Bug 754561 - Tags should be escaped in the auto-complete form
Status: RESOLVED FIXED
Whiteboard: [infrasec:xss][ws:low]
Product: Bugzilla
Classification: Server Software
Component: User Interface
Version: 4.3
Hardware: All All
Importance: -- normal
Target Milestone: Bugzilla 4.0
Assigned To: Reed Loden [:reed] (use needinfo?)
QA Contact: default-qa
Depends on: 616191
Reported: 2012-05-12 05:14 PDT by Mario Gomes
Modified: 2012-05-29 07:47 PDT
Flags: LpSolit: approval+, LpSolit: approval4.2+, LpSolit: approval4.0+

Attachments
patch - v1 (trunk) (540 bytes, patch) - 2012-05-12 13:18 PDT, Reed Loden [:reed] (use needinfo?) - LpSolit: review+
patch - v1 (4.2 branch) (542 bytes, patch) - 2012-05-26 14:10 PDT, Reed Loden [:reed] (use needinfo?) - LpSolit: review+
patch - v1 (4.0 branch) (891 bytes, patch) - 2012-05-26 14:23 PDT, Reed Loden [:reed] (use needinfo?) - LpSolit: review+

Description Mario Gomes 2012-05-12 05:14:30 PDT
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.3 Safari/536.11

Steps to reproduce:

Hello,

There is a persistent cross-site scripting vulnerability in the "Tag" field. The flaw allows attackers to steal cookies and do phishing attacks.

Reproduce:
1. Log on bugzilla landfill.
2. Go to https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=18058.
3. In the "Tags" field, add "," (this is necessary to activate the autocomplete and trigger the XSS).
4. See the alert.

Vulnerable Code
================
Doesn't escape the variable YAHOO.bugzilla.field_array["tag"] that will be posted in the autocomplete field.
--------------
<script type="text/javascript" defer="defer">
         if (typeof YAHOO.bugzilla.field_array === "undefined")
           YAHOO.bugzilla.field_array = [];
         YAHOO.bugzilla.field_array["tag"] = ["\x3cscript\x3ealert(1)\x3c\/script\x3e","\x3ciframe\/src=javascript:alert(\'xss\')\x3eaa\x3c\/iframe\x3e","\x3cmarquee\x3eaaaaaaaaaaaaaaa\x3c\/marquee\x3e"];
         YAHOO.bugzilla.fieldAutocomplete.init('tag',
                                               'tag_autocomplete');
       </script>
--------------
===============

Cheers,
Mario.
Comment 1 Mario Gomes 2012-05-12 06:48:08 PDT
Patch
==========
<script type="text/javascript" defer="defer">
  if (typeof YAHOO.bugzilla.field_array === "undefined")
    YAHOO.bugzilla.field_array = [];
  var data = ["\x3cscript\x3ealert(1)\x3c\/script\x3e","\x3ciframe\/src=javascript:alert(\'xss\')\x3eaa\x3c\/iframe\x3e","\x3cmarquee\x3eaaaaaaaaaaaaaaa\x3c\/marquee\x3e"];
  // HTML-escape each tag before it is handed to the autocomplete widget,
  // which renders the suggestions as HTML.
  var escapeData = [];
  for (var i = 0; i < data.length; i++)
    escapeData.push(data[i].replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;"));
  YAHOO.bugzilla.field_array["tag"] = escapeData;
  YAHOO.bugzilla.fieldAutocomplete.init('tag',
                                        'tag_autocomplete');
</script>
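The two escaping contexts behind the description and the patch in comment 1, as an added example that is not part of this bug, of Bugzilla's js/field.js, or of YUI: the server already escapes the tag names for the JavaScript string context (the \x3c/\x3e in the array literal), which keeps "</script>" from closing the block but hands the raw "<" back to the script at run time; the autocomplete then builds HTML from those strings, a second context that needs HTML escaping at render time. The formatter, widget and check functions below are invented for illustration, and the three tag names are constructed sample data.

```javascript
// Added example (not Bugzilla's code). All function names are invented.

// Constructed sample: three tag names as a user could store them.
const TAGS = [
  "<script>alert(1)</script>",
  "<iframe/src=javascript:alert('xss')>aa</iframe>",
  "regression",
];

// Context 1: JavaScript string literal inside a <script> block. This is the
// escaping the page already shows; it protects the script block, nothing else.
function jsArrayLiteral(values) {
  return JSON.stringify(values)
    .replace(/</g, "\\x3c")
    .replace(/>/g, "\\x3e")
    .replace(/\u2028/g, "\\u2028") // line terminators JSON allows but JS string literals did not
    .replace(/\u2029/g, "\\u2029");
}

// Round trip through context 1: the raw "<" survives into the running script.
function decodeJsArrayLiteral(literal) {
  return new Function("return " + literal + ";")();
}

// Context 2: HTML text. This escape is prefix-preserving
// (escapeHtml(a + b) === escapeHtml(a) + escapeHtml(b)), so prefix
// matching for autocomplete still works on the escaped strings.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Wrap the matched prefix in <strong>, as autocomplete widgets commonly do.
function highlight(tag, query) {
  if (query === "") return tag;
  const re = new RegExp("^(" + escapeRegExp(query) + ")", "i");
  return tag.replace(re, "<strong>$1</strong>");
}

// Vulnerable formatter: untrusted tag text concatenated straight into markup.
function formatResultVulnerable(tag, query) {
  return "<li>" + highlight(tag, query) + "</li>";
}

// Hardened formatter: escape the data first, then add the trusted markup.
function formatResultHardened(tag, query) {
  return "<li>" + highlight(escapeHtml(tag), escapeHtml(query)) + "</li>";
}

// Build the suggestion list; an empty query (the "," trick in the report)
// shows every stored tag.
function renderSuggestions(tags, query, formatter) {
  const q = query.toLowerCase();
  const items = tags.filter((t) => t.toLowerCase().startsWith(q));
  return "<ul>" + items.map((t) => formatter(t, query)).join("") + "</ul>";
}

// Check: list every element in the rendered HTML that the formatter did not
// emit itself. A non-empty result means untrusted data became markup.
const EMITTED_TAGS = new Set(["ul", "/ul", "li", "/li", "strong", "/strong"]);
function unexpectedTags(html) {
  const found = [];
  const re = /<(\/?[a-zA-Z][^\s>\/]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (!EMITTED_TAGS.has(name)) found.push(name);
  }
  return found;
}

const vuln = renderSuggestions(TAGS, "", formatResultVulnerable);
const safe = renderSuggestions(TAGS, "", formatResultHardened);
console.log("vulnerable:", vuln, "\n  injected:", unexpectedTags(vuln));
console.log("hardened:  ", safe, "\n  injected:", unexpectedTags(safe));
```

The order matters: escape the data, then apply the markup. Escaping the finished `<li>...<strong>` string instead would neutralise the widget's own elements along with the payload. The highlight still works on the escaped strings because the query is escaped the same way before the prefix regexp is built.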
Comment 2 Reed Loden [:reed] (use needinfo?) 2012-05-12 13:18:43 PDT
Created attachment 623452 [details] [diff] [review]
patch - v1 (trunk)

I think this will work...
Comment 3 Frédéric Buclin 2012-05-13 15:51:11 PDT
Mario, what are the exact tags you entered? Tags are per user, and so the attacker cannot attack anyone except himself. So that's neither a security bug nor a major one. Clearing the status whiteboard as well as the decision was certainly overestimated.
Comment 4 Mario Gomes 2012-05-13 15:52:38 PDT
Nope, I have tested with another account and the XSS works.
Comment 5 Reed Loden [:reed] (use needinfo?) 2012-05-13 15:57:45 PDT
I was only able to reproduce this on a per-user basis, but it's definitely a bug. The attached patch was tested on a landfill instance, and it seemed to work fine.
Comment 6 Gervase Markham [:gerv] 2012-05-14 01:29:12 PDT
Mario: can you explain more about how user A can XSS user B? When does user B get to see user A's tags?

Gerv
Comment 7 Mario Gomes 2012-05-14 02:55:07 PDT
Ah, I can't reproduce this (testing with a third account doesn't work). :(

Anyway, using the old attachments bug (bug 728892) could make this work as an exploitation vector.

(In reply to Gervase Markham [:gerv] from comment #6)
> Mario: can you explain more about how user A can XSS user B? When does user
> B get to see user A's tags?
> 
> Gerv
Comment 8 Frédéric Buclin 2012-05-17 16:26:04 PDT
Comment on attachment 623452 [details] [diff] [review]
patch - v1 (trunk)

r=LpSolit
Comment 9 Reed Loden [:reed] (use needinfo?) 2012-05-17 16:30:19 PDT
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified js/field.js
Committed revision 8231.

We could probably backport this to older branches as well, though it will only affect keywords since tags don't exist there. Thoughts?
Comment 10 Frédéric Buclin 2012-05-17 16:34:44 PDT
(In reply to Reed Loden [:reed] (very busy) from comment #9)
> We could probably backport this to older branches as well, though it will
> only affect keywords since tags don't exist there. Thoughts?

Probably a good idea as someone with editkeywords privs could use the same trick to do XSS (but this is not exactly a security bug as someone with editkeywords privs should be considered as a trusted user).
Comment 11 Reed Loden [:reed] (use needinfo?) 2012-05-26 14:10:05 PDT
Created attachment 627508 [details] [diff] [review]
patch - v1 (4.2 branch)

4.2-only patch.
Comment 12 Reed Loden [:reed] (use needinfo?) 2012-05-26 14:23:59 PDT
Created attachment 627511 [details] [diff] [review]
patch - v1 (4.0 branch)
Comment 13 Reed Loden [:reed] (use needinfo?) 2012-05-26 14:25:09 PDT
3.6 doesn't have any of the YUI-type code, so I think we're good there.
Comment 14 Frédéric Buclin 2012-05-29 04:14:50 PDT
Comment on attachment 627508 [details] [diff] [review]
patch - v1 (4.2 branch)

r=LpSolit
Comment 15 Frédéric Buclin 2012-05-29 04:31:25 PDT
Comment on attachment 627511 [details] [diff] [review]
patch - v1 (4.0 branch)

r=LpSolit
Comment 16 Reed Loden [:reed] (use needinfo?) 2012-05-29 07:47:12 PDT
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified js/field.js
Committed revision 8091.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified js/field.js
Committed revision 7710.
