Closed Bug 790215 Opened 12 years ago Closed 12 years ago

Flag names are not properly escaped when displayed on confirm user match page

Categories

(Bugzilla :: Attachments & Requests, defect)

4.2.3
defect
Not set
normal

Tracking


RESOLVED FIXED
Bugzilla 3.6

People

(Reporter: mateusz.goik, Assigned: reed)

Details

(Keywords: sec-low, wsec-xss)

Attachments

(1 file)

PoC:

1. http://localhost/cgi-bin/bug/editflagtypes.cgi

2. Create Flag Type for Bugs ->

Name: <script>alert(1);</script>
Description: test

Click Create

3. example: http://localhost/cgi-bin/bug/show_bug.cgi?id=6

Flags: <script>alert(1);</script>: mail@examplemail.example

Click "Save Changes"

4.

 <tr>
      <td align="left" valign="top"><script>alert(1);</script> requestee:
      </td>
      <td align="left" valign="top">
            <div class="user_match">
              <b>mail&#64;examplemail.example</b>
                  <font color="#FF0000">did not match anything</font>
            </div>
      </td>
    </tr>
Assignee: create-and-change → attach-and-request
Component: Creating/Changing Bugs → Attachments & Requests
OS: Linux → All
Hardware: x86 → All
Maybe something like this? Not exactly sure why this particular thing was getting exempted from the filter...

This code has been around since bug 172518.
Assignee: attach-and-request → reed
Status: NEW → ASSIGNED
Attachment #660071 - Flags: review?(LpSolit)
Comment on attachment 660071
patch - v1 (untested)

There is indeed no reason to make an exception for flag names, even if they are controlled by users with editcomponents privs only. As only power users can edit flag types, this bug is fortunately not critical. r=LpSolit
Attachment #660071 - Flags: review?(LpSolit) → review+
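The review above rests on Bugzilla's template convention: every output directive must be filtered, and filterexceptions.pl lists the few that are deliberately left raw, which is where the flag name had wrongly been excused. The following is an added example, not Bugzilla's own test code or the patch, that reconstructs a simplified filter-coverage check over a constructed template row; the directive name `field.flag_type.name`, the control-keyword list and the row markup are assumptions.

```python
import re

# Constructed simplification (not Bugzilla's own filter test): a Template
# Toolkit directive [% ... %] either emits output or is a control statement.
DIRECTIVE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.S)
CONTROL = {"IF", "ELSIF", "ELSE", "END", "FOREACH", "UNLESS", "SET", "USE",
           "PROCESS", "INCLUDE", "BLOCK", "WRAPPER", "DEFAULT", "RETURN",
           "NEXT", "LAST", "WHILE", "SWITCH", "CASE", "TRY", "CATCH",
           "THROW", "CALL", "MACRO", "FILTER", "STOP"}
ASSIGNMENT = re.compile(r"^\w[\w.]*\s*=[^=]")

def unfiltered_directives(template_text, template_name, exceptions):
    """Output directives with no inline FILTER that are not excused for
    template_name in the exceptions map (the role filterexceptions.pl plays)."""
    allowed = set(exceptions.get(template_name, ()))
    findings = []
    for body in DIRECTIVE.findall(template_text):
        words = body.split()
        if not words or body.startswith("#"):        # empty or comment
            continue
        if words[0].upper() in CONTROL or ASSIGNMENT.match(body):
            continue
        if re.search(r"\bFILTER\b", body):            # escaped inline
            continue
        if body not in allowed:
            findings.append(body)
    return findings

TEMPLATE_NAME = "global/confirm-user-match.html.tmpl"
# Constructed rows; the variable name field.flag_type.name is assumed.
ROW_UNFILTERED = """<td align="left" valign="top">
  [% IF field.flag_type %][% field.flag_type.name %] requestee:[% END %]
</td>
<td align="left" valign="top"><b>[% query FILTER html %]</b></td>"""
ROW_FILTERED = ROW_UNFILTERED.replace(
    "[% field.flag_type.name %]", "[% field.flag_type.name FILTER html %]")

# Before the fix: the flag name was listed as an exception, so the check
# stayed green while the template emitted an admin-controlled string raw.
EXCEPTIONS_BEFORE = {TEMPLATE_NAME: ["field.flag_type.name"]}
# After the fix: the exception is gone and the template filters the name.
EXCEPTIONS_AFTER = {TEMPLATE_NAME: []}

def check(template_text, exceptions):
    return unfiltered_directives(template_text, TEMPLATE_NAME, exceptions)

if __name__ == "__main__":
    print(check(ROW_UNFILTERED, EXCEPTIONS_BEFORE))  # [] (masked by exception)
    print(check(ROW_UNFILTERED, EXCEPTIONS_AFTER))   # ['field.flag_type.name']
    print(check(ROW_FILTERED, EXCEPTIONS_AFTER))     # []
```

The middle case is the one that matters for review: dropping the exception without touching the template makes the check fail, which is exactly the signal the exception had been suppressing.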
Approved for all supported branches (I checked that 3.6 was affected too). As flag types are controlled by power users only, there is no need for a security advisory. Simply remove the security flag once the patch is checked in.
Flags: approval4.4+
Flags: approval4.2+
Flags: approval4.0+
Flags: approval3.6+
Flags: approval+
Target Milestone: --- → Bugzilla 3.6
Summary: Flags XSS → Flag names are not properly escaped when displayed on confirm user match page
Keywords: sec-low, wsec-xss
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 8388.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.4/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 8386.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 8137.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 7724.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.6/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 7300.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
This is a sec-low rated bug so it does not qualify for a bounty.