Closed
Bug 790296
(CVE-2012-4189)
Opened 13 years ago
Closed 13 years ago
[SECURITY] Field values are not escaped correctly in tabular reports
Categories
(Bugzilla :: Reporting/Charting, defect)
Tracking
RESOLVED
FIXED
Bugzilla 4.2
People
(Reporter: mateusz.goik, Assigned: LpSolit)
Details
(4 keywords)
Attachments
(1 file, 1 obsolete file)
patch (1.66 KB), dkl: review+
PoC:
http://localhost/cgi-bin/bug/editversions.cgi?action=add&product=TestProduct ->
Version: "><script>alert(1);</script>
Add new bug to "TestProduct" with version "><script>alert(1);</script>
http://localhost/cgi-bin/bug/query.cgi?format=report-table ->
Horizontal Axis: Version
The results should be: Version: "><script>alert(1);</script>
-> Generate Report
http://localhost/cgi-bin/bug/report.cgi?x_axis_field=version&y_axis_field=&z_axis_field=&query_format=report-table&short_desc_type=allwordssubstr&short_desc=&resolution=---&longdesc_type=allwordssubstr&longdesc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&keywords_type=allwords&keywords=&deadlinefrom=&deadlineto=&bug_id=&bug_id_type=anyexact&version=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&emailassigned_to1=1&emailtype1=substring&email1=&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailtype2=substring&email2=&emaillongdesc3=1&emailtype3=substring&email3=&chfieldvalue=&chfieldfrom=&chfieldto=Now&j_top=AND&f1=noop&o1=noop&v1=&format=table&action=wrap
Result:
+ oColumn.field + "&version="><script>alert(1);</script>'>"
elLiner.innerHTML = "<a href='buglist.cgi?action=wrap&resolution=---&version="><script>alert(1);</script>'>"
<a href="buglist.cgi?action=wrap&resolution=---&version="><script>alert(1);</script>">5</a>
<a href="buglist.cgi?action=wrap&resolution=---&=%20&version="><script>alert(1);</script>">5</a>
Updated•13 years ago
OS: Linux → All
Hardware: x86 → All
Comment 1•13 years ago
Confirmed. Bugzilla 4.0 and older are not affected as we use YUI for tabular reports since 4.2 only, see bug 142394. If JavaScript is disabled, the problem goes away, so I suspect < and > are not escaped properly somewhere in our JS code, which is surprising as < and > are supposed to be escaped by |FILTER js|, see bug 503980 and bug 670169.
Flags: blocking4.4+
Flags: blocking4.2.4+
Summary: Report table (version) - XSS → Field values are not escaped correctly in tabular reports
Target Milestone: --- → Bugzilla 4.2
Comment 2•13 years ago
Comment 3•13 years ago
Comment on attachment 660184 [details] [diff] [review]
patch, v1
Review of attachment 660184 [details] [diff] [review]:
-----------------------------------------------------------------
Are you sure this fixes all four different spots? Seems like it would only fix 2-3 of the 4.
Comment 4•13 years ago
(In reply to Reed Loden [:reed] from comment #3)
> Are you sure this fixes all four different spots? Seems like it would only
> fix 2-3 of the 4.
This fixes all links when JS is disabled, prevents XSS with JS disabled/enabled, and links with JS enabled are only broken when the values have semicolons in them. I will check what I can do for them later (not a regression due to my patch).
Comment 5•13 years ago
Correctly escape column headers.
I suspect that YUI reverts some escaping internally, because replacing oColumn.field by YAHOO.lang.escapeHTML(oColumn.field) has no effect. But that's another bug.
Attachment #660184 - Attachment is obsolete: true
Attachment #660184 - Flags: review?(dkl)
Attachment #660428 - Flags: review?(dkl)
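The link construction diagnosed in comments 1 and 5, as an added JavaScript example that is not Bugzilla's or YUI's code: the string-concatenation pattern visible in the PoC's "Result:" output beside a version that percent-encodes the value for the query string and HTML-escapes the href before placing it in the attribute. The PoC payload is the constructed input; function names are hypothetical.

```javascript
// Added example, not Bugzilla's code: models the cell formatter pattern
// shown in the bug's "Result:" output, where a field value is spliced into
// innerHTML as part of a buglist.cgi link, next to a hardened version.

// Escape for HTML text/attribute context. The &#39; entry matters because
// encodeURIComponent leaves the single quote alone and the href is quoted with '.
function escapeHtml(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Inverse of escapeHtml; &amp; last so double-escaped sequences stay intact.
function unescapeHtml(s) {
  return String(s).replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, "&");
}

// Vulnerable pattern: the raw value closes the href attribute and the
// markup that follows is rendered by the browser on assignment to innerHTML.
function buildCellLinkUnsafe(field, value, count) {
  return "<a href='buglist.cgi?action=wrap&resolution=---&" +
    field + "=" + value + "'>" + count + "</a>";
}

// Hardened: percent-encode name and value for the query string (this also
// encodes ';' and '&', so the value survives as one parameter), then
// HTML-escape the whole href before it is placed inside the attribute.
function buildCellLinkSafe(field, value, count) {
  const href = "buglist.cgi?action=wrap&resolution=---&" +
    encodeURIComponent(field) + "=" + encodeURIComponent(value);
  return "<a href='" + escapeHtml(href) + "'>" + escapeHtml(count) + "</a>";
}

// Read the field value back out of a generated link, to check that the
// hardened form preserves the value exactly while emitting no raw markup.
function valueFromLink(html, field) {
  const m = html.match(/href='([^']*)'/);
  if (!m) return null;
  const query = unescapeHtml(m[1]).split("?")[1] || "";
  for (const pair of query.split("&")) {
    const [k, v = ""] = pair.split("=");
    if (decodeURIComponent(k) === field) return decodeURIComponent(v);
  }
  return null;
}

// Constructed input: the payload used in the bug's PoC.
const PAYLOAD = '"><script>alert(1);</script>';
```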
Comment 7•13 years ago
Frederic, can you give feedback on this as far as a security rating? Is this a simple XSS issue?
Comment 8•13 years ago
(In reply to Al Billings [:abillings] from comment #7)
> Frederic, can you give feedback on this as far as a security rating? Is this
> a simple XSS issue?
Unfortunately, it's very easy to trigger XSS, see the link in the URL field. There is no need for the value to exist in the DB.
Severity: normal → major
Depends on: 142394
Keywords: regression
Summary: Field values are not escaped correctly in tabular reports → [SECURITY] Field values are not escaped correctly in tabular reports
Version: 4.2.3 → 4.1.1
Updated•13 years ago
Keywords: sec-critical, wsec-xss
Comment 9•13 years ago
Comment on attachment 660428 [details] [diff] [review]
patch, v2
Review of attachment 660428 [details] [diff] [review]:
-----------------------------------------------------------------
r=dkl
Attachment #660428 - Flags: review?(dkl) → review+
Updated•13 years ago
Flags: approval?
Flags: approval4.4?
Flags: approval4.2?
Updated•13 years ago
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval+
Comment 11•13 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified report.cgi
modified template/en/default/reports/report-table.html.tmpl
Committed revision 8470.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified report.cgi
modified template/en/default/reports/report-table.html.tmpl
Committed revision 8455.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified report.cgi
modified template/en/default/reports/report-table.html.tmpl
Committed revision 8169.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 12•13 years ago
Security advisory sent. Removing the security flag.
Group: bugzilla-security
Updated•12 years ago
Flags: sec-bounty+
Updated•1 year ago
Keywords: reporter-external