754561 - Tags should be escaped in the auto-complete form

Status: RESOLVED FIXED

(Bugzilla :: User Interface, defect)

Description

[Mario Gomes]

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.3 Safari/536.11

Steps to reproduce:

Hello,

There is a Persistent Cross Site Scripting Vulnerability on "Tag" field. The flaw allows attackers to steal cookies and do phising attacks.

Reproduce:
1. Log on bugzilla landfill.
2. Go to https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=18058.
3. On "Tags" field add ","(this is necessary to active the autocomplete and make the xss).
4. See the alert.

Vulnerable Code
================
Dont escape the variable  YAHOO.bugzilla.field_array["tag"] that will be posted on autocomplete field.
--------------
<script type="text/javascript" defer="defer">
         if (typeof YAHOO.bugzilla.field_array === "undefined")
           YAHOO.bugzilla.field_array = [];
         YAHOO.bugzilla.field_array["tag"] = ["\x3cscript\x3ealert(1)\x3c\/script\x3e","\x3ciframe\/src=javascript:alert(\'xss\')\x3eaa\x3c\/iframe\x3e","\x3cmarquee\x3eaaaaaaaaaaaaaaa\x3c\/marquee\x3e"];
         YAHOO.bugzilla.fieldAutocomplete.init('tag',
                                               'tag_autocomplete');
       </script>
--------------
===============

Cheers,
Mario.

Comment 1

[Mario Gomes]

Patch
==========
<script type="text/javascript" defer="defer">
         if (typeof YAHOO.bugzilla.field_array === "undefined")
           YAHOO.bugzilla.field_array = [];
         data = ["\x3cscript\x3ealert(1)\x3c\/script\x3e","\x3ciframe\/src=javascript:alert(\'xss\')\x3eaa\x3c\/iframe\x3e","\x3cmarquee\x3eaaaaaaaaaaaaaaa\x3c\/marquee\x3e"];
 escapeData = new Array();
 for( var sel in data) escapeData.push(data[sel].replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;"));
         YAHOO.bugzilla.field_array["tag"] = escapeData;
         YAHOO.bugzilla.fieldAutocomplete.init('tag',
                                               'tag_autocomplete');
</script>

Comment 2

[Reed Loden [:reed]]

Attachment: patch - v1 (trunk)

I think this will work...

Comment 3

[Frédéric Buclin]

Mario, what are the exact tags you entered? Tags are per user, and so the attacker cannot attack anyone except himself. So that's neither a security bug nor a major one. Clearing the status whiteboard as well as the decision was certainly overestimated.

Comment 4

[Mario Gomes]

Nop, I have tested with outher accout and the xss works.

Comment 5

[Reed Loden [:reed]]

I was only able to reproduce this on a per-user basis, but it's definitely a bug. The attached patch was tested on a landfill instance, and it seemed to work fine.

Comment 6

[Gervase Markham [:gerv]]

Mario: can you explain more about how user A can XSS user B? When does user B get to see user A's tags?

Gerv

Comment 7

[Mario Gomes]

Ah, I can't reproduce this(testing with a third account dont works). :(

Anyway, using the old attachments bug (bug 728892) can do this works on a exploration vector.

(In reply to Gervase Markham [:gerv] from comment #6)
> Mario: can you explain more about how user A can XSS user B? When does user
> B get to see user A's tags?
> 
> Gerv

Comment 8

[Frédéric Buclin]

Comment on attachment 623452 [details] [diff] [review]
patch - v1 (trunk)

r=LpSolit

Comment 9

[Reed Loden [:reed]]

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified js/field.js
Committed revision 8231.

We could probably backport this to older branches as well, though it will only affect keywords since tags don't exist there. Thoughts?

Comment 10

[Frédéric Buclin]

(In reply to Reed Loden [:reed] (very busy) from comment #9)
> We could probably backport this to older branches as well, though it will
> only affect keywords since tags don't exist there. Thoughts?

Probably a good idea as someone with editkeywords privs could use the same trick to do XSS (but this is not exactly a security bug as someone with editkeywords privs should be considered as a trusted user).

Comment 11

[Reed Loden [:reed]]

Attachment: patch - v1 (4.2 branch)

4.2-only patch.

Comment 12

[Reed Loden [:reed]]

Attachment: patch - v1 (4.0 branch)

Comment 13

[Reed Loden [:reed]]

3.6 doesn't have any of the YUI-type code, so I think we're good there.

Comment 14

[Frédéric Buclin]

Comment on attachment 627508 [details] [diff] [review]
patch - v1 (4.2 branch)

r=LpSolit

Comment 15

[Frédéric Buclin]

Comment on attachment 627511 [details] [diff] [review]
patch - v1 (4.0 branch)

r=LpSolit

Comment 16

[Reed Loden [:reed]]

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified js/field.js
Committed revision 8091.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified js/field.js
Committed revision 7710.