Closed
Bug 785917
Opened 12 years ago
Closed 12 years ago
Custom field descriptions are not properly escaped when displayed as bug list column headers
Categories
(Bugzilla :: Query/Bug List, defect)
Tracking
(RESOLVED FIXED, target milestone Bugzilla 3.6)
People
(Reporter: insecurity.ro, Assigned: LpSolit)
Attachments
(1 file, 1 obsolete file)
patch, v1 (1.32 KB, patch): review+ from glob
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:
Hello again)

Actual results:
PoC later. If it's new, ok, I'll put a PoC later. See here:
https://1zxl51jv7q3c.demo.bugzilla.org/
https://1zxl51jv7q3c.demo.bugzilla.org/buglist.cgi?list_id=64814&query_format=advanced&tag=%22%3E%3Cbody%20onload%3Dalert%28document.cookie%29%3E&query_based_on=&columnlist=product%2Ccomponent%2Cassigned_to%2Cbug_status%2Cresolution%2Cshort_desc%2Cchangeddate%2Ccf_frad
It works only when you are logged in with a login and password. My admin login (on demo site): insecurity.ro@gmail.com Password: 1a2a3a
bugzilla.mozilla.org isn't running Bugzilla 4.2. The URL provided doesn't trigger an XSS. Please attach proofs of concept or a full description of the issue when reporting issues.
Assignee: nobody → query-and-buglist
Component: General → Query/Bug List
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Version: Production → 4.2
Updated • 12 years ago
Version: 4.2 → 4.2.2
Do you use a login with a password? It works only with a login and password, and the browser Mozilla Firefox without plugins. Ok, PoC later.
Comment 3 • 12 years ago
I can confirm this. <a href="buglist.cgi?columnlist=product%2Ccomponent%2Cassigned_to%2Cbug_status%2Cresolution%2Cshort_desc%2Cchangeddate%2Ccf_frad&list_id=64814&query_format=advanced&tag=%22%3E%3Cbody%20onload%3Dalert%28document.cookie%29%3E&order=cf_frad%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&query_based_on=">></script><script>alert("4")</script></a>
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4 • 12 years ago
Please still attach a working PoC, but at least I see where the issue is (just not the cause yet).
Comment 5 • 12 years ago
template/en/default/list/list.html.tmpl
[% urlquerypart FILTER html %]&query_based_on=
[% defaultsavename OR searchname FILTER uri %]">Change Columns</a> |
Possibly looks like defaultsavename isn't getting the |FILTER uri| applied to it.
Comment 6 • 12 years ago
Actually, this is probably in template/en/default/list/table.html.tmpl instead...
Yes, it's not in the URL. I forgot when I put the XSS code (in other fields), and later I'd maybe put a PoC, but I see you put your PoC and it's true. But it's an interesting idea; maybe I can find other things.
Comment 8 • 12 years ago (Assignee)
The problem is the content of the description of the custom field.
Summary: bugzilla 4.2.2 xss url buglist.cgi → Custom field descriptions are not filtered in buglists
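The column header directive from the table.html.tmpl hunk in comment 14, rendered before and after the committed change with Template Toolkit; this is an added example, not Bugzilla's own code. It assumes the Template module is installed; the column name cf_frad is the one from the reporter's URL, and the field description containing markup is constructed sample data.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla's code): render the bug-list column header
# directive from bug 785917 before and after the fix, to show what
# "FILTER html" changes when a custom field description carries markup.
use strict;
use warnings;
use Template;    # Template Toolkit, assumed to be installed

# Constructed sample data. "id" is the column being rendered; the custom
# field description is admin-entered text, which is what comment 8 names
# as the problem. No abbreviation exists for this column, so the "||" chain
# falls through to field_descs.$id.
my $vars = {
    id          => 'cf_frad',
    abbrev      => {},
    field_descs => { cf_frad => 'Frad <b>Test</b> "quoted"' },
    column      => { title => 'Fallback Title' },
};

# The header expression as it stood before the patch, and as committed.
my %directives = (
    before => '[%- abbrev.$id.title || field_descs.$id || column.title -%]',
    after  => '[%- abbrev.$id.title || field_descs.$id || column.title FILTER html -%]',
);

my $tt = Template->new() or die Template->error();
for my $name (qw(before after)) {
    my $out = '';
    # process() accepts the template text as a scalar ref and writes
    # the rendered header into $out.
    $tt->process(\$directives{$name}, $vars, \$out) or die $tt->error();
    print "$name: $out\n";
}
```

The "before" line emits the description's tags verbatim into the header markup; the "after" line emits them as entity-escaped text, which is the whole content of the fix.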
Updated • 12 years ago
Flags: blocking4.4?
Flags: blocking4.2.3?
Summary: Custom field descriptions are not filtered in buglists → [SECURITY] Custom field descriptions are not properly escaped when displayed as bug list column headers
Comment 9 • 12 years ago (Assignee)
Assignee: query-and-buglist → LpSolit
Attachment #655618 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #655642 -
Flags: review?(glob)
Comment 10 • 12 years ago
Comment on attachment 655642 [details] [diff] [review] patch, v1 r=glob
Attachment #655642 -
Flags: review?(glob) → review+
Comment 11 • 12 years ago (Assignee)
We don't consider XSS which can be created by admins only as a security issue, so removing the sec flag. We will take this patch for older branches as this problem may break the UI, though. Thanks for finding this bug, Sony! :)
Group: bugzilla-security
Flags: blocking4.4?
Flags: blocking4.4+
Flags: blocking4.2.3?
Flags: blocking4.2.3+
Flags: approval4.2+
Flags: approval4.0+
Flags: approval3.6+
Flags: approval+
Summary: [SECURITY] Custom field descriptions are not properly escaped when displayed as bug list column headers → Custom field descriptions are not properly escaped when displayed as bug list column headers
Target Milestone: --- → Bugzilla 3.6
Comment 12 • 12 years ago (Assignee)
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 8358.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 8123.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 7718.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 7295.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 13 • 12 years ago (Reporter)
ok, good:)
Comment 14 • 12 years ago
Comment on attachment 655642 [details] [diff] [review] patch, v1 >Index: template/en/default/list/table.html.tmpl >=================================================================== >RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/list/table.html.tmpl,v >retrieving revision 1.65 >diff -p -u -r1.65 table.html.tmpl >--- template/en/default/list/table.html.tmpl 26 Feb 2012 00:01:34 -0000 1.65 >+++ template/en/default/list/table.html.tmpl 27 Aug 2012 17:39:27 -0000 >@@ -119,7 +119,7 @@ > [% PROCESS new_order %] > [%-#%]&amp;query_based_on= > [% defaultsavename OR searchname FILTER uri %]"> >- [%- abbrev.$id.title || field_descs.$id || column.title -%] >+ [%- abbrev.$id.title || field_descs.$id || column.title FILTER html -%] > [% PROCESS order_arrow ~%] > </a> > </th> >Index: template/en/default/filterexceptions.pl >=================================================================== >RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v >retrieving revision 1.151 >diff -p -u -r1.151 filterexceptions.pl >--- template/en/default/filterexceptions.pl 12 Aug 2012 10:30:43 -0000 1.151 >+++ template/en/default/filterexceptions.pl 27 Aug 2012 17:39:27 -0000 >@@ -138,7 +138,6 @@ > 'list/table.html.tmpl' => [ > 'tableheader', > 'bug.bug_id', >- 'abbrev.$id.title || field_descs.$id || column.title', > ], > > 'list/list.csv.tmpl' => [
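Review bot: in the table.html.tmpl hunk, the `FILTER html` appended to `[%- abbrev.$id.title || field_descs.$id || column.title FILTER html -%]` has to bind to the whole `||` chain rather than only to `column.title`, because the value that needs escaping is the custom field description arriving through `field_descs.$id`; the fix being committed and the bug resolved indicates it does, but the review should confirm it by rendering a description containing `<` and `"` and inspecting the header source. Note that `abbrev.$id.title` is now escaped as well, so any abbreviation title that deliberately contained markup would render literally.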
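Review bot: in the filterexceptions.pl hunk, removing `'abbrev.$id.title || field_descs.$id || column.title'` from the `list/table.html.tmpl` list is the necessary companion to the template change: that exception is what allowed the directive to ship without a filter, and with it gone the filter check will flag the directive if the `FILTER html` is ever dropped again. The remaining entries `'tableheader'` and `'bug.bug_id'` stay exempt, so it is worth confirming neither can carry admin-editable text the way the field description did.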