Closed Bug 754561 Opened 13 years ago Closed 13 years ago

Tags should be escaped in the auto-complete form

Component: Bugzilla :: User Interface
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Target Milestone: Bugzilla 4.0
Reporter: netfuzzerr
Assignee: reed
Whiteboard: [infrasec:xss][ws:low]
Attachments: 3 files

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.3 Safari/536.11

Steps to reproduce:

Hello,

There is a persistent cross-site scripting vulnerability in the "Tag" field. The flaw allows attackers to steal cookies and do phishing attacks.

Reproduce:
1. Log on to bugzilla landfill.
2. Go to https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=18058.
3. In the "Tags" field add "," (this is necessary to activate the autocomplete and trigger the XSS).
4. See the alert.

Vulnerable Code
================
Doesn't escape the variable YAHOO.bugzilla.field_array["tag"] that will be posted in the autocomplete field.
--------------
<script type="text/javascript" defer="defer">
if (typeof YAHOO.bugzilla.field_array === "undefined")
    YAHOO.bugzilla.field_array = [];
YAHOO.bugzilla.field_array["tag"] = ["\x3cscript\x3ealert(1)\x3c\/script\x3e","\x3ciframe\/src=javascript:alert(\'xss\')\x3eaa\x3c\/iframe\x3e","\x3cmarquee\x3eaaaaaaaaaaaaaaa\x3c\/marquee\x3e"];
YAHOO.bugzilla.fieldAutocomplete.init('tag', 'tag_autocomplete');
</script>
--------------
===============

Cheers,
Mario.

Patch
==========
<script type="text/javascript" defer="defer">
if (typeof YAHOO.bugzilla.field_array === "undefined")
    YAHOO.bugzilla.field_array = [];
var data = ["\x3cscript\x3ealert(1)\x3c\/script\x3e","\x3ciframe\/src=javascript:alert(\'xss\')\x3eaa\x3c\/iframe\x3e","\x3cmarquee\x3eaaaaaaaaaaaaaaa\x3c\/marquee\x3e"];
// HTML-escape each tag before handing the list to the autocomplete widget
var escapeData = [];
for (var i = 0; i < data.length; i++)
    escapeData.push(data[i].replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;"));
YAHOO.bugzilla.field_array["tag"] = escapeData;
YAHOO.bugzilla.fieldAutocomplete.init('tag', 'tag_autocomplete');
</script>
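The report above shows the core of the bug: the tag names are correctly escaped for one context (a JavaScript string literal inside a script block, hence the \x3c/\x3e sequences) but not for the second context they end up in (HTML in the autocomplete dropdown), which is where the alert fires. The following is an added example, not Bugzilla's js/field.js or any patch from this bug; it assumes a minimal autocomplete renderer that builds the dropdown markup by string concatenation (the YUI widget's actual formatter is not shown on this page), and the tag names are the constructed sample values from the report.

```javascript
// Added example (not Bugzilla's code): the two escaping contexts that
// matter when a list of user-controlled tag names feeds an autocomplete.
//
// Context 1: the list is serialized into a <script> block as a JS array
// literal. Context 2: the widget turns each entry into a DOM node in the
// suggestion dropdown. Escaping for context 1 does not protect context 2.

// Constructed sample: the tag names used in the bug report.
const TAGS = [
  '<script>alert(1)</script>',
  "<iframe/src=javascript:alert('xss')>aa</iframe>",
  '<marquee>aaaaaaaaaaaaaaa</marquee>',
];

// Context 1: escape a value for use as a JS string literal inside <script>.
// Every character that could close the string, the script block, or an
// HTML comment is emitted as \xHH, which is what the report's output shows.
function toJsStringLiteral(s) {
  return '"' + s.replace(/[\\"'<>&\/\r\n]/g, (c) =>
    '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')) + '"';
}

// The statement the template emits. Safe for context 1: no raw "<" survives,
// so the values cannot break out of the script block.
function scriptArrayLiteral(fieldName, values) {
  return 'YAHOO.bugzilla.field_array["' + fieldName + '"] = [' +
    values.map(toJsStringLiteral).join(',') + '];';
}

// Context 2: escape a value for use as HTML text content.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer (hypothetical): the equivalent of a result formatter
// that returns raw HTML built from the entries. A tag name like
// "<script>alert(1)</script>" becomes live markup in the dropdown.
function renderSuggestionsUnsafe(values) {
  return '<ul>' + values.map((v) => '<li>' + v + '</li>').join('') + '</ul>';
}

// Hardened renderer (hypothetical): same markup, entries escaped at the
// point where they become HTML rather than in the data array.
function renderSuggestionsSafe(values) {
  return '<ul>' + values.map((v) => '<li>' + escapeHtml(v) + '</li>').join('') + '</ul>';
}

// Crude review check: does any <li> body still contain something that the
// HTML parser would treat as a tag ("<" followed by a letter or "/")?
function containsLiveTag(html) {
  const bodies = [...html.matchAll(/<li>(.*?)<\/li>/g)].map((m) => m[1]);
  return bodies.some((b) => /<[a-zA-Z\/]/.test(b));
}

console.log(scriptArrayLiteral('tag', TAGS));
console.log('unsafe dropdown has live tag:', containsLiveTag(renderSuggestionsUnsafe(TAGS)));
console.log('safe dropdown has live tag:  ', containsLiveTag(renderSuggestionsSafe(TAGS)));
```

One design point worth keeping in mind when reviewing a fix of the shape proposed in the report: if the same array also supplies the text the widget copies into the input when a suggestion is chosen, HTML-escaping the data up front will insert "&lt;" and "&amp;" literally into the field. Escaping in the code path that produces the dropdown markup (or building that markup with text nodes instead of HTML strings) avoids the double-encoding problem.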
Assignee: general → ui
Severity: normal → major
Status: UNCONFIRMED → NEW
Component: Bugzilla-General → User Interface
Ever confirmed: true
Priority: -- → P1
Whiteboard: [infrasec:xss][ws:high]
Target Milestone: --- → Bugzilla 4.4
Depends on: 616191
I think this will work...
Assignee: ui → reed
Status: NEW → ASSIGNED
Attachment #623452 - Flags: review?(LpSolit)
Mario, what are the exact tags you entered? Tags are per user, and so the attacker cannot attack anyone except himself. So that's neither a security bug nor a major one. Clearing the status whiteboard as well, as the decision was certainly overestimated.
Group: bugzilla-security
Severity: major → normal
Summary: Persistent Cross Site Scripting(XSS) on Tags Bug Field. → Tags should be escaped in the auto-complete form
Whiteboard: [infrasec:xss][ws:high]
Version: unspecified → 4.3
Nope, I have tested with another account and the XSS works.
I was only able to reproduce this on a per-user basis, but it's definitely a bug. The attached patch was tested on a landfill instance, and it seemed to work fine.
Priority: P1 → --
Whiteboard: [infrasec:xss][ws:low]
Mario: can you explain more about how user A can XSS user B? When does user B get to see user A's tags? Gerv
(In reply to Gervase Markham [:gerv] from comment #6)
> Mario: can you explain more about how user A can XSS user B? When does user
> B get to see user A's tags?
>
> Gerv

Ah, I can't reproduce this (testing with a third account doesn't work). :( Anyway, using the old attachments bug (bug 728892) could make this work as an exploitation vector.
Comment on attachment 623452 [details] [diff] [review] patch - v1 (trunk) r=LpSolit
Attachment #623452 - Flags: review?(LpSolit) → review+
Flags: approval+
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified js/field.js
Committed revision 8231.

We could probably backport this to older branches as well, though it will only affect keywords since tags don't exist there. Thoughts?
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
(In reply to Reed Loden [:reed] (very busy) from comment #9)
> We could probably backport this to older branches as well, though it will
> only affect keywords since tags don't exist there. Thoughts?

Probably a good idea, as someone with editkeywords privs could use the same trick to do XSS (but this is not exactly a security bug, as someone with editkeywords privs should be considered a trusted user).
4.2-only patch.
Attachment #627508 - Flags: review?(LpSolit)
Attachment #623452 - Attachment description: patch - v1 → patch - v1 (trunk)
Attachment #627511 - Flags: review?(LpSolit)
3.6 doesn't have any of the YUI-type code, so I think we're good there.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: Bugzilla 4.4 → Bugzilla 4.0
Comment on attachment 627508 [details] [diff] [review] patch - v1 (4.2 branch) r=LpSolit
Attachment #627508 - Flags: review?(LpSolit) → review+
Comment on attachment 627511 [details] [diff] [review] patch - v1 (4.0 branch) r=LpSolit
Attachment #627511 - Flags: review?(LpSolit) → review+
Flags: approval4.2+
Flags: approval4.0+
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified js/field.js
Committed revision 8091.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified js/field.js
Committed revision 7710.
Status: REOPENED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED