Bug 754561 - Tags should be escaped in the auto-complete form
Status: RESOLVED FIXED
Whiteboard: [infrasec:xss][ws:low]
Product: Bugzilla
Classification: Server Software
Component: User Interface
Version: 4.3
Platform: All All
Importance: -- normal
Target Milestone: Bugzilla 4.0
Assigned To: Reed Loden [:reed]
QA Contact: default-qa
Depends on: 616191
Reported: 2012-05-12 05:14 PDT by Mario Gomes
Modified: 2012-05-29 07:47 PDT
Flags: LpSolit: approval+, approval4.2+, approval4.0+

Attachments
patch - v1 (trunk) (540 bytes, patch), 2012-05-12 13:18 PDT, Reed Loden [:reed], LpSolit: review+
patch - v1 (4.2 branch) (542 bytes, patch), 2012-05-26 14:10 PDT, Reed Loden [:reed], LpSolit: review+
patch - v1 (4.0 branch) (891 bytes, patch), 2012-05-26 14:23 PDT, Reed Loden [:reed], LpSolit: review+

Description Mario Gomes 2012-05-12 05:14:30 PDT
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.3 Safari/536.11

Steps to reproduce:

Hello,

There is a persistent cross-site scripting vulnerability in the "Tag" field. The flaw allows attackers to steal cookies and carry out phishing attacks.

Reproduce:
1. Log on to Bugzilla landfill.
2. Go to https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=18058.
3. In the "Tags" field, add "," (this is necessary to activate the autocomplete and trigger the XSS).
4. See the alert.

Vulnerable Code
================
The variable YAHOO.bugzilla.field_array["tag"], which will be posted in the autocomplete field, is not escaped.
--------------
<script type="text/javascript" defer="defer">
  if (typeof YAHOO.bugzilla.field_array === "undefined")
    YAHOO.bugzilla.field_array = [];
  YAHOO.bugzilla.field_array["tag"] = ["\x3cscript\x3ealert(1)\x3c\/script\x3e","\x3ciframe\/src=javascript:alert(\'xss\')\x3eaa\x3c\/iframe\x3e","\x3cmarquee\x3eaaaaaaaaaaaaaaa\x3c\/marquee\x3e"];
  YAHOO.bugzilla.fieldAutocomplete.init('tag',
                                        'tag_autocomplete');
</script>
--------------
===============

Cheers,
Mario.
Comment 1 Mario Gomes 2012-05-12 06:48:08 PDT
Patch
==========
<script type="text/javascript" defer="defer">
  if (typeof YAHOO.bugzilla.field_array === "undefined")
    YAHOO.bugzilla.field_array = [];
  var data = ["\x3cscript\x3ealert(1)\x3c\/script\x3e","\x3ciframe\/src=javascript:alert(\'xss\')\x3eaa\x3c\/iframe\x3e","\x3cmarquee\x3eaaaaaaaaaaaaaaa\x3c\/marquee\x3e"];
  // HTML-escape each value before it is handed to the autocomplete widget
  var escapeData = [];
  for (var i = 0; i < data.length; i++)
    escapeData.push(data[i].replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;"));
  YAHOO.bugzilla.field_array["tag"] = escapeData;
  YAHOO.bugzilla.fieldAutocomplete.init('tag',
                                        'tag_autocomplete');
</script>
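The following is an added illustration for the description and for the patch in comment 1; it is not code from Bugzilla's js/field.js and not the reporter's patch. It contrasts the two output contexts a tag value passes through: a JavaScript string literal inside the script block (which the page source in the report already hex-escapes, so the script itself stays well-formed) and the HTML of the autocomplete result list (where the same value was inserted as raw markup). The sample tag list, the function names (jsStringEscape, escapeHTML, renderSuggestion and friends) and the `<li>` rendering are this example's own assumptions.

```javascript
// Added example, not Bugzilla code. Two output contexts, two escapers.

// Constructed sample tags, modelled on the payloads quoted in the report,
// plus one harmless value.
const SAMPLE_TAGS = [
  "<script>alert(1)</script>",
  "<iframe/src=javascript:alert('xss')>aa</iframe>",
  "<marquee>aaaaaaaaaaaaaaa</marquee>",
  "ordinary-tag",
];

// Context 1: a JavaScript string literal. Hex-escape every character that
// could close the literal, close the <script> element, or break a line.
// This is what the page source in the report shows (\x3c, \x3e, \/). It keeps
// the script well-formed but says nothing about what happens when the value
// is later inserted into the DOM.
function jsStringEscape(s) {
  return s.replace(/[<>&"'\\\/\r\n\u2028\u2029]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Emits, as text, the assignment that the report's page source shows.
function renderScriptBlock(tags) {
  const literals = tags.map((t) => '"' + jsStringEscape(t) + '"').join(", ");
  return 'YAHOO.bugzilla.field_array["tag"] = [' + literals + "];";
}

// Context 2: HTML text content. Entity-encode the five characters that can
// start markup or close an attribute.
function escapeHTML(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The bug: the suggestion string is concatenated into markup as-is, so the
// browser parses the tag value as elements rather than as text.
function renderSuggestionUnsafe(tag) {
  return "<li>" + tag + "</li>";
}

// The fix: escape at the point where the value becomes HTML.
function renderSuggestion(tag) {
  return "<li>" + escapeHTML(tag) + "</li>";
}

// Check used below: does the rendered <li> still carry an angle bracket
// inside its text content? (4 and -5 strip the "<li>" and "</li>" wrapper.)
function suggestionContainsMarkup(html) {
  const inner = html.slice(4, -5);
  return /[<>]/.test(inner);
}

// Counts how many sample tags a given renderer would hand to the parser as
// markup. The unsafe renderer leaks every payload; the escaped one leaks none.
function countMarkupLeaks(renderer, tags) {
  return tags.filter((t) => suggestionContainsMarkup(renderer(t))).length;
}

// Stand-alone run: show the script-context escaping and both renderings.
console.log(renderScriptBlock(SAMPLE_TAGS));
for (const t of SAMPLE_TAGS) {
  console.log("unsafe:", renderSuggestionUnsafe(t));
  console.log("safe:  ", renderSuggestion(t));
}
console.log("leaks (unsafe):", countMarkupLeaks(renderSuggestionUnsafe, SAMPLE_TAGS));
console.log("leaks (safe):  ", countMarkupLeaks(renderSuggestion, SAMPLE_TAGS));
```

The reporter's patch in comment 1 escapes the values before they reach the widget. That works only while the widget keeps injecting its suggestions as raw HTML; if the widget is later changed to treat them as text, the stored `&lt;` entities would display literally. Escaping in the renderer, where the string actually becomes HTML, is the placement that survives such changes and is the one the example's `renderSuggestion` shows.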
Comment 2 Reed Loden [:reed] 2012-05-12 13:18:43 PDT
Created attachment 623452 [details] [diff] [review]
patch - v1 (trunk)

I think this will work...
Comment 3 Frédéric Buclin 2012-05-13 15:51:11 PDT
Mario, what are the exact tags you entered? Tags are per user, and so the attacker cannot attack anyone except himself. So that's neither a security bug nor a major one. Clearing the status whiteboard as well as the decision was certainly overestimated.
Comment 4 Mario Gomes 2012-05-13 15:52:38 PDT
Nope, I have tested with another account and the XSS works.
Comment 5 Reed Loden [:reed] 2012-05-13 15:57:45 PDT
I was only able to reproduce this on a per-user basis, but it's definitely a bug. The attached patch was tested on a landfill instance, and it seemed to work fine.
Comment 6 Gervase Markham [:gerv] 2012-05-14 01:29:12 PDT
Mario: can you explain more about how user A can XSS user B? When does user B get to see user A's tags?

Gerv
Comment 7 Mario Gomes 2012-05-14 02:55:07 PDT
Ah, I can't reproduce this (testing with a third account doesn't work). :(

Anyway, using the old attachments bug (bug 728892) could make this work as an exploitation vector.

(In reply to Gervase Markham [:gerv] from comment #6)
> Mario: can you explain more about how user A can XSS user B? When does user
> B get to see user A's tags?
> 
> Gerv
Comment 8 Frédéric Buclin 2012-05-17 16:26:04 PDT
Comment on attachment 623452 [details] [diff] [review]
patch - v1 (trunk)

r=LpSolit
Comment 9 Reed Loden [:reed] 2012-05-17 16:30:19 PDT
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified js/field.js
Committed revision 8231.

We could probably backport this to older branches as well, though it will only affect keywords since tags don't exist there. Thoughts?
Comment 10 Frédéric Buclin 2012-05-17 16:34:44 PDT
(In reply to Reed Loden [:reed] (very busy) from comment #9)
> We could probably backport this to older branches as well, though it will
> only affect keywords since tags don't exist there. Thoughts?

Probably a good idea as someone with editkeywords privs could use the same trick to do XSS (but this is not exactly a security bug as someone with editkeywords privs should be considered as a trusted user).
Comment 11 Reed Loden [:reed] 2012-05-26 14:10:05 PDT
Created attachment 627508 [details] [diff] [review]
patch - v1 (4.2 branch)

4.2-only patch.
Comment 12 Reed Loden [:reed] 2012-05-26 14:23:59 PDT
Created attachment 627511 [details] [diff] [review]
patch - v1 (4.0 branch)
Comment 13 Reed Loden [:reed] 2012-05-26 14:25:09 PDT
3.6 doesn't have any of the YUI-type code, so I think we're good there.
Comment 14 Frédéric Buclin 2012-05-29 04:14:50 PDT
Comment on attachment 627508 [details] [diff] [review]
patch - v1 (4.2 branch)

r=LpSolit
Comment 15 Frédéric Buclin 2012-05-29 04:31:25 PDT
Comment on attachment 627511 [details] [diff] [review]
patch - v1 (4.0 branch)

r=LpSolit
Comment 16 Reed Loden [:reed] 2012-05-29 07:47:12 PDT
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified js/field.js
Committed revision 8091.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified js/field.js
Committed revision 7710.