Custom field descriptions are not properly escaped when displayed as bug list column headers

RESOLVED FIXED in Bugzilla 3.6

Status


Bugzilla
Query/Bug List
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Sony, Assigned: Frédéric Buclin)

Tracking

4.2.2
Bugzilla 3.6
Bug Flags:
approval +
blocking4.4 +
approval4.2 +
blocking4.2.3 +
approval4.0 +
approval3.6 +

Details

Attachments

(1 attachment, 1 obsolete attachment)

1.32 KB, patch
glob
: review+
(Reporter)

Description

5 years ago
Created attachment 655618 [details]
456.jpg

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

Hello again)




Actual results:

PoC later. If it's new, ok, I'll put a PoC later.

See here:

https://1zxl51jv7q3c.demo.bugzilla.org/

https://1zxl51jv7q3c.demo.bugzilla.org/buglist.cgi?list_id=64814&query_format=advanced&tag=%22%3E%3Cbody%20onload%3Dalert%28document.cookie%29%3E&query_based_on=&columnlist=product%2Ccomponent%2Cassigned_to%2Cbug_status%2Cresolution%2Cshort_desc%2Cchangeddate%2Ccf_frad

It works only when using a login and password.

My admin login (on demo site): insecurity.ro@gmail.com

Password: 1a2a3a
bugzilla.mozilla.org isn't running Bugzilla 4.2.

The URL provided doesn't trigger an XSS.
Please attach proof of concepts or a full description of the issue when reporting issues.
Assignee: nobody → query-and-buglist
Component: General → Query/Bug List
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Version: Production → 4.2
Version: 4.2 → 4.2.2
(Reporter)

Comment 2

5 years ago
Do you use a login with password? It works only with a login and password. And the browser Mozilla Firefox without plugins.

Ok, PoC later.
I can confirm this.

    <a href="buglist.cgi?columnlist=product%2Ccomponent%2Cassigned_to%2Cbug_status%2Cresolution%2Cshort_desc%2Cchangeddate%2Ccf_frad&amp;list_id=64814&amp;query_format=advanced&amp;tag=%22%3E%3Cbody%20onload%3Dalert%28document.cookie%29%3E&amp;order=cf_frad%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&amp;query_based_on=">></script><script>alert("4")</script></a>
Status: UNCONFIRMED → NEW
Ever confirmed: true
Please still attach a working PoC, but at least I see where the issue is (just not the cause yet).
template/en/default/list/list.html.tmpl
        [% urlquerypart FILTER html %]&amp;query_based_on=
          [% defaultsavename OR searchname FILTER uri %]">Change&nbsp;Columns</a> |

Possibly looks like defaultsavename isn't getting the |FILTER uri| applied to it.
Actually, this is probably in template/en/default/list/table.html.tmpl instead...
(Reporter)

Comment 7

5 years ago
Yes, it's not in the URL. I forgot when I put XSS code (in other fields), and later I would maybe put a PoC, but I see you put your PoC and it's true. But interesting idea, maybe I can find other things.
(Assignee)

Comment 8

5 years ago
The problem is the content of the description of the custom field.
Summary: bugzilla 4.2.2 xss url buglist.cgi → Custom field descriptions are not filtered in buglists
Flags: blocking4.4?
Flags: blocking4.2.3?
Summary: Custom field descriptions are not filtered in buglists → [SECURITY] Custom field descriptions are not properly escaped when displayed as bug list column headers
(Assignee)

Comment 9

5 years ago
Created attachment 655642 [details] [diff] [review]
patch, v1
Assignee: query-and-buglist → LpSolit
Attachment #655618 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #655642 - Flags: review?(glob)
Comment on attachment 655642 [details] [diff] [review]
patch, v1

r=glob
Attachment #655642 - Flags: review?(glob) → review+
(Assignee)

Comment 11

5 years ago
We don't consider XSS which can be created by admins only as a security issue, so removing the sec flag. We will take this patch for older branches as this problem may break the UI, though. Thanks for finding this bug, Sony! :)
Group: bugzilla-security
Flags: blocking4.4?
Flags: blocking4.4+
Flags: blocking4.2.3?
Flags: blocking4.2.3+
Flags: approval4.2+
Flags: approval4.0+
Flags: approval3.6+
Flags: approval+
Summary: [SECURITY] Custom field descriptions are not properly escaped when displayed as bug list column headers → Custom field descriptions are not properly escaped when displayed as bug list column headers
Target Milestone: --- → Bugzilla 3.6
(Assignee)

Comment 12

5 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 8358.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 8123.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 7718.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 7295.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
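The two files in those commits go together: the template gains a `FILTER html` on the column header, and filterexceptions.pl loses the entry that told Bugzilla's template-filter test to ignore that very expression. The following is an added example, not Bugzilla's own code: a miniature of that check, run over the header fragment from "patch, v1" on this bug (reconstructed from the hunks with HTML entities decoded), plus the sink itself rendered with and without the escape. `SAFE_FILTERS`, `render_column_header` and the constructed `DESCRIPTION` payload are assumptions for illustration, not project code.

```python
"""Added example, not Bugzilla's own code: a miniature of the check that
Bugzilla's t/008filter.t performs against filterexceptions.pl.  It scans a
Template Toolkit fragment for output directives, accepts those ending in an
escaping FILTER, and reports the rest unless they are whitelisted.  The two
fragments and exception lists below are reconstructed from the hunks of
"patch, v1" on this bug (HTML entities decoded); SAFE_FILTERS is an
illustrative subset, not the project's exact list."""

import html
import re

SAFE_FILTERS = {"html", "uri", "js", "csv", "none", "txt", "xml"}

# One [% ... %] directive, tolerating the -/~/+ whitespace-chomping flags.
DIRECTIVE_RE = re.compile(r"\[%[-~+]?\s*(.*?)\s*[-~+]?%\]", re.S)
CONTROL_KEYWORDS = ("PROCESS ", "INCLUDE ", "IF ", "ELSIF ", "ELSE", "END",
                    "FOREACH ", "SET ", "DEFAULT ", "USE ", "BLOCK ", "#")
# A postfix FILTER applies to the directive's entire output, so
# "a || b || c FILTER html" escapes whichever of a, b, c is rendered.
TRAILING_FILTER_RE = re.compile(r"\bFILTER\s+(\w+)\s*$")


def unfiltered_directives(template, exceptions):
    """Expressions of output directives that are neither escaped by a
    trailing safe FILTER nor listed in `exceptions`."""
    problems = []
    for m in DIRECTIVE_RE.finditer(template):
        expr = m.group(1).strip()
        if not expr or expr.startswith(CONTROL_KEYWORDS):
            continue  # control flow or comment: produces no output itself
        fm = TRAILING_FILTER_RE.search(expr)
        if fm and fm.group(1) in SAFE_FILTERS:
            continue
        if expr not in exceptions:
            problems.append(expr)
    return problems


# Column-header fragment of list/table.html.tmpl, before and after the patch.
HEADER_BEFORE = """\
      [% PROCESS new_order %]
      [%-#%]&amp;query_based_on=
      [% defaultsavename OR searchname FILTER uri %]">
        [%- abbrev.$id.title || field_descs.$id || column.title -%]
        [% PROCESS order_arrow ~%]
    </a>
  </th>
"""
HEADER_AFTER = HEADER_BEFORE.replace(
    "column.title -%]", "column.title FILTER html -%]")

HEADER_EXPR = "abbrev.$id.title || field_descs.$id || column.title"
EXCEPTIONS_BEFORE = {"tableheader", "bug.bug_id", HEADER_EXPR}  # pre-patch
EXCEPTIONS_AFTER = {"tableheader", "bug.bug_id"}                # post-patch


def render_column_header(href, description, escape):
    """What the sink produces for one column: the <a> wrapping the field
    description, with or without the html filter the patch adds.
    (Simplified stand-in for the template, not Bugzilla code.)"""
    text = html.escape(description, quote=True) if escape else description
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True), text)


# Constructed admin-supplied custom-field description carrying the payload
# that was seen rendered in the confirming comment above.
DESCRIPTION = '"></script><script>alert("4")</script>'

if __name__ == "__main__":
    # The whitelist hid the unescaped header: the check passes pre-patch.
    print(unfiltered_directives(HEADER_BEFORE, EXCEPTIONS_BEFORE))  # []
    # Dropping the exception alone makes the check point at the sink.
    print(unfiltered_directives(HEADER_BEFORE, EXCEPTIONS_AFTER))   # [HEADER_EXPR]
    # Template plus exception change together: clean again.
    print(unfiltered_directives(HEADER_AFTER, EXCEPTIONS_AFTER))    # []
    print(render_column_header("buglist.cgi?order=cf_frad", DESCRIPTION, False))
    print(render_column_header("buglist.cgi?order=cf_frad", DESCRIPTION, True))
```

The order of the three checks is the point: with the expression still whitelisted, the filter test passed while the header was unescaped, which is why the fix has to remove the exception and add the filter in the same change rather than either alone.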
(Reporter)

Comment 13

5 years ago
Ok, good :)
Comment on attachment 655642 [details] [diff] [review]
patch, v1

&gt;Index: template/en/default/list/table.html.tmpl
&gt;===================================================================
&gt;RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/list/table.html.tmpl,v
&gt;retrieving revision 1.65
&gt;diff -p -u -r1.65 table.html.tmpl
&gt;--- template/en/default/list/table.html.tmpl	26 Feb 2012 00:01:34 -0000	1.65
&gt;+++ template/en/default/list/table.html.tmpl	27 Aug 2012 17:39:27 -0000
&gt;&#64;&#64; -119,7 +119,7 &#64;&#64;
&gt;       [% PROCESS new_order %]
&gt;       [%-#%]&amp;amp;query_based_on=
&gt;       [% defaultsavename OR searchname FILTER uri %]&quot;&gt;
&gt;-        [%- abbrev.$id.title || field_descs.$id || column.title -%]
&gt;+        [%- abbrev.$id.title || field_descs.$id || column.title FILTER html -%]
&gt;         [% PROCESS order_arrow ~%]
&gt;     &lt;/a&gt;
&gt;   &lt;/th&gt;
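Review bot: the postfix `FILTER html` on the `+` line covers the whole `abbrev.$id.title || field_descs.$id || column.title` expression, not just `column.title`, which is what is needed for the admin-supplied `field_descs.$id`; but it now also escapes the static `abbrev.$id.title` and `column.title` values, so confirm none of those contain intentional entities or markup that would now render literally. The `defaultsavename OR searchname FILTER uri` line just above is already correctly filtered for the href context, so the remaining thing to check is whether other list templates (CSV, Atom, change-columns) output `field_descs.$id` with the same missing filter, since this patch only touches table.html.tmpl.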
&gt;Index: template/en/default/filterexceptions.pl
&gt;===================================================================
&gt;RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v
&gt;retrieving revision 1.151
&gt;diff -p -u -r1.151 filterexceptions.pl
&gt;--- template/en/default/filterexceptions.pl	12 Aug 2012 10:30:43 -0000	1.151
&gt;+++ template/en/default/filterexceptions.pl	27 Aug 2012 17:39:27 -0000
&gt;&#64;&#64; -138,7 +138,6 &#64;&#64;
&gt; 'list/table.html.tmpl' =&gt; [
&gt;   'tableheader',
&gt;   'bug.bug_id', 
&gt;-  'abbrev.$id.title || field_descs.$id || column.title',
&gt; ],
&gt; 
&gt; 'list/list.csv.tmpl' =&gt; [
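Review bot: removing the `'abbrev.$id.title || field_descs.$id || column.title'` entry is required, not optional, because Bugzilla's t/008filter.t only flags unfiltered directives that are not listed here; leaving the exception in place would have let the old unescaped header pass the test silently, so the two hunks must land together. Minor style point on the untouched context line: `'bug.bug_id', ` carries trailing whitespace that could be dropped while this list is being edited.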