Bug 785917 - Custom field descriptions are not properly escaped when displayed as bug list column headers
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Query/Bug List
Version: 4.2.2
Hardware/OS: All All
Importance: -- normal
Target Milestone: Bugzilla 3.6
Assigned To: Frédéric Buclin
QA Contact: default-qa
Mentors:
Depends on:
Blocks:
Reported: 2012-08-27 09:39 PDT by Sony
Modified: 2012-09-10 09:21 PDT (History)
CC: 4 users
LpSolit: approval+
LpSolit: blocking4.4+
LpSolit: approval4.2+
LpSolit: blocking4.2.3+
LpSolit: approval4.0+
LpSolit: approval3.6+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
456.jpg (179.94 KB, image/jpeg) - 2012-08-27 09:39 PDT, Sony
patch, v1 (1.32 KB, patch) - 2012-08-27 10:40 PDT, Frédéric Buclin - glob: review+

Description Sony 2012-08-27 09:39:52 PDT
Created attachment 655618 [details]
456.jpg

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

Hello again)

Actual results:

PoC later. If it's new, ok, I'll put a PoC later.

See here:

https://1zxl51jv7q3c.demo.bugzilla.org/

https://1zxl51jv7q3c.demo.bugzilla.org/buglist.cgi?list_id=64814&query_format=advanced&tag=%22%3E%3Cbody%20onload%3Dalert%28document.cookie%29%3E&query_based_on=&columnlist=product%2Ccomponent%2Cassigned_to%2Cbug_status%2Cresolution%2Cshort_desc%2Cchangeddate%2Ccf_frad

It works only with login and password.

My admin login (on demo site): insecurity.ro@gmail.com

Password: 1a2a3a
Comment 1 Byron Jones ‹:glob› 2012-08-27 09:46:07 PDT
bugzilla.mozilla.org isn't running Bugzilla 4.2.

The URL provided doesn't trigger an XSS.
Please attach proof of concepts or a full description of the issue when reporting issues.
Comment 2 Sony 2012-08-27 10:16:16 PDT
Do you use a login with password? It works only with login and password. And the browser Mozilla Firefox without plugins.

Ok, PoC later.
Comment 3 Reed Loden [:reed] (use needinfo?) 2012-08-27 10:16:32 PDT
I can confirm this.

    <a href="buglist.cgi?columnlist=product%2Ccomponent%2Cassigned_to%2Cbug_status%2Cresolution%2Cshort_desc%2Cchangeddate%2Ccf_frad&amp;list_id=64814&amp;query_format=advanced&amp;tag=%22%3E%3Cbody%20onload%3Dalert%28document.cookie%29%3E&amp;order=cf_frad%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&amp;query_based_on=">></script><script>alert("4")</script></a>
Comment 4 Reed Loden [:reed] (use needinfo?) 2012-08-27 10:16:53 PDT
Please still attach a working PoC, but at least I see where the issue is (just not the cause yet).
Comment 5 Reed Loden [:reed] (use needinfo?) 2012-08-27 10:19:31 PDT
template/en/default/list/list.html.tmpl
        [% urlquerypart FILTER html %]&amp;query_based_on=
          [% defaultsavename OR searchname FILTER uri %]">Change&nbsp;Columns</a> |

Possibly looks like defaultsavename isn't getting the |FILTER uri| applied to it.
Comment 6 Reed Loden [:reed] (use needinfo?) 2012-08-27 10:21:16 PDT
Actually, this is probably in template/en/default/list/table.html.tmpl instead...
Comment 7 Sony 2012-08-27 10:24:30 PDT
Yes, it's not in the URL. I forgot when I put XSS code (in other fields) and later I may put a PoC, but I see you put your PoC and it's true. But interesting idea, maybe I can find other things.
Comment 8 Frédéric Buclin 2012-08-27 10:29:14 PDT
The problem is the content of the description of the custom field.
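As an added illustration (not Bugzilla's own code), the following Python models the column-header directive from template/en/default/list/table.html.tmpl and Bugzilla's html filter, with the pre-fix and post-fix rendering side by side and an audit of which admin-entered descriptions the filter would change. The abbrev hash, field descriptions and the simplified href are constructed assumptions.

```python
"""Added example (not Bugzilla's own code): models the column-header rendering
from template/en/default/list/table.html.tmpl and Bugzilla's ``html`` filter."""


def bugzilla_html_filter(value):
    # Approximation (assumption) of Bugzilla's html filter in 4.x: the four HTML
    # metacharacters plus '@', which Bugzilla obscures as &#64;. That '@' rule is
    # why the diff quoted in comment 14 shows the @@ hunk markers as &#64;&#64;.
    out = str(value)
    for raw, quoted in (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
                        ('"', "&quot;"), ("@", "&#64;")):
        out = out.replace(raw, quoted)
    return out


def column_title(col_id, abbrev, field_descs, column, escape=True):
    # Mirrors [%- abbrev.$id.title || field_descs.$id || column.title FILTER html -%]
    # escape=False reproduces the pre-fix directive, which had no FILTER html.
    title = (abbrev.get(col_id, {}).get("title")
             or field_descs.get(col_id)
             or column.get("title", ""))
    return bugzilla_html_filter(title) if escape else title


def header_cell(col_id, abbrev, field_descs, column, escape=True):
    # The <th> as the bug list emits it; the href is simplified here (assumption).
    text = column_title(col_id, abbrev, field_descs, column, escape)
    return '<th><a href="buglist.cgi?order=%s">%s</a></th>' % (col_id, text)


def fields_needing_escape(field_descs):
    # Defender's audit: custom field descriptions (admin-entered text) that
    # contain characters the html filter changes, i.e. exactly the ones an
    # unfiltered template would have emitted as live markup.
    return sorted(fid for fid, desc in field_descs.items()
                  if bugzilla_html_filter(desc) != desc)


# Constructed sample data standing in for Bugzilla's abbrev hash and field_descs.
ABBREV = {"bug_status": {"title": "Status"}, "priority": {"title": "Pri"}}
FIELD_DESCS = {
    "bug_status": "Status",
    "cf_frad": "Frad <i>status</i> & notes",   # markup typed into the admin UI
    "cf_owner": "Owner",
}

if __name__ == "__main__":
    for fid in ("bug_status", "cf_frad"):
        print(header_cell(fid, ABBREV, FIELD_DESCS, {"title": fid}, escape=False))
        print(header_cell(fid, ABBREV, FIELD_DESCS, {"title": fid}))
    print(fields_needing_escape(FIELD_DESCS))
```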
Comment 9 Frédéric Buclin 2012-08-27 10:40:21 PDT
Created attachment 655642 [details] [diff] [review]
patch, v1
Comment 10 Byron Jones ‹:glob› 2012-08-27 10:46:12 PDT
Comment on attachment 655642 [details] [diff] [review]
patch, v1

r=glob
Comment 11 Frédéric Buclin 2012-08-27 10:49:02 PDT
We don't consider XSS which can be created by admins only as a security issue, so removing the sec flag. We will take this patch for older branches as this problem may break the UI, though. Thanks for finding this bug, Sony! :)
Comment 12 Frédéric Buclin 2012-08-27 11:23:56 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 8358.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 8123.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 7718.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 7295.
Comment 13 Sony 2012-08-27 12:44:20 PDT
ok, good:)
Comment 14 <img src=x onerror=prompt(1); > 2012-09-10 09:21:18 PDT
Comment on attachment 655642 [details] [diff] [review]
patch, v1

&gt;Index: template/en/default/list/table.html.tmpl
&gt;===================================================================
&gt;RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/list/table.html.tmpl,v
&gt;retrieving revision 1.65
&gt;diff -p -u -r1.65 table.html.tmpl
&gt;--- template/en/default/list/table.html.tmpl	26 Feb 2012 00:01:34 -0000	1.65
&gt;+++ template/en/default/list/table.html.tmpl	27 Aug 2012 17:39:27 -0000
&gt;&#64;&#64; -119,7 +119,7 &#64;&#64;
&gt;       [% PROCESS new_order %]
&gt;       [%-#%]&amp;amp;query_based_on=
&gt;       [% defaultsavename OR searchname FILTER uri %]&quot;&gt;
&gt;-        [%- abbrev.$id.title || field_descs.$id || column.title -%]
&gt;+        [%- abbrev.$id.title || field_descs.$id || column.title FILTER html -%]
&gt;         [% PROCESS order_arrow ~%]
&gt;     &lt;/a&gt;
&gt;   &lt;/th&gt;
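Review bot: The `FILTER html` added on the `+` line applies to the output of the whole directive, so all three fallbacks (`abbrev.$id.title`, `field_descs.$id`, `column.title`) are escaped, not only `column.title`; that is the intended effect, since `field_descs.$id` is the admin-entered description named in comment 8 as the vector. Worth a quick check that no `abbrev` title or column title relies on markup, because any such text now renders literally.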
&gt;Index: template/en/default/filterexceptions.pl
&gt;===================================================================
&gt;RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v
&gt;retrieving revision 1.151
&gt;diff -p -u -r1.151 filterexceptions.pl
&gt;--- template/en/default/filterexceptions.pl	12 Aug 2012 10:30:43 -0000	1.151
&gt;+++ template/en/default/filterexceptions.pl	27 Aug 2012 17:39:27 -0000
&gt;&#64;&#64; -138,7 +138,6 &#64;&#64;
&gt; 'list/table.html.tmpl' =&gt; [
&gt;   'tableheader',
&gt;   'bug.bug_id', 
&gt;-  'abbrev.$id.title || field_descs.$id || column.title',
&gt; ],
&gt; 
&gt; 'list/list.csv.tmpl' =&gt; [
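Review bot: Dropping the `'abbrev.$id.title || field_descs.$id || column.title'` entry is the necessary companion change: filterexceptions.pl lists directives the template filter test is told to accept unfiltered, and keeping an entry for a directive that is now filtered would mask a future regression that removed the filter again. The entry also had to match the directive text verbatim, so it would have stopped matching once `FILTER html` was appended.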
