Go to https://bugzilla.mozilla.org/show_bug.cgi?ctype=xml&id=684819&id=717586&id=717952&id=717997&id=720173&id=721155&id=722098&id=706271&id=705861&id=718203&id=718319&excludefield=attachmentdata
2. See some bug reports in XML that can be used to make the user copy the content and paste it in a text field controlled by the attacker (using clickjacking in the obsolete files viewer).
Cheers, Mario.
Comment 1 (Assignee, 12 years ago)
I don't understand what you mean. You mean that a user may intentionally copy confidential data into a text field? How is that a security issue?
Comment 2 (Reporter, 12 years ago)
Clickjacking + External sites can get bug reports of users.
Comment 3 (Reporter, 12 years ago)

Updated (Reporter, 12 years ago)
Attachment #592503 - Attachment mime type: text/plain → text/html
Comment 4 (Reporter, 12 years ago)
Attachment #592503 - Attachment is obsolete: true

Updated (Reporter, 12 years ago)
Attachment #592505 - Attachment is obsolete: true
Attachment #592505 - Attachment mime type: text/plain → text/html
Comment 5 (Reporter, 12 years ago)
Reproduce:
1. Go to https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall.
2. Paste the code in the text box.
3. Click "Go!".
4. See the alert.
Clickjacking + the CSRF could make the information leak easier.
Note: this clickjacking is like the recently patched bug 716283.
Summary: CSRF in bug searcher could allow informations leak. → Clickjacking in obsolete attachments view + CSRF vulnerability in bugs reports in XML, could allow informations leak.
Comment 6 (Reporter, 12 years ago)
Only fixing comment 1: to use the full exploit, you need to create a file fullexploit.xml with the content of the attachment "FULL Exploit", upload the file to Mozilla Developer Network, and click the attachment.
Comment 7 (Reporter, 12 years ago)
Sorry for the last comment; it refers to another bug.
Comment 8 (Assignee, 12 years ago)
Sorry, but this is not a valid issue. First of all, HTML pages are no longer rendered in the Details page, see bug 716283. Secondly, Bugzilla uses the "X-FRAME-OPTIONS: SAMEORIGIN" HTTP header so that it cannot be used in iframes from external websites. So your PoC doesn't work, as you can check yourself.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Comment 9 (Reporter, 12 years ago)
No, you did not understand. Go to https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall. As in bug 716283, it is possible to do phishing attacks in the obsolete file viewer, also using a CSRF.
Comment 10 (Reporter, 12 years ago)
No, you did not understand. Go to https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall. As in bug 716283, it is possible to do phishing attacks in the obsolete file viewer, also using a CSRF in show_bug.cgi?ctype=xml&id=somebugid (I think it would be good to have a security token). An attacker can convince a victim to visit https://bugzilla.mozilla.org/show_bug.cgi?id=722161 and drag (if using Firefox) or paste the code of the iframe in the text box.
Comment 11 (12 years ago)
CSRF from directly viewing show_bug.cgi with ctype=xml? I'm not sure you can actually have a valid CSRF token there, as what would be the referrer in this case? show_bug.cgi normally? That won't work for a variety of reasons, one of which includes the number of automated scripts that just look directly at the XML output. How would you recommend this problem be fixed?
Comment 12 (12 years ago)
oh, I wonder if we moved https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall to the attachment base, whether that would fix this or not...
Comment 13 (Reporter, 12 years ago)
The patch can be the same for bug 716283.
Comment 14 (12 years ago)
Oh, I see what you mean. Sounds good.
Assignee: general → attach-and-request
Status: RESOLVED → REOPENED
Component: Bugzilla-General → Attachments & Requests
Ever confirmed: true
Flags: blocking4.2?
Flags: blocking4.0.5?
Resolution: INVALID → ---
Whiteboard: [infrasec:bestpractice][ws:low]
Target Milestone: --- → Bugzilla 4.0
Comment 15 (Assignee, 12 years ago)
Ah, now I understand better what you mean. Updating the bug summary accordingly.

(In reply to Reed Loden [:reed] (very busy) from comment #12)
> oh, I wonder if we moved
> https://bugzilla.mozilla.org/attachment.cgi?bugid=722161&action=viewall to
> the attachment base, whether that would fix this or not...

The problem would be that your credentials wouldn't be available there, and I don't want to make the code even more complex to handle this situation. Better is to display the source code of HTML attachments, for consistency with the "Details" page, and to avoid unexpected interactions between HTML attachments.
Status: REOPENED → NEW
Flags: blocking4.2?
Flags: blocking4.2+
Flags: blocking4.0.5?
Flags: blocking4.0.5+
Summary: Clickjacking in obsolete attachments view + CSRF vulnerability in bugs reports in XML, could allow informations leak. → Clickjacking is possible in "View All" with HTML attachments
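The point made in comment 8 and comment 15 in runnable form, as an added example that is not Bugzilla's code and not the patch committed on this bug: X-Frame-Options: SAMEORIGIN blocks framing from an external site, but it says nothing about a frame created by an HTML attachment that Bugzilla itself renders on its own origin, which is why the fix is to show such attachments as escaped source rather than rendering them. The function names, the BUGZILLA_ORIGIN constant and the two sample attachments are assumptions made for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the origin the "View All" page is served from (taken from the URLs in this bug).
BUGZILLA_ORIGIN = "https://bugzilla.mozilla.org"


def origin_of(url: str) -> str:
    """Scheme + host[:port] of a URL, the unit that X-Frame-Options: SAMEORIGIN compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_allowed(xfo_header: str, target_url: str, parent_url: str) -> bool:
    """Would a browser that honours X-Frame-Options render target_url inside a frame
    whose top-level document is parent_url?  Only DENY and SAMEORIGIN are modelled."""
    policy = xfo_header.strip().upper()
    if policy == "DENY":
        return False
    if policy == "SAMEORIGIN":
        return origin_of(target_url) == origin_of(parent_url)
    raise ValueError(f"unsupported X-Frame-Options value: {xfo_header!r}")


def render_viewall_vulnerable(attachments):
    """Pre-fix behaviour: a text/html attachment is inlined verbatim, so the attacker's
    markup becomes part of a page on BUGZILLA_ORIGIN and may frame Bugzilla itself."""
    out = []
    for att in attachments:
        if att["mimetype"] == "text/html":
            body = att["data"]
        else:
            body = "<pre>" + html.escape(att["data"]) + "</pre>"
        out.append(f'<div class="attachment" id="att-{att["id"]}">{body}</div>')
    return "\n".join(out)


def render_viewall_fixed(attachments):
    """Post-fix behaviour: every attachment, text/html included, is shown as escaped source."""
    out = []
    for att in attachments:
        body = "<pre>" + html.escape(att["data"]) + "</pre>"
        out.append(f'<div class="attachment" id="att-{att["id"]}">{body}</div>')
    return "\n".join(out)


class _TagCollector(HTMLParser):
    """Collects the start tags a browser would actually see in a rendered page."""
    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


ACTIVE_TAGS = {"iframe", "form", "input", "textarea", "script"}


def active_tags(rendered_page: str) -> set:
    """Tags in the rendered page that an attachment must never be able to contribute."""
    parser = _TagCollector()
    parser.feed(rendered_page)
    return parser.tags & ACTIVE_TAGS


# Constructed sample attachments (not the real ones on this bug): the first is modelled on
# the PoC quoted in comment 19, a fake "captcha" page that frames a Bugzilla XML view and
# asks the victim to paste it into a textarea; the second is an ordinary text/plain patch.
POC_ATTACHMENT = {
    "id": 592503,
    "mimetype": "text/html",
    "data": (
        "<h1>Captcha Check Page.</h1>"
        f'<iframe src="{BUGZILLA_ORIGIN}/show_bug.cgi?ctype=xml&amp;id=722161"></iframe>'
        '<textarea id="xml"></textarea>'
        '<input type="button" value="Go" onclick="alert(\'leaked\')">'
    ),
}
PATCH_ATTACHMENT = {"id": 594536, "mimetype": "text/plain", "data": "--- a/x\n+++ b/x\n"}


def demo():
    """Runs both checks and returns the findings as a dict."""
    viewall = f"{BUGZILLA_ORIGIN}/attachment.cgi?bugid=722161&action=viewall"
    xml_view = f"{BUGZILLA_ORIGIN}/show_bug.cgi?ctype=xml&id=722161"
    both = [POC_ATTACHMENT, PATCH_ATTACHMENT]
    return {
        # SAMEORIGIN stops an attacker's site from framing Bugzilla...
        "external_frame_blocked": not frame_allowed("SAMEORIGIN", xml_view, "https://attacker.example/"),
        # ...but not a frame created by an attachment rendered on Bugzilla's own origin.
        "same_origin_frame_allowed": frame_allowed("SAMEORIGIN", xml_view, viewall),
        "vulnerable_active_tags": active_tags(render_viewall_vulnerable(both)),
        "fixed_active_tags": active_tags(render_viewall_fixed(both)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the external frame blocked and the same-origin frame allowed, and that the vulnerable renderer lets the attachment contribute iframe, textarea and input elements to the page while the escaped renderer contributes none. The same check works for any other active-content tag you add to ACTIVE_TAGS.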
Comment 16 (Assignee, 12 years ago)
Same fix as for the Details page.
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #594536 -
Flags: review?(dkl)
Comment 17 (12 years ago)
Comment on attachment 594536 [details] [diff] [review] patch, v1
Review of attachment 594536 [details] [diff] [review]:
-----------------------------------------------------------------
Looks good and works as expected. r=dkl
Attachment #594536 -
Flags: review?(dkl) → review+
Updated (Assignee, 12 years ago)
Flags: approval4.2+
Flags: approval4.0+
Flags: approval+
Comment 18 (Assignee, 12 years ago)
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified skins/standard/attachment.css
modified template/en/default/attachment/show-multiple.html.tmpl
Committed revision 8105.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified skins/standard/attachment.css
modified template/en/default/attachment/show-multiple.html.tmpl
Committed revision 8024.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified skins/standard/attachment.css
modified template/en/default/attachment/show-multiple.html.tmpl
Committed revision 7691.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Comment 19 (12 years ago)
Comment on attachment 592503 [details] PoC
><!-- PoC attachment: a fake "captcha" page that frames another site and asks the victim to paste copied XML -->
><body style='background-color:black;color:red;text-align:center;'>
><h1>Captcha Check Page.</h1>
><center>
><iframe src="http://www.oi.com.br" height="50%" width="50%" frameborder="0"></iframe>
><div align="center">
><h3>Paste this code here.</h3><br>
><textarea id="xml" style='height:400px;width:700px;'></textarea>
><br>
><input type="button" style='font-size:25px;' value="Go" onclick="e=document.getElementById('xml'); alert('Thanks! Your bugs reporters are save in my database!');" />
></div>
></center>
></body>