Closed Bug 785917 Opened 12 years ago Closed 12 years ago

Custom field descriptions are not properly escaped when displayed as bug list column headers

Product/Component: Bugzilla :: Query/Bug List
Type: defect
Version: 4.2.2
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Target Milestone: Bugzilla 3.6
Reporter: insecurity.ro
Assignee: LpSolit
Attachments: 1 file, 1 obsolete file

Attached image 456.jpg (obsolete)
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

Hello again)

Actual results:

PoC later. If it's new, OK, I'll put the PoC later.

See here:

https://1zxl51jv7q3c.demo.bugzilla.org/

https://1zxl51jv7q3c.demo.bugzilla.org/buglist.cgi?list_id=64814&query_format=advanced&tag=%22%3E%3Cbody%20onload%3Dalert%28document.cookie%29%3E&query_based_on=&columnlist=product%2Ccomponent%2Cassigned_to%2Cbug_status%2Cresolution%2Cshort_desc%2Cchangeddate%2Ccf_frad

It only works when using a login and password.

My admin login (on demo site): insecurity.ro@gmail.com

Password: 1a2a3a
bugzilla.mozilla.org isn't running bugzilla 4.2.

The URL provided doesn't trigger an XSS.
Please attach proofs of concept or a full description of the issue when reporting issues.
Assignee: nobody → query-and-buglist
Component: General → Query/Bug List
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Version: Production → 4.2
Version: 4.2 → 4.2.2
Did you use the login with the password? It only works with the login and password, and with the Mozilla Firefox browser without plugins.

Ok, PoC later.
I can confirm this.

    <a href="buglist.cgi?columnlist=product%2Ccomponent%2Cassigned_to%2Cbug_status%2Cresolution%2Cshort_desc%2Cchangeddate%2Ccf_frad&amp;list_id=64814&amp;query_format=advanced&amp;tag=%22%3E%3Cbody%20onload%3Dalert%28document.cookie%29%3E&amp;order=cf_frad%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&amp;query_based_on=">></script><script>alert("4")</script></a>
Status: UNCONFIRMED → NEW
Ever confirmed: true
Please still attach a working PoC, but at least I see where the issue is (just not the cause yet).
template/en/default/list/list.html.tmpl
        [% urlquerypart FILTER html %]&amp;query_based_on=
          [% defaultsavename OR searchname FILTER uri %]">Change&nbsp;Columns</a> |

Possibly looks like defaultsavename isn't getting the |FILTER uri| applied to it.
Actually, this is probably in template/en/default/list/table.html.tmpl instead...
Yes, it's not in the URL. I forgot when I put the XSS code (in other fields), and later I may put a PoC, but I see you put your PoC and it's true. But an interesting idea; maybe I can find other things.
The problem is the content of the description of the custom field.
Summary: bugzilla 4.2.2 xss url buglist.cgi → Custom field descriptions are not filtered in buglists
Flags: blocking4.4?
Flags: blocking4.2.3?
Summary: Custom field descriptions are not filtered in buglists → [SECURITY] Custom field descriptions are not properly escaped when displayed as bug list column headers
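The root cause settled on above is an admin-controlled value (the custom field description) reaching the bug list column header without `FILTER html`, and the fix pairs the template change with dropping the expression from filterexceptions.pl so the filter test enforces it from then on. As an added illustration (not code from this bug, the attached patch, or Bugzilla itself), the Python below scans a Template Toolkit fragment for output directives that carry no escaping filter, honours an exception list in the spirit of filterexceptions.pl, and renders one column header both unescaped and escaped so the difference is visible. The template fragment is constructed to resemble the header block discussed in this bug, the list of filter names treated as escaping is an assumption, and `render_header` is a hypothetical stand-in for what the template emits.

```python
import html
import re
from urllib.parse import quote

# Constructed sample shaped like the <th> block of list/table.html.tmpl as
# described in this bug, before the fix. It is not the real file.
HEADER_BEFORE = """
      [% PROCESS new_order %]
      [%-#%]&amp;query_based_on=
      [% defaultsavename OR searchname FILTER uri %]">
        [%- abbrev.$id.title || field_descs.$id || column.title -%]
        [% PROCESS order_arrow ~%]
    </a>
  </th>
"""

# The same fragment with the fix applied: FILTER html on the header text.
HEADER_AFTER = HEADER_BEFORE.replace(
    "column.title -%]", "column.title FILTER html -%]"
)

# One Template Toolkit directive [% ... %], allowing the - and ~ chomp flags.
DIRECTIVE = re.compile(r"\[%[-~]?\s*(.*?)\s*[-~]?%\]", re.S)

# Directives that control flow or define things produce no output themselves.
KEYWORD = re.compile(
    r"^(PROCESS|INCLUDE|INSERT|IF|UNLESS|ELSIF|ELSE|END|FOREACH|WHILE|"
    r"SET|DEFAULT|BLOCK|USE|WRAPPER|RETURN|LAST|NEXT|TRY|CATCH|FINAL|THROW|"
    r"MACRO|CALL|FILTER)\b"
)
ASSIGNMENT = re.compile(r"^\w+(\.\w+)*\s*=[^=]")

# Filters treated as escaping output for its context. The names are an
# assumption drawn from common Bugzilla template usage, not an exhaustive list.
ESCAPING_FILTER = re.compile(r"\bFILTER\s+(html|html_light|uri|js|csv|txt)\b")


def unfiltered_directives(template, exceptions=()):
    """Return the output expressions in `template` that carry no escaping
    filter and are not whitelisted in `exceptions` (cf. filterexceptions.pl)."""
    findings = []
    for match in DIRECTIVE.finditer(template):
        body = match.group(1).strip()
        if not body or body.startswith("#"):
            continue  # empty directive or comment
        if KEYWORD.match(body) or ASSIGNMENT.match(body):
            continue  # control flow, definition, or assignment: no output
        if ESCAPING_FILTER.search(body):
            continue  # already escaped for its context
        if body in exceptions:
            continue  # explicitly whitelisted, as filterexceptions.pl does
        findings.append(body)
    return findings


def render_header(description, searchname="", escape=True):
    """Hypothetical stand-in for one rendered column header. escape=False
    reproduces the pre-fix behaviour (description dropped into the page
    as-is); escape=True is the behaviour after FILTER html."""
    text = html.escape(description, quote=True) if escape else description
    href = "buglist.cgi?query_based_on=" + quote(searchname, safe="")
    return f'<th><a href="{href}">{text}</a></th>'


if __name__ == "__main__":
    target = "abbrev.$id.title || field_descs.$id || column.title"
    print(unfiltered_directives(HEADER_BEFORE))            # flags the header text
    print(unfiltered_directives(HEADER_BEFORE, {target}))  # silenced by exception
    print(unfiltered_directives(HEADER_AFTER))             # nothing left to flag
    print(render_header("Frad <b>Status</b>", escape=False))
    print(render_header("Frad <b>Status</b>"))
```

Running the scanner on the pre-fix fragment flags exactly the `||` expression, and the same run with that expression in the exception set reports nothing, which is why the whitelist entry had to go along with the template change: an exception silences the check without making the output safe. On the fixed fragment there is nothing to flag even with an empty exception list.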
Attached patch patch, v1
Assignee: query-and-buglist → LpSolit
Attachment #655618 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #655642 - Flags: review?(glob)
Comment on attachment 655642 [details] [diff] [review]
patch, v1

r=glob
Attachment #655642 - Flags: review?(glob) → review+
We don't consider XSS which can be created by admins only as a security issue, so removing the sec flag. We will take this patch for older branches as this problem may break the UI, though. Thanks for finding this bug, Sony! :)
Group: bugzilla-security
Flags: blocking4.4?
Flags: blocking4.4+
Flags: blocking4.2.3?
Flags: blocking4.2.3+
Flags: approval4.2+
Flags: approval4.0+
Flags: approval3.6+
Flags: approval+
Summary: [SECURITY] Custom field descriptions are not properly escaped when displayed as bug list column headers → Custom field descriptions are not properly escaped when displayed as bug list column headers
Target Milestone: --- → Bugzilla 3.6
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 8358.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 8123.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 7718.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified template/en/default/filterexceptions.pl
modified template/en/default/list/table.html.tmpl
Committed revision 7295.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
OK, good :)
Comment on attachment 655642 [details] [diff] [review]
patch, v1

&gt;Index: template/en/default/list/table.html.tmpl
&gt;===================================================================
&gt;RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/list/table.html.tmpl,v
&gt;retrieving revision 1.65
&gt;diff -p -u -r1.65 table.html.tmpl
&gt;--- template/en/default/list/table.html.tmpl	26 Feb 2012 00:01:34 -0000	1.65
&gt;+++ template/en/default/list/table.html.tmpl	27 Aug 2012 17:39:27 -0000
&gt;&#64;&#64; -119,7 +119,7 &#64;&#64;
&gt;       [% PROCESS new_order %]
&gt;       [%-#%]&amp;amp;query_based_on=
&gt;       [% defaultsavename OR searchname FILTER uri %]&quot;&gt;
&gt;-        [%- abbrev.$id.title || field_descs.$id || column.title -%]
&gt;+        [%- abbrev.$id.title || field_descs.$id || column.title FILTER html -%]
&gt;         [% PROCESS order_arrow ~%]
&gt;     &lt;/a&gt;
&gt;   &lt;/th&gt;
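Review bot: the `FILTER html` added on the `+` line applies to the whole `abbrev.$id.title || field_descs.$id || column.title` expression, so whichever of the three sources supplies the header text is escaped; that covers `field_descs.$id`, which is where the admin-entered custom field description comes from. Worth confirming none of those three values is already HTML-escaped upstream, otherwise a description containing `&` would render double-encoded. The neighbouring `[% defaultsavename OR searchname FILTER uri %]` is left unchanged, consistent with the earlier comments that the URL part was not the cause.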
&gt;Index: template/en/default/filterexceptions.pl
&gt;===================================================================
&gt;RCS file: /cvsroot/mozilla/webtools/bugzilla/template/en/default/filterexceptions.pl,v
&gt;retrieving revision 1.151
&gt;diff -p -u -r1.151 filterexceptions.pl
&gt;--- template/en/default/filterexceptions.pl	12 Aug 2012 10:30:43 -0000	1.151
&gt;+++ template/en/default/filterexceptions.pl	27 Aug 2012 17:39:27 -0000
&gt;&#64;&#64; -138,7 +138,6 &#64;&#64;
&gt; 'list/table.html.tmpl' =&gt; [
&gt;   'tableheader',
&gt;   'bug.bug_id', 
&gt;-  'abbrev.$id.title || field_descs.$id || column.title',
&gt; ],
&gt; 
&gt; 'list/list.csv.tmpl' =&gt; [
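Review bot: removing the `'abbrev.$id.title || field_descs.$id || column.title'` entry from the `list/table.html.tmpl` exception list is the necessary companion to the template hunk: this file whitelists expressions allowed to appear without a filter, so with the entry gone the filter test will flag that expression again if the `FILTER html` is ever dropped. The two hunks must land together, since the old exception string no longer matches the now-filtered expression. The context line `'bug.bug_id', ` carries trailing whitespace, but it is not touched by this change.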