Flag names are not properly escaped when displayed on confirm user match page

RESOLVED FIXED in Bugzilla 3.6

Status

Product: Bugzilla
Component: Attachments & Requests
Status: RESOLVED FIXED
Reported: 5 years ago
Modified: 4 years ago

People

(Reporter: Mateusz Goik, Assigned: reed)

Tracking

(Blocks: 1 bug, {sec-low, wsec-xss})

Version: 4.2.3
Target Milestone: Bugzilla 3.6
Keywords: sec-low, wsec-xss
Bug Flags:
approval +
approval4.4 +
approval4.2 +
approval4.0 +
approval3.6 +

Details

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
PoC:

1. http://localhost/cgi-bin/bug/editflagtypes.cgi

2. Create Flag Type for Bugs ->

   Name: <script>alert(1);</script>
   Description: test

   Click Create

3. example: http://localhost/cgi-bin/bug/show_bug.cgi?id=6

   Flags: <script>alert(1);</script>: mail@examplemail.example

   Click "Save Changes"

4.

    <tr>
      <td align="left" valign="top"><script>alert(1);</script> requestee:
      </td>
      <td align="left" valign="top">
        <div class="user_match">
          <b>mail&#64;examplemail.example</b>
          <font color="#FF0000">did not match anything</font>
        </div>
      </td>
    </tr>
(Assignee)

Updated

5 years ago
Assignee: create-and-change → attach-and-request
Component: Creating/Changing Bugs → Attachments & Requests
OS: Linux → All
Hardware: x86 → All
(Assignee)

Comment 1

5 years ago
Created attachment 660071: patch - v1 (untested)

Maybe something like this? Not exactly sure why this particular thing was getting exempted from the filter...

This code has been around since bug 172518.
Assignee: attach-and-request → reed
Status: NEW → ASSIGNED
Attachment #660071 - Flags: review?(LpSolit)

Comment 2

5 years ago
Comment on attachment 660071: patch - v1 (untested)

There is indeed no reason to make an exception for flag names, even if they are controlled by users with editcomponents privs only. As only power users can edit flag types, this bug is fortunately not critical. r=LpSolit
Attachment #660071 - Flags: review?(LpSolit) → review+
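The mechanism the review describes, as an added example that is not Bugzilla's code and does not model Template Toolkit: a small renderer that HTML-escapes every substituted value unless the variable is listed in an exception set (the role filterexceptions.pl plays for the global html filter). With the flag name exempted, the reporter's payload reaches the page verbatim; with the exemption removed, it is escaped like any other value. The template string, the placeholder syntax and the function names are assumptions made for this illustration.

```python
import html
import re

# Constructed sample values: the flag name is the payload quoted in the report,
# the requestee is the address the reporter used.
FLAG_NAME = "<script>alert(1);</script>"
REQUESTEE = "mail@examplemail.example"

# Hypothetical stand-in for the confirm-user-match row. Template Toolkit
# syntax is not modelled; placeholders are written as {variable.path}.
ROW_TEMPLATE = (
    "<tr><td>{flag.name} requestee:</td>"
    "<td><div class=\"user_match\"><b>{requestee}</b>"
    "<font color=\"#FF0000\">did not match anything</font></div></td></tr>"
)

PLACEHOLDER = re.compile(r"\{([\w.]+)\}")


def render(template, variables, filter_exceptions):
    """Expand {placeholders}, HTML-escaping every value unless its name is in
    filter_exceptions. This mimics only the effect of a default html filter
    combined with a per-template exception list."""
    def substitute(match):
        name = match.group(1)
        value = variables[name]
        if name in filter_exceptions:
            return value                       # exempted: emitted verbatim
        return html.escape(value, quote=True)  # default: escaped
    return PLACEHOLDER.sub(substitute, template)


def render_before_fix():
    """Flag name exempted from escaping: the payload is emitted raw."""
    return render(ROW_TEMPLATE,
                  {"flag.name": FLAG_NAME, "requestee": REQUESTEE},
                  filter_exceptions={"flag.name"})


def render_after_fix():
    """Exception removed: the flag name is escaped like every other value."""
    return render(ROW_TEMPLATE,
                  {"flag.name": FLAG_NAME, "requestee": REQUESTEE},
                  filter_exceptions=set())


def has_raw_script_tag(markup):
    """Regression check: does an unescaped <script ...> tag survive rendering?"""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("raw script tag before fix:", has_raw_script_tag(render_before_fix()))
    print("raw script tag after fix: ", has_raw_script_tag(render_after_fix()))
    print(render_after_fix())
```

The point of the exception set is that it is a deny-by-default design: anything added to it is a deliberate hole in the output encoding, so each entry needs a reason, and a value that any account can influence should never be on it. The has_raw_script_tag check is the kind of assertion a template regression test can carry so the exemption is not quietly reintroduced.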

Comment 3

5 years ago
Approved for all supported branches (I checked that 3.6 was affected too). As flag types are controlled by power users only, there is no need for a security advisory. Simply remove the security flag once the patch is checked in.
Flags: approval4.4+
Flags: approval4.2+
Flags: approval4.0+
Flags: approval3.6+
Flags: approval+
Target Milestone: --- → Bugzilla 3.6
(Assignee)

Updated

5 years ago
Summary: Flags XSS → Flag names are not properly escaped when displayed on confirm user match page
(Assignee)

Updated

5 years ago
Keywords: sec-low, wsec-xss
(Assignee)

Comment 4

5 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 8388.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.4/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 8386.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 8137.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 7724.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.6/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 7300.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
This is a sec-low rated bug so it does not qualify for a bounty.

Updated

4 years ago
Blocks: 835424