Bug 790296 (CVE-2012-4189)

[SECURITY] Field values are not escaped correctly in tabular reports

RESOLVED FIXED in Bugzilla 4.2

Status

Bugzilla
Reporting/Charting
--
major
RESOLVED FIXED
5 years ago
3 years ago

People

(Reporter: Mateusz Goik, Assigned: Frédéric Buclin)

Tracking

(Blocks: 1 bug, {regression, sec-critical, wsec-xss})

4.1.1
Bugzilla 4.2
regression, sec-critical, wsec-xss
Bug Flags:
approval +
approval4.4 +
blocking4.4 +
approval4.2 +
blocking4.2.4 +
sec-bounty +

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

5 years ago
PoC:

http://localhost/cgi-bin/bug/editversions.cgi?action=add&product=TestProduct ->
Version: "><script>alert(1);</script>

Add new bug to "TestProduct" with version "><script>alert(1);</script>

http://localhost/cgi-bin/bug/query.cgi?format=report-table -> 
Horizontal Axis: Version
should be the results: Version: "><script>alert(1);</script>
-> Generate Report

http://localhost/cgi-bin/bug/report.cgi?x_axis_field=version&y_axis_field=&z_axis_field=&query_format=report-table&short_desc_type=allwordssubstr&short_desc=&resolution=---&longdesc_type=allwordssubstr&longdesc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&keywords_type=allwords&keywords=&deadlinefrom=&deadlineto=&bug_id=&bug_id_type=anyexact&version=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&emailassigned_to1=1&emailtype1=substring&email1=&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailtype2=substring&email2=&emaillongdesc3=1&emailtype3=substring&email3=&chfieldvalue=&chfieldfrom=&chfieldto=Now&j_top=AND&f1=noop&o1=noop&v1=&format=table&action=wrap

Result:

+ oColumn.field + "&amp;version="><script>alert(1);</script>'>"
 elLiner.innerHTML = "<a href='buglist.cgi?action=wrap&amp;resolution=---&amp;version="><script>alert(1);</script>'>"
     <a href="buglist.cgi?action=wrap&amp;resolution=---&amp;version="><script>alert(1);</script>">5</a>
<a href="buglist.cgi?action=wrap&amp;resolution=---&amp;=%20&amp;version="><script>alert(1);</script>">5</a>
OS: Linux → All
Hardware: x86 → All
(Assignee)

Comment 1

5 years ago
Confirmed. Bugzilla 4.0 and older are not affected as we use YUI for tabular reports since 4.2 only, see bug 142394. If JavaScript is disabled, the problem goes away, so I suspect < and > are not escaped properly somewhere in our JS code, which is surprising as < and > are supposed to be escaped by |FILTER js|, see bug 503980 and bug 670169.
Flags: blocking4.4+
Flags: blocking4.2.4+
Summary: Report table (version) - XSS → Field values are not escaped correctly in tabular reports
Target Milestone: --- → Bugzilla 4.2
(Assignee)

Comment 2

5 years ago
Created attachment 660184 [details] [diff] [review]
patch, v1
Assignee: charting → LpSolit
Status: NEW → ASSIGNED
Attachment #660184 - Flags: review?(dkl)
Comment on attachment 660184 [details] [diff] [review]
patch, v1

Review of attachment 660184 [details] [diff] [review]:
-----------------------------------------------------------------

Are you sure this fixes all four different spots? Seems like it would only fix 2-3 of the 4.
(Assignee)

Comment 4

5 years ago
(In reply to Reed Loden [:reed] from comment #3)
> Are you sure this fixes all four different spots? Seems like it would only
> fix 2-3 of the 4.

This fixes all links when JS is disabled, prevents XSS with JS disabled/enabled, and links with JS enabled are only broken when the values have semicolons in them. I will check what I can do for them later (not a regression due to my patch).
(Assignee)

Comment 5

5 years ago
Created attachment 660428 [details] [diff] [review]
patch, v2

Correctly escape column headers.

I suspect that YUI reverts some escaping internally, because replacing oColumn.field by YAHOO.lang.escapeHTML(oColumn.field) has no effect. But that's another bug.
Attachment #660184 - Attachment is obsolete: true
Attachment #660184 - Flags: review?(dkl)
Attachment #660428 - Flags: review?(dkl)
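The mechanism behind comment 1 and comment 5 (why `|FILTER js|` escaping `<` and `>` did not help, and why the fix has to escape at the HTML layer) can be shown without YUI. The following is an added example, not Bugzilla's code or its actual patch: `jsStringEscape` is a rough model of Template Toolkit's js filter, `buildLinkVulnerable` mirrors the `innerHTML` concatenation visible in the reporter's output, and `buildLinkSafe`, `htmlEscape` and `introducesMarkup` are hypothetical helpers written here to show the corrected pattern and a check for it.

```javascript
// Added example, not Bugzilla code: a value escaped for a JavaScript string
// context is NOT safe once that string is written into the page as HTML.

// Rough model of Template Toolkit's |FILTER js| as Bugzilla uses it: makes a
// value safe to embed inside a JS string literal (quotes, backslashes, newlines,
// and < > as \x3c \x3e so it cannot close the enclosing <script> element).
function jsStringEscape(s) {
  const map = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\n": "\\n", "\r": "\\r", "<": "\\x3c", ">": "\\x3e",
  };
  return s.replace(/[\\'"\n\r<>]/g, (c) => map[c]);
}

// Models the browser parsing the emitted <script>: the literal "...\x3c..."
// evaluates back to a string that again contains a literal "<".
function evalJsStringLiteral(escaped) {
  return new Function('return "' + escaped + '";')();
}

// Pattern from the report's output: the (JS-escaped) field value is concatenated
// into HTML markup that is later assigned to innerHTML. The JS escaping has
// already been undone by the time this string exists, so the value would need
// HTML/URL escaping as well, which this version does not do.
function buildLinkVulnerable(field, value, count) {
  return "<a href='buglist.cgi?action=wrap&amp;" + field + "=" + value + "'>" +
    count + "</a>";
}

// Hardened form (hypothetical helper, not the upstream fix): encode for each
// context the value passes through. The value becomes a URL query parameter
// (percent-encoding), and the URL sits inside an HTML attribute (entity-encoding).
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function buildLinkSafe(field, value, count) {
  const url = "buglist.cgi?action=wrap&" +
    encodeURIComponent(field) + "=" + encodeURIComponent(value);
  return "<a href='" + htmlEscape(url) + "'>" + htmlEscape(count) + "</a>";
}

// Check a test or reviewer could apply to the generated markup: exactly one
// <a ...>...</a> element is expected, so any other tag means the value broke out
// of the attribute.
function introducesMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z]/g) || [];
  return tags.length !== 2;
}

// Constructed input: the field value from the report.
const PAYLOAD = '"><script>alert(1);</script>';

function demo() {
  const inScript = jsStringEscape(PAYLOAD);        // safe inside a JS string
  const atRuntime = evalJsStringLiteral(inScript); // back to the raw value
  return {
    inScript,
    roundTrips: atRuntime === PAYLOAD,
    vulnerable: buildLinkVulnerable("version", atRuntime, 5),
    safe: buildLinkSafe("version", atRuntime, 5),
  };
}

const r = demo();
console.log("JS-escaped: ", r.inScript);
console.log("Vulnerable: ", r.vulnerable, "injects markup:", introducesMarkup(r.vulnerable));
console.log("Hardened:   ", r.safe, "injects markup:", introducesMarkup(r.safe));
```

The point the demo makes is that the js filter does its job (the emitted script contains no raw `<`), but a filter protects only the context it was written for; the moment the decoded string is used to build markup, the value is in an HTML attribute inside a URL, and both of those contexts need their own encoding.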
Frederic, can you give feedback on this as far as a security rating? Is this a simple XSS issue?
(Assignee)

Comment 8

5 years ago
(In reply to Al Billings [:abillings] from comment #7)
> Frederic, can you give feedback on this as far as a security rating? Is this
> a simple XSS issue?

Unfortunately, it's very easy to trigger XSS, see the link in the URL field. There is no need for the value to exist in the DB.
Severity: normal → major
Depends on: 142394
Keywords: regression
Summary: Field values are not escaped correctly in tabular reports → [SECURITY] Field values are not escaped correctly in tabular reports
Version: 4.2.3 → 4.1.1
Keywords: sec-critical, wsec-xss
Comment on attachment 660428 [details] [diff] [review]
patch, v2

Review of attachment 660428 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #660428 - Flags: review?(dkl) → review+
(Assignee)

Updated

5 years ago
Flags: approval?
Flags: approval4.4?
Flags: approval4.2?
Call this one CVE-2012-4189
Alias: CVE-2012-4189
(Assignee)

Updated

5 years ago
Blocks: 805640
(Assignee)

Updated

5 years ago
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval+
(Assignee)

Comment 11

5 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified report.cgi
modified template/en/default/reports/report-table.html.tmpl
Committed revision 8470.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified report.cgi
modified template/en/default/reports/report-table.html.tmpl
Committed revision 8455.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified report.cgi
modified template/en/default/reports/report-table.html.tmpl
Committed revision 8169.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Comment 12

5 years ago
Security advisory sent. Removing the security flag.
Group: bugzilla-security

Updated

4 years ago
Blocks: 835424
Flags: sec-bounty+