Needinfo extension does not escape user names

Status: RESOLVED FIXED
Product: bugzilla.mozilla.org
Component: Extensions: Needinfo
Importance: -- critical
Version: Production
Reported: 5 years ago
Modified: 4 years ago

People
Reporter: Simon Green
Assignee: Simon Green

Tracking
Keywords: regression, sec-high, wsec-xss
Bug Flags: sec-bounty +

Attachments
(1 attachment)

(Assignee)

Description

5 years ago
Created attachment 808358 [details] [diff] [review]
needinfo-fix-v1.patch

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20130917102605

Steps to reproduce:

1) Visit https://bugzilla.mozilla.org/show_bug.cgi?id=469018
2) Towards the bottom of the page, change the needinfo to the assignee


Actual results:

Displays 'Simon Green'


Expected results:

Displays 'Simon Green <sgreen@redhat.com>'
(Assignee)

Comment 1

5 years ago
Marking this as a security bug, since it would not escape a user name that contained JavaScript, for example. This could lead to all sorts of nasties.
Assignee: nobody → simon
Severity: normal → critical
Status: NEW → ASSIGNED
Depends on: 917483
(Assignee)

Updated

5 years ago
Attachment #808358 - Flags: review?(glob)
(Assignee)

Updated

5 years ago
Keywords: sec-critical
Attachment #808358 - Flags: review?(glob) → review+
Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.2/
modified extensions/Needinfo/template/en/default/bug/needinfo.html.tmpl
Committed revision 9029.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Updated

5 years ago
Depends on: 917577
No longer depends on: 917483
Flags: sec-bounty?
Keywords: regression, wsec-xss
How can we make this less likely to happen in the future? Have and use a combined htmljs filter? Get some lint thing to specifically check for both html and js escaping between <script> tags?

Gerv
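Gerv's two suggestions, as an added example that is not from this bug or from Bugzilla's code: a combined html-then-js filter, and a small lint that flags Template Toolkit directives inside <script> blocks that carry neither filter. The filter behaviour, the list of non-output directives and the template fragment are assumptions constructed for this example.

```python
import html
import re

# Constructed for this example: a combined "htmljs" filter and a tiny lint for
# Template Toolkit (.tmpl) files. Names, directive list and the template
# fragment are assumptions, not Bugzilla's actual code or filters.
def js_escape(s: str) -> str:
    """Escape a value for use inside a JavaScript string literal."""
    return (s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
             .replace("\n", "\\n").replace("\r", "\\r"))

def htmljs(s: str) -> str:
    """HTML-escape first (no '<' survives, so no '</script>' break-out is
    possible), then JS-escape so quotes/backslashes cannot end the literal."""
    return js_escape(html.escape(s, quote=True))

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
DIRECTIVE_RE = re.compile(r"\[%(.*?)%\]", re.S)
FILTER_RE = re.compile(r"\bFILTER\s+(\w+)")
# Directives that output nothing (flow control, assignments, comments).
CONTROL_RE = re.compile(r"(?:(?:IF|ELSIF|ELSE|END|FOREACH|SET|INCLUDE|PROCESS|USE)\b|#)")

def missing_filters(directive: str) -> set:
    """Which of {'html', 'js'} an interpolation directive fails to apply."""
    body = directive.strip()
    if CONTROL_RE.match(body):
        return set()
    return {"html", "js"} - set(FILTER_RE.findall(body))

def lint_script_blocks(template: str) -> list:
    """(line, directive) for each interpolation inside <script>...</script>
    that lacks html or js escaping."""
    findings = []
    for block in SCRIPT_RE.finditer(template):
        for d in DIRECTIVE_RE.finditer(block.group(1)):
            if missing_filters(d.group(1)):
                pos = block.start(1) + d.start()   # absolute offset in template
                findings.append((template.count("\n", 0, pos) + 1, d.group(1).strip()))
    return findings

# Constructed template fragment in the spirit of needinfo.html.tmpl.
SAMPLE = """<select name="needinfo_role">
  <option value="assignee">[% bug.assigned_to.name FILTER html %]</option>
</select>
<script type="text/javascript">
  var assignee = '[% bug.assigned_to.name %]';
  var reporter = '[% bug.reporter.name FILTER html FILTER js %]';
</script>
"""
```

Running lint_script_blocks(SAMPLE) reports the unescaped assignee name on line 5 of the fragment, while the option text outside the script block and the doubly filtered reporter name pass.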
Given the user interaction required I find it hard to rate this as sec-critical. Your best bet at pulling this off as an attack is to file a concerning but incomplete bug against your potential victim and hope they needinfo? the reporter rather than just ask in a comment. And do so without having initially noticed that your user name at the top of the bug report included "<script src=attack.js>" or whatever.
Keywords: sec-critical → sec-high
Flags: sec-bounty? → sec-bounty+
Group: bugzilla-security