
Custom field descriptions are not properly escaped when displayed as bug list column headers

RESOLVED FIXED in Bugzilla 3.6

Status


Bugzilla
Query/Bug List
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Sony, Assigned: Frédéric Buclin)

Tracking

4.2.2
Bugzilla 3.6
Bug Flags:
approval +
blocking4.4 +
approval4.2 +
blocking4.2.3 +
approval4.0 +
approval3.6 +

Details

Attachments

(1 attachment, 1 obsolete attachment)

1.32 KB, patch; glob: review+
(Reporter)

Description

5 years ago
Created attachment 655618 [details]
456.jpg

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

Hello again)

Actual results:

PoC later. If it's new, OK, I'll put a PoC later.

See here:

https://1zxl51jv7q3c.demo.bugzilla.org/

https://1zxl51jv7q3c.demo.bugzilla.org/buglist.cgi?list_id=64814&query_format=advanced&tag=%22%3E%3Cbody%20onload%3Dalert%28document.cookie%29%3E&query_based_on=&columnlist=product%2Ccomponent%2Cassigned_to%2Cbug_status%2Cresolution%2Cshort_desc%2Cchangeddate%2Ccf_frad

It works only when using a login and password.

My admin login (on demo site): insecurity.ro@gmail.com

Password: 1a2a3a
bugzilla.mozilla.org isn't running Bugzilla 4.2.

The URL provided doesn't trigger an XSS.
Please attach proofs of concept or a full description of the issue when reporting issues.
Assignee: nobody → query-and-buglist
Component: General → Query/Bug List
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Version: Production → 4.2
Version: 4.2 → 4.2.2
(Reporter)

Comment 2

5 years ago
Do you use a login with a password? It works only with a login and password, and with the Mozilla Firefox browser without plugins.

Ok, PoC later.
I can confirm this.

    <a href="buglist.cgi?columnlist=product%2Ccomponent%2Cassigned_to%2Cbug_status%2Cresolution%2Cshort_desc%2Cchangeddate%2Ccf_frad&amp;list_id=64814&amp;query_format=advanced&amp;tag=%22%3E%3Cbody%20onload%3Dalert%28document.cookie%29%3E&amp;order=cf_frad%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&amp;query_based_on=">></script><script>alert("4")</script></a>
Status: UNCONFIRMED → NEW
Ever confirmed: true
Please still attach a working PoC, but at least I see where the issue is (just not the cause yet).
template/en/default/list/list.html.tmpl
        [% urlquerypart FILTER html %]&amp;query_based_on=
          [% defaultsavename OR searchname FILTER uri %]">Change&nbsp;Columns</a> |

Possibly looks like defaultsavename isn't getting the |FILTER uri| applied to it.
Actually, this is probably in template/en/default/list/table.html.tmpl instead...
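The comments above narrow the cause down to a Template Toolkit directive in table.html.tmpl that emits the column title without `FILTER html`, while Bugzilla's filterexceptions.pl lists the directives that are knowingly left unfiltered. The following added example (not Bugzilla's own code; a constructed model of that convention) is a small linter that flags output directives lacking a filter unless they appear in an exceptions list, plus an `escape_column_title` helper that mirrors what the `html` filter does to a hostile custom-field description. The template fragments, the `HEADER_BEFORE`/`HEADER_AFTER` names and the sample description are constructed for this illustration.

```python
import re
import html

# Added illustration, not Bugzilla code. It models two things the bug
# discussion turns on: Template Toolkit's `FILTER html` escaping of a column
# title, and the project's convention that every output directive in a
# template is filtered unless it is listed in filterexceptions.pl.

# One [% ... %] directive, allowing the -/~ whitespace-chomping flags.
DIRECTIVE_RE = re.compile(r'\[%[-~]?\s*(.*?)\s*[-~]?%\]', re.S)

# Directives that emit no output themselves and so need no filter.
CONTROL_KEYWORDS = {
    'PROCESS', 'INCLUDE', 'INSERT', 'IF', 'UNLESS', 'ELSIF', 'ELSE', 'END',
    'FOREACH', 'WHILE', 'SET', 'DEFAULT', 'USE', 'BLOCK', 'WRAPPER',
    'RETURN', 'NEXT', 'LAST', 'MACRO', 'CALL',
}

# Filters accepted as "safe" by this toy check (a subset of what Bugzilla allows).
FILTER_RE = re.compile(r'\bFILTER\s+(html|uri|js|xml|csv|none)\b')


def unfiltered_directives(template_text, exceptions=()):
    """Return output directives that carry no FILTER and are not exempted.

    `exceptions` plays the role of the per-template list in
    filterexceptions.pl: directive bodies that are knowingly left unfiltered.
    """
    flagged = []
    for match in DIRECTIVE_RE.finditer(template_text):
        body = match.group(1).strip()
        if not body or body.startswith('#'):
            continue                      # [%# comment %] or empty directive
        if body.split(None, 1)[0] in CONTROL_KEYWORDS:
            continue                      # control flow, produces no output
        if FILTER_RE.search(body):
            continue                      # explicitly escaped
        if body in exceptions:
            continue                      # deliberately exempted
        flagged.append(body)
    return flagged


def escape_column_title(title):
    """Mirror Template Toolkit's `html` filter: &, <, > and " are escaped."""
    return html.escape(title, quote=False).replace('"', '&quot;')


# --- Constructed inputs modelled on the hunk quoted later in this bug --------

HEADER_BEFORE = '''
      [% PROCESS new_order %]
      [%-#%]&amp;query_based_on=
      [% defaultsavename OR searchname FILTER uri %]">
        [%- abbrev.$id.title || field_descs.$id || column.title -%]
        [% PROCESS order_arrow ~%]
    </a>
  </th>
'''

HEADER_AFTER = HEADER_BEFORE.replace(
    'column.title -%]', 'column.title FILTER html -%]')

# The entry the fix removes from filterexceptions.pl.
OLD_EXCEPTIONS = ('abbrev.$id.title || field_descs.$id || column.title',)

# A custom-field description carrying markup (constructed sample).
HOSTILE_DESCRIPTION = 'Field "><i>injected</i>'


if __name__ == '__main__':
    print('before, exception kept :', unfiltered_directives(HEADER_BEFORE, OLD_EXCEPTIONS))
    print('before, exception gone :', unfiltered_directives(HEADER_BEFORE))
    print('after,  exception gone :', unfiltered_directives(HEADER_AFTER))
    print('escaped title          :', escape_column_title(HOSTILE_DESCRIPTION))
```

Run as a script, the first call reports nothing because the unfiltered directive is covered by the exception, the second flags it once the exception is removed, and the third is clean again once `FILTER html` is present; that is exactly why the fix has to touch both files. The escaped title shows the description rendered as inert text inside the `<th>` link.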
(Reporter)

Comment 7

5 years ago
Yes, it's not in the URL. I forgot when I put the XSS code (in other fields), and I was going to put a PoC later, but I see you put your PoC and it's true. But interesting idea, maybe I can find other things.
(Assignee)

Comment 8

5 years ago
The problem is the content of the description of the custom field.
Summary: bugzilla 4.2.2 xss url buglist.cgi → Custom field descriptions are not filtered in buglists
Flags: blocking4.4?
Flags: blocking4.2.3?
Summary: Custom field descriptions are not filtered in buglists → [SECURITY] Custom field descriptions are not properly escaped when displayed as bug list column headers
(Assignee)

Comment 9

5 years ago
Created attachment 655642 [details] [diff] [review]
patch, v1
Assignee: query-and-buglist → LpSolit
Attachment #655618 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #655642 - Flags: review?(glob)
Comment on attachment 655642 [details] [diff] [review]
patch, v1

r=glob
Attachment #655642 - Flags: review?(glob) → review+
(Assignee)

Comment 11

5 years ago
We don't consider XSS which can be created by admins only as a security issue, so removing the sec flag. We will take this patch for older branches as this problem may break the UI, though. Thanks for finding this bug, Sony! :)
Group: bugzilla-security
Flags: blocking4.4?
Flags: blocking4.4+
Flags: blocking4.2.3?
Flags: blocking4.2.3+
Flags: approval4.2+
Flags: approval4.0+
Flags: approval3.6+
Flags: approval+
Summary: [SECURITY] Custom field descriptions are not properly escaped when displayed as bug list column headers → Custom field descriptions are not properly escaped when displayed as bug list column headers
Target Milestone: --- → Bugzilla 3.6
(Assignee)

Comment 12

5 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 8358.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 8123.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 7718.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 7295.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 13

5 years ago
OK, good :)
Comment on attachment 655642 [details] [diff] [review]
patch, v1

>Index: template/en/default/list/table.html.tmpl
>===================================================================
>RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/list/table.html.tmpl,v
>retrieving revision 1.65
>diff -p -u -r1.65 table.html.tmpl
>--- template/en/default/list/table.html.tmpl	26 Feb 2012 00:01:34 -0000	1.65
>+++ template/en/default/list/table.html.tmpl	27 Aug 2012 17:39:27 -0000
>@@ -119,7 +119,7 @@
>       [% PROCESS new_order %]
>       [%-#%]&amp;query_based_on=
>       [% defaultsavename OR searchname FILTER uri %]">
>-        [%- abbrev.$id.title || field_descs.$id || column.title -%]
>+        [%- abbrev.$id.title || field_descs.$id || column.title FILTER html -%]
>         [% PROCESS order_arrow ~%]
>     </a>
>   </th>
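Review bot: Appending `FILTER html` to the whole `abbrev.$id.title || field_descs.$id || column.title` expression, rather than to one alternative, is the right placement: the filter applies to the evaluated result of the directive, so whichever fallback wins is escaped before it becomes the link text inside the `<a>`. The hunk leaves the `href` alone, and the context line `[% defaultsavename OR searchname FILTER uri %]` shows that part already URI-encoded, so the earlier suspicion about the URL was a red herring. This covers only the `<th>` in table.html.tmpl; since the same `field_descs.$id` value is a field description rather than a list-specific string, it is worth a quick check that other templates rendering it also escape it.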
>Index: template/en/default/filterexceptions.pl
>===================================================================
>RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v
>retrieving revision 1.151
>diff -p -u -r1.151 filterexceptions.pl
>--- template/en/default/filterexceptions.pl	12 Aug 2012 10:30:43 -0000	1.151
>+++ template/en/default/filterexceptions.pl	27 Aug 2012 17:39:27 -0000
>@@ -138,7 +138,6 @@
> 'list/table.html.tmpl' => [
>   'tableheader',
>   'bug.bug_id', 
>-  'abbrev.$id.title || field_descs.$id || column.title',
> ],
> 
> 'list/list.csv.tmpl' => [
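Review bot: Removing the `'abbrev.$id.title || field_descs.$id || column.title'` entry from the `'list/table.html.tmpl'` list is the necessary companion to the template hunk, not an optional cleanup: that list records directives deliberately left unfiltered, and once the directive carries `FILTER html` a lingering entry would exempt a directive that no longer exists in that form. One style nit in the retained context: `'bug.bug_id', ` carries a trailing space; harmless, but worth trimming while this block is being touched.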