DOM Based Cross Site Scripting on enter_bug.cgi with the Guided Bug Entry format

RESOLVED FIXED

People

(Reporter: netfuzzerr, Assigned: glob)

Tracking

(Blocks: 1 bug, {wsec-xss})

Production
wsec-xss
Bug Flags:
sec-bounty +

Details

(Whiteboard: [infrasec:xss][ws:high], URL)

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1130.1 Safari/536.11

Steps to reproduce:

Hello,

DOM-based XSS on bugzilla.mozilla.org can allow an attacker to carry out phishing attacks.

PoC: https://bugzilla.mozilla.org/enter_bug.cgi#h=alert('XSS')

Vulnerable code
============
The variable "state" contains the value of the URL fragment "#h=".
The function "setStep" calls eval, so the "#h=" value is executed.
--- guided.js---
  _onStateChange: function(state, noSetHistory) {
    state = state.split("|");
    product.setName(state[1] || '');
    guided.setStep(state[0], noSetHistory);
  },
----------------
Using eval and call function with the name of url fragment.
---guided.js-----
  setStep: function(newStep, noSetHistory) {
    // initialise new step
    eval(newStep + '.onShow()');

    // change visibility of _step div
    if (this._currentStep)
      Dom.addClass(this._currentStep + '_step', 'hidden');
    this._currentStep = newStep;
    Dom.removeClass(this._currentStep + '_step', 'hidden');

    // scroll to top of page to mimic real navigation
    scroll(0,0);

    // update history
    if (History && !noSetHistory) {
      History.navigate('h', newStep + "|" + product.getName());
    }
  },
----------


Cheers,
Mario.
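As an added example, not the bmo patch or code from guided.js: the eval-based step dispatch described in the report, beside a hardened dispatch that refuses anything not in an allow-list of step names. The step objects, parseState() and the counters are constructed for this demonstration.

```javascript
// Added example, not the bmo patch: the eval-based step dispatch from the
// report beside a hardened dispatch that only accepts known step names.
// The step objects, parseState() and the counters are constructed for this demo.

const product = { shown: 0, onShow() { this.shown++; } };
const component = { shown: 0, onShow() { this.shown++; } };

// Allow-list of valid guided-entry steps; its own keys are the only names accepted.
const STEPS = { product, component };

// Extract "step" and "product" from a "#h=step|product" fragment, mirroring
// _onStateChange's state.split("|"). It validates nothing: that is setStep's job.
function parseState(hash) {
  const m = /^#h=(.*)$/.exec(hash);
  const state = (m ? decodeURIComponent(m[1]) : '').split('|');
  return { step: state[0] || '', product: state[1] || '' };
}

// Vulnerable shape from guided.js: the fragment text is evaluated as code.
// "#h=Firefox" raises ReferenceError (what the reporter saw in the debugger);
// anything with parentheses runs before ".onShow()" is ever reached.
function setStepUnsafe(newStep) {
  eval(newStep + '.onShow()');
  return newStep;
}

// Hardened: look the step up in the allow-list instead of evaluating it.
// Anything that is not an own key of STEPS is refused, inherited names included.
function setStepSafe(newStep) {
  if (!Object.prototype.hasOwnProperty.call(STEPS, newStep)) {
    throw new Error('unknown guided-entry step: ' + JSON.stringify(newStep));
  }
  STEPS[newStep].onShow();
  return newStep;
}

// Drive either dispatcher from a fragment; returns the step name that was shown.
function showFromHash(hash, dispatch) {
  const { step } = parseState(hash);
  return dispatch(step);
}
```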
(Assignee)

Updated

7 years ago
Assignee: general → nobody
Component: Bugzilla-General → Extensions: GuidedBugEntry
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa → guided-bug-entry
Version: unspecified → Current
(Assignee)

Comment 1

7 years ago
confirmed.  this is a bmo-specific customisation.
Assignee: nobody → glob
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Comment 2

7 years ago
Created attachment 622741 [details] [diff] [review]
patch v1

gah, what a stupid mistake :(
Attachment #622741 - Flags: review?(dkl)
Comment 3

Mario: nice work! How did you find it?

We should audit all uses of eval(). But I think this is the only one.

Gerv
(Reporter)

Comment 4

7 years ago
I just opened "#h=Firefox" and saw the error "ReferenceError: Firefox is not defined" in the JavaScript debugger. So I replaced it with "alert(1)" and the bug came up.

Yep, DOM is dangerous. I don't know which pages of Bugzilla use the DOM. It would be interesting to test on them.

(In reply to Gervase Markham [:gerv] from comment #3)
> Mario: nice work! How did you find it?
> 
> We should audit all uses of eval(). But I think this is the only one.
> 
> Gerv
Whiteboard: [infrasec:xss][ws:high]
Comment 5

Comment on attachment 622741 [details] [diff] [review]
patch v1

Review of attachment 622741 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me and fixes the reported issue. r=dkl
Attachment #622741 - Flags: review?(dkl) → review+
(Assignee)

Comment 6

7 years ago
thanks dkl; i'll commit this just before we do this week's code push.
(Reporter)

Comment 7

7 years ago
Can this bug be eligible for a bounty?

Comment 8

(In reply to Mario Gomes from comment #7)
> Can this bug be eligible for a bounty?

That's up to the folks who administrate the bounty program. You may contact security [@] mozilla.org to discuss that with them.

Either way, thank you for reporting this issue. We definitely appreciate your submission, and we welcome any future reports.
(Reporter)

Comment 9

7 years ago
(In reply to Reed Loden [:reed] (very busy) from comment #8)
> That's up to the folks who administrate the bounty program. You may contact
> security [@] mozilla.org to discuss that with them.

Thanks! I'll do it.

> Either way, thank you for reporting this issue. We definitely appreciate
> your submission, and we welcome any future reports.

Great - Me too! I'm also expecting more flaws to report! :)
Comment 10

(In reply to Reed Loden [:reed] (very busy) from comment #8)
> (In reply to Mario Gomes from comment #7)
> > Can this bug be eligible for a bounty?
> 
> That's up to the folks who administrate the bounty program. You may contact
> security [@] mozilla.org to discuss that with them.

Actually, emailing us is unnecessary since we're just going to come back to the bug here. We do regular triage for nominations. The rating is high enough to be considered so we will look at it during our weekly meeting.
Comment 11

Created attachment 624291 [details]
netfuzzerr@gmail.com,3000,,,,true, [paid] 20120523
(Assignee)

Updated

6 years ago
Summary: DOM Based Cross Site Scripting on enter_bug.cgi. → DOM Based Cross Site Scripting on enter_bug.cgi with the Guided Bug Entry format
(Assignee)

Comment 12

6 years ago
Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.0/
modified extensions/GuidedBugEntry/web/js/guided.js
Committed revision 8181.

Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.2/
modified extensions/GuidedBugEntry/web/js/guided.js
Committed revision 8161.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Assignee)

Comment 13

6 years ago
deployed; removing security restrictions from this bug.
Group: bugzilla-security
(Reporter)

Comment 14

6 years ago
Thanks a lot!

(In reply to Al Billings [:abillings] from comment #11)
> Created attachment 624291 [details]
> Web Bounty Awarded $3000

Updated

6 years ago
Blocks: 835424
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
Flags: sec-bounty+