Closed
Bug 765430
Opened 13 years ago
Closed 11 years ago
XSS in jsonrpc.cgi on IE6/7
Categories: (Bugzilla :: WebService, defect)
Status: RESOLVED INVALID
People: (Reporter: netfuzzerr, Unassigned)
Attachments: (3 files, 1 obsolete file)
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1171.0 Safari/537.1
Steps to reproduce:
Hi,
Bugzilla does not escape bad chars in the JSON response. This can allow XSS attacks on IE.
PoC: https://landfill.bugzilla.org/bugzilla-tip/jsonrpc.cgi/?method=User.get&params="<iframe%20onload=alert('XSS')>":"aa"&a.html
Tested on IE 6.
The patch for this is to convert the dangerous characters to JavaScript escapes.
Cheers,
Mario.
Comment 1•13 years ago
This sounds like a big fail on IE's part (especially with regards to the ending ".html" causing it to render). Not sure we can (or want to) do much here.
http://blog.watchfire.com/wfblog/2011/10/json-based-xss-exploitation.html has more detail.
Comment 2•13 years ago
So, will you ignore it? This is not exploitable on IE8+ due to the header X-Content-Type-Options: nosniff, but it is still exploitable on IE6/7. The patch is just to replace "<" with "\u003c", ">" with "\u003e" and "&" with "\u0026".
This is not the first time that this happens; you already patched a similar flaw in bug 637981. So, why ignore it?
Comment 3•13 years ago
I cannot reproduce the XSS attack, because the page is downloaded locally before being opened, and so you cannot do any harm. I also had to write jsonrpc.cgi? instead of jsonrpc.cgi/? else IE doesn't recognize "jsonrpc" at all.
Note that the whole error message is:
Could not parse the 'params' argument as valid JSON. Error: garbage after JSON object, at character offset 30 (before \":\"aa\"\") at Bugzilla/WebService/Server/JSONRPC.pm line 155. at Bugzilla/WebService/Server/JSONRPC.pm line 155 eval {...} called at Bugzilla/WebService/Server/JSONRPC.pm line 154 Bugzilla::WebService::Server::JSONRPC::retrieve_json_from_get('Bugzilla::WebService::Server::JSONRPC=HASH(0xa59b320)') called at /usr/lib/perl5/vendor_perl/5.14.2/JSON/RPC/Legacy/Server.pm line 110 JSON::RPC::Legacy::Server::handle('Bugzilla::WebService::Server::JSONRPC=HASH(0xa59b320)') called at /var/www/html/bugzilla/jsonrpc.cgi line 27
Assignee: general → webservice
Component: Bugzilla-General → WebService
Version: unspecified → 4.3.1
Comment 4•13 years ago
I got it on Chrome.
{"error":{"message":"Could not parse the 'params' argument as valid JSON. Error: Value: \"<iframe onload=alert('XSS')>\":\"aa\"","code":32000},"id":"https://landfill.bugzilla.org/bugzilla-tip/","result":null}
Comment 5•13 years ago
Comment 6•13 years ago
What version have you tested?
(In reply to Frédéric Buclin from comment #3)
> I cannot reproduce the XSS attack, because the page is downloaded locally
> before being opened, and so you cannot do any harm. I also had to write
> jsonrpc.cgi? instead of jsonrpc.cgi/? else IE doesn't recognize "jsonrpc" at
> all.
>
>
> Note that the whole error message is:
>
> Could not parse the 'params' argument as valid JSON. Error: garbage after
> JSON object, at character offset 30 (before \":\"aa\"\") at
> Bugzilla/WebService/Server/JSONRPC.pm line 155. at
> Bugzilla/WebService/Server/JSONRPC.pm line 155 eval {...} called at
> Bugzilla/WebService/Server/JSONRPC.pm line 154
> Bugzilla::WebService::Server::JSONRPC::retrieve_json_from_get('Bugzilla::
> WebService::Server::JSONRPC=HASH(0xa59b320)') called at
> /usr/lib/perl5/vendor_perl/5.14.2/JSON/RPC/Legacy/Server.pm line 110
> JSON::RPC::Legacy::Server::handle('Bugzilla::WebService::Server::
> JSONRPC=HASH(0xa59b320)') called at /var/www/html/bugzilla/jsonrpc.cgi line
> 27
Comment 7•13 years ago
(In reply to Mario Gomes from comment #6)
> What version have you tested?
IE6 and IE9.
Comment 8•13 years ago
As I said before, this works only on IE6/7 (in these versions there is no X-Content-Type-Options).
(In reply to Frédéric Buclin from comment #7)
> (In reply to Mario Gomes from comment #6)
> > What version have you tested?
>
> IE6 and IE9.
Summary: XSS on jsonrpc is possible on IE. → XSS on jsonrpc is possible on IE6/7.
Comment 10•13 years ago
Updated•13 years ago
Comment 11•13 years ago
Sure, this could be exploited in all IE versions, but since Bugzilla uses X-Content-Type-Options this is not possible on IE8/9/10.
(In reply to Frédéric Buclin from comment #10)
> The URL that reed posted in comment 1 shows that all versions of IE are
> affected, not only IE6 and 7. And in comment 7, I mentioned IE6.
Comment 12•13 years ago
I don't know how your IE browser is configured, but both IE6 and IE9 first download the HTML page locally before opening it, which means that the iframe is executed locally and so is not exploitable. If this is the default behavior, then this means you deactivated some security restrictions.
Do you have a real PoC which works rather than the harmless alert('XSS') popup?
Comment 13•13 years ago
Updated•13 years ago
Attachment #634136 -
Attachment is obsolete: true
Updated•13 years ago
Attachment #634136 -
Attachment mime type: application/octet-stream → text/javascript
Comment 14•13 years ago
Is someone here able to trigger it?
Try it: https://landfill.bugzilla.org/bugzilla-tip/jsonrpc.cgi/.html?method=User.get&params="<script>alert(location.href)</script>":"aa"
Comment 15•13 years ago
@Byron, Reed: Are you able to reproduce it?
Comment 16•13 years ago
(In reply to Mario Gomes from comment #14)
> Someone here is able to trigger it?
>
> Try it:
> https://landfill.bugzilla.org/bugzilla-tip/jsonrpc.cgi/.html?method=User.
> get&params="<script>alert(location.href)</script>":"aa"
IE6 complains that it cannot download "aa". Looks like this PoC doesn't work either.
Comment 17•13 years ago
Can you attach a screenshot? I really don't understand why you cannot reproduce it; I can do it easily.
(In reply to Frédéric Buclin from comment #16)
> (In reply to Mario Gomes from comment #14)
> > Someone here is able to trigger it?
> >
> > Try it:
> > https://landfill.bugzilla.org/bugzilla-tip/jsonrpc.cgi/.html?method=User.
> > get&params="<script>alert(location.href)</script>":"aa"
>
> IE6 complains that it cannot download "aa". Looks like this PoC doesn't work
> either.
Updated•13 years ago
Comment 18•13 years ago
IE 6 is unable to download anything.
Comment 19•13 years ago
That's strange, I am still able to reproduce it. Is there someone else who has this problem too?
(In reply to Frédéric Buclin from comment #18)
> Created attachment 634498 [details]
> screenshot - IE6
>
> IE 6 is unable to download anything.
Comment 20•13 years ago
Frederic, look at this screenshot on IE7.
Comment 21•13 years ago
Updated•13 years ago
Attachment #633802 -
Attachment mime type: image/png → image/png; charset=utf-7
Comment 22•13 years ago
(In reply to Mario Gomes from comment #20)
> Frederic, look this screenshot on IE7.
I don't see how this is related to this bug. You are just trying to abuse IE7 using a well-known trick. IE8 and newer are no longer vulnerable to this problem.
Also, please don't use bmo for your tests. You generate bugmails uselessly.
Comment 23•13 years ago
I'm just trying to show that I can reproduce this bug (which does not seem to be taken seriously) on IE7 with the default config.
Comment 24•13 years ago
Frederic, can you explain what the difference is between https://landfill.bugzilla.org/bugzilla-tip/ and https://landfill.bugzilla.org/bugzilla-4.2-branch/? Are vulnerabilities found in that channel as valid as on https://landfill.bugzilla.org/bugzilla-tip/?
Comment 25•13 years ago
Long time, no fix. Nobody will fix this? And can this be eligible for a bounty? ;)
Comment 26•13 years ago
Closing... bug ignored...
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Comment 27•13 years ago
Seems like the patch in bug 243764 may "fix" this on trunk... Can somebody confirm?
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
Comment 30•12 years ago
Just a tip: you can fix this by adding "Content-Disposition: attachment"; it will not allow the page to be viewed directly by the browser.
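The hardening the reporter describes in comments 2 and 30, as an added example that is not Bugzilla's own code: escape `<`, `>` and `&` to `\u` sequences in the serialized JSON (the result is still valid JSON and decodes to the same data) and send `X-Content-Type-Options: nosniff` plus `Content-Disposition: attachment`. The `response_headers` helper and the sample error object are hypothetical/constructed, the latter shaped like the response quoted in comment 4.

```python
import json

# The three characters that let a content-sniffing browser treat a JSON body
# as HTML. Comment 2 proposes replacing them with \uXXXX escapes, which stay
# valid JSON and decode back to the same characters.
_HTML_SAFE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}

def encode_json_safely(payload) -> str:
    """Serialize payload to JSON with no literal <, > or & in the output.
    json.dumps never emits these characters inside its own escape sequences,
    so a plain replace on the serialized string cannot corrupt the document."""
    text = json.dumps(payload, ensure_ascii=False)
    for ch, esc in _HTML_SAFE.items():
        text = text.replace(ch, esc)
    return text

def roundtrips(payload) -> bool:
    """True if the escaped body parses back to the original structure."""
    return json.loads(encode_json_safely(payload)) == payload

def contains_markup(text: str) -> bool:
    """True if the body still holds characters a sniffer could read as markup."""
    return any(c in text for c in "<>&")

def response_headers(body: str) -> dict:
    """Hypothetical helper: defensive headers for the JSON-RPC response."""
    return {
        "Content-Type": "application/json; charset=UTF-8",
        "X-Content-Type-Options": "nosniff",  # IE8+ stops sniffing (comment 2)
        "Content-Disposition": "attachment",  # download, never render (comment 30)
        "Content-Length": str(len(body.encode("utf-8"))),
    }

# Constructed sample shaped like the error object in comment 4: the message
# echoes the attacker-controlled 'params' value back to the client.
SAMPLE_ERROR = {
    "error": {
        "message": "Could not parse the 'params' argument as valid JSON. "
                   "Error: Value: \"<iframe onload=alert('XSS')>\":\"aa\"",
        "code": 32000,
    },
    "id": "https://landfill.bugzilla.org/bugzilla-tip/",
    "result": None,
}

if __name__ == "__main__":
    print(encode_json_safely(SAMPLE_ERROR))
```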
Updated•12 years ago
Summary: XSS on jsonrpc is possible on IE6/7. → %PDF-1.5trailer<</Root<</Pages<<>>/OpenAction<</S/JavaScript/JS(app.alert({cMsg:this.path});)>>>>>>%%EOF
Updated•12 years ago
Summary: %PDF-1.5trailer<</Root<</Pages<<>>/OpenAction<</S/JavaScript/JS(app.alert({cMsg:this.path});)>>>>>>%%EOF → XSS in jsonrpcg.cgi on IE6/7
Comment 31•12 years ago
I already asked you to stop playing with bmo. Use landfill for your tests.
Summary: XSS in jsonrpcg.cgi on IE6/7 → XSS in jsonrpc.cgi on IE6/7
Updated•12 years ago
Updated•11 years ago
Attachment #633802 -
Attachment mime type: image/png; charset=utf-7 → image/png
Updated•11 years ago
Updated•11 years ago
Summary: XSS in jsonrpc.cgi on IE6/7 → XSS in jsonrpc.cgi on IE6/7(payload: "'></title><img src=x onerror=confirm(2);>)
Updated•11 years ago
Summary: XSS in jsonrpc.cgi on IE6/7(payload: "'></title><img src=x onerror=confirm(2);>) → XSS in jsonrpc.cgi on IE6/7
Comment 32•11 years ago
Doesn't work anymore.
Status: REOPENED → RESOLVED
Closed: 13 years ago → 11 years ago
Resolution: --- → INVALID
Comment 33•11 years ago
IE 6 and 7 are no longer supported, and the reporter says this issue no longer works.
Group: bugzilla-security