
Tags should be escaped in the auto-complete form

RESOLVED FIXED in Bugzilla 4.0

Status


Bugzilla
User Interface
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: x, Assigned: reed)

Tracking

Bugzilla 4.0
Bug Flags:
approval +
approval4.2 +
approval4.0 +

Details

(Whiteboard: [infrasec:xss][ws:low])

Attachments

(3 attachments)

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.3 Safari/536.11

Steps to reproduce:

Hello,

There is a persistent cross-site scripting vulnerability in the "Tags" field. The flaw allows attackers to steal cookies and carry out phishing attacks.

Reproduce:
1. Log in to Bugzilla landfill.
2. Go to https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=18058.
3. In the "Tags" field, add "," (this is necessary to activate the autocomplete and trigger the XSS).
4. See the alert.

Vulnerable Code
================
The variable YAHOO.bugzilla.field_array["tag"], which is used to populate the autocomplete field, is not escaped.
--------------
<script type="text/javascript" defer="defer">
         if (typeof YAHOO.bugzilla.field_array === "undefined")
           YAHOO.bugzilla.field_array = [];
         YAHOO.bugzilla.field_array["tag"] = ["\x3cscript\x3ealert(1)\x3c\/script\x3e","\x3ciframe\/src=javascript:alert(\'xss\')\x3eaa\x3c\/iframe\x3e","\x3cmarquee\x3eaaaaaaaaaaaaaaa\x3c\/marquee\x3e"];
         YAHOO.bugzilla.fieldAutocomplete.init('tag',
                                               'tag_autocomplete');
       </script>
--------------
===============

Cheers,
Mario.

Patch
==========
<script type="text/javascript" defer="defer">
         if (typeof YAHOO.bugzilla.field_array === "undefined")
           YAHOO.bugzilla.field_array = [];
         var data = ["\x3cscript\x3ealert(1)\x3c\/script\x3e","\x3ciframe\/src=javascript:alert(\'xss\')\x3eaa\x3c\/iframe\x3e","\x3cmarquee\x3eaaaaaaaaaaaaaaa\x3c\/marquee\x3e"];
         // HTML-escape each tag before the autocomplete renders it as markup
         var escapeData = [];
         for (var i = 0; i < data.length; i++)
           escapeData.push(data[i].replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;"));
         YAHOO.bugzilla.field_array["tag"] = escapeData;
         YAHOO.bugzilla.fieldAutocomplete.init('tag',
                                               'tag_autocomplete');
</script>
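The report above hinges on two separate encoding contexts, and the example below (added here; it is not code from the bug, the reporter, or Bugzilla) models both: the template hex-escapes each tag for the JavaScript string context, so the inline script block stays intact, but once the browser decodes the literal the original tag text comes back and is handed to an autocomplete that renders it as HTML, where a second, HTML-context escape is required. The function names, the escaping routine standing in for the template, and the sample tag list are this example's own assumptions.

```javascript
// Added example, not Bugzilla's own code. It models the two encoding layers
// involved in this report: the template escapes each tag for the JavaScript
// string context (so the inline <script> block cannot be broken out of), but
// the autocomplete later inserts the decoded value into the DOM as HTML, where
// a second, HTML-context escape is required. The function names and the sample
// tag list below are this example's own assumptions.

// Escape a string for use inside a double-quoted JavaScript string literal,
// hex-encoding every character outside a small safe set (an assumed stand-in
// for the template's behaviour; the report shows the \x3c / \x3e forms).
function jsStringEscape(s) {
  return s.replace(/[^\w ,.\-]/g, function (c) {
    var code = c.charCodeAt(0);
    return code < 256 ? "\\x" + code.toString(16).padStart(2, "0")
                      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Produce the array literal that the inline script assigns to field_array["tag"].
function buildFieldArrayLiteral(tags) {
  return '["' + tags.map(jsStringEscape).join('","') + '"]';
}

// Escape for the HTML text context, i.e. before a value is handed to innerHTML.
function htmlEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Stand-in for an autocomplete list that renders each suggestion as markup.
// escape=false reproduces the reported bug; escape=true is the hardened form.
function renderSuggestions(tags, escape) {
  return "<ul>" + tags.map(function (t) {
    return "<li>" + (escape ? htmlEscape(t) : t) + "</li>";
  }).join("") + "</ul>";
}

// Constructed sample input: one tag carrying a script payload, one benign tag.
var SAMPLE_TAGS = ["<script>alert(1)</script>", "normal-tag"];

function demo() {
  var literal = buildFieldArrayLiteral(SAMPLE_TAGS);
  // Evaluate the literal the way the browser parses the inline script. The
  // decoded strings are the original tag names again: the JS-level escaping
  // protects the script block, not whatever renders the strings afterwards.
  var decoded = new Function("return " + literal + ";")();
  return {
    literal: literal,
    roundTrips: JSON.stringify(decoded) === JSON.stringify(SAMPLE_TAGS),
    vulnerableHtml: renderSuggestions(decoded, false),
    hardenedHtml: renderSuggestions(decoded, true)
  };
}

console.log(demo());
```

Running it shows that the generated literal contains no raw `<` at all (the script context is safe), yet the decoded array still holds a live `<script>` tag that the unescaped renderer emits verbatim; only the HTML-escaped rendering neutralises it. The check a reviewer wants from a fix like this is that escaping happens in the layer that builds markup, not only in the layer that builds the script.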
(Assignee)

Updated

5 years ago
Assignee: general → ui
Severity: normal → major
Status: UNCONFIRMED → NEW
Component: Bugzilla-General → User Interface
Ever confirmed: true
Priority: -- → P1
Whiteboard: [infrasec:xss][ws:high]
Target Milestone: --- → Bugzilla 4.4
(Assignee)

Updated

5 years ago
Depends on: 616191
(Assignee)

Comment 2

5 years ago
Created attachment 623452 [details] [diff] [review]
patch - v1 (trunk)

I think this will work...
Assignee: ui → reed
Status: NEW → ASSIGNED
Attachment #623452 - Flags: review?(LpSolit)

Comment 3

5 years ago
Mario, what are the exact tags you entered? Tags are per user, and so the attacker cannot attack anyone except himself. So that's neither a security bug nor a major one. Clearing the status whiteboard as well as the decision was certainly overestimated.
Group: bugzilla-security
Severity: major → normal
Summary: Persistent Cross Site Scripting(XSS) on Tags Bug Field. → Tags should be escaped in the auto-complete form
Whiteboard: [infrasec:xss][ws:high]
Version: unspecified → 4.3
Comment 4

Nope, I have tested with another account and the XSS works.
(Assignee)

Comment 5

5 years ago
I was only able to reproduce this on a per-user basis, but it's definitely a bug. The attached patch was tested on a landfill instance, and it seemed to work fine.
Priority: P1 → --
Whiteboard: [infrasec:xss][ws:low]
Comment 6

Mario: can you explain more about how user A can XSS user B? When does user B get to see user A's tags?

Gerv
Comment 7

Ah, I can't reproduce this (testing with a third account doesn't work). :(

Anyway, using the old attachments bug (bug 728892) could make this work as an exploitation vector.

(In reply to Gervase Markham [:gerv] from comment #6)
> Mario: can you explain more about how user A can XSS user B? When does user
> B get to see user A's tags?
> 
> Gerv

Comment 8

5 years ago
Comment on attachment 623452 [details] [diff] [review]
patch - v1 (trunk)

r=LpSolit
Attachment #623452 - Flags: review?(LpSolit) → review+

Updated

5 years ago
Flags: approval+
(Assignee)

Comment 9

5 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified js/field.js
Committed revision 8231.

We could probably backport this to older branches as well, though it will only affect keywords since tags don't exist there. Thoughts?
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Comment 10

5 years ago
(In reply to Reed Loden [:reed] (very busy) from comment #9)
> We could probably backport this to older branches as well, though it will
> only affect keywords since tags don't exist there. Thoughts?

Probably a good idea as someone with editkeywords privs could use the same trick to do XSS (but this is not exactly a security bug as someone with editkeywords privs should be considered as a trusted user).
(Assignee)

Comment 11

5 years ago
Created attachment 627508 [details] [diff] [review]
patch - v1 (4.2 branch)

4.2-only patch.
Attachment #627508 - Flags: review?(LpSolit)
(Assignee)

Updated

5 years ago
Attachment #623452 - Attachment description: patch - v1 → patch - v1 (trunk)
(Assignee)

Comment 12

5 years ago
Created attachment 627511 [details] [diff] [review]
patch - v1 (4.0 branch)
Attachment #627511 - Flags: review?(LpSolit)
(Assignee)

Comment 13

5 years ago
3.6 doesn't have any of the YUI-type code, so I think we're good there.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: Bugzilla 4.4 → Bugzilla 4.0

Comment 14

5 years ago
Comment on attachment 627508 [details] [diff] [review]
patch - v1 (4.2 branch)

r=LpSolit
Attachment #627508 - Flags: review?(LpSolit) → review+

Comment 15

5 years ago
Comment on attachment 627511 [details] [diff] [review]
patch - v1 (4.0 branch)

r=LpSolit
Attachment #627511 - Flags: review?(LpSolit) → review+

Updated

5 years ago
Flags: approval4.2+
Flags: approval4.0+
(Assignee)

Comment 16

5 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified js/field.js
Committed revision 8091.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified js/field.js
Committed revision 7710.
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED