Closed Bug 924802 (CVE-2013-1742) Opened 11 years ago Closed 11 years ago

[SECURITY] (XSS) "id" and "sortkey" are not sanitized when editing flag types if categoryAction-foo is set

Categories

(Bugzilla :: Administration, task)

Product:
Bugzilla
Component:
Administration
Version:
2.17.1
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 4.0

People

(Reporter: mateusz.goik, Assigned: LpSolit)

References

(
URL
)

Details

(Keywords: sec-critical, wsec-xss)

Attachments

(3 files)

patch for trunk, v1
2.15 KB, patch
dkl
: review+
Details | Diff | Splinter Review
patch for 4.2 and 4.4, v1
1.73 KB, patch
dkl
: review+
Details | Diff | Splinter Review
patch for 4.0
1.74 KB, patch
dkl
: review+
Details | Diff | Splinter Review 
PoC:

http://localhost/bugzilla/editflagtypes.cgi?action=insert&can_fully_edit=1&id="><script>alert(1)</script>&token=&target_type=bug&check_clusions=1&name=test1&description=test2&product=TestProduct&component=TestComponent&categoryAction-include=Include&sortkey=1&is_active=on&is_requestable=on&cc_list=&is_requesteeble=on&is_multiplicable=on&grant_group=&request_group=

http://localhost/bugzilla/editflagtypes.cgi?action=insert&can_fully_edit=1&id=&token=&target_type=bug&check_clusions=1&name=test&description=test2&product=TestProduct&component=TestComponent&categoryAction-include=Include&sortkey=1"><script>alert(2)</script>&is_active=on&is_requestable=on&cc_list=&is_requesteeble=on&is_multiplicable=on&grant_group=&request_group=
The problem is here, starting on line 108 of editflagtypes.cgi:

    my $type = {};
    $type->{$_} = $cgi->param($_) foreach $cgi->param();
...
    $vars->{'type'} = $type;

We don't require the filtering of ".id" in templates in our XSS-checking test because we assume it will always be a property of an object which Bugzilla has validated the creation of. Here, we instead make up a fake object, trusting all the parameters on the URL. This is bad.

This code was added by LpSolit in bug 523205, and checked into the trunk (only) in October 2010. It is not present in 4.0, but is present in 4.2 and 4.4.

Gerv
(In reply to Gervase Markham [:gerv] from comment #1)
> This code was added by LpSolit in bug 523205

Not true. I didn't write this code. I only moved the code out of a subroutine when refactoring editflagtypes.cgi, but the code was already there since flags have been implemented in Bugzilla 2.18, see bug 98801. I can reproduce with 4.0 and 3.6 (didn't try with older releases, but the code didn't change).

I pasted in the URL field a reduced testcase.
URL: editflagtypes.cgi?id="><script>alert(...
Summary: XSS - editflagtypes.cgi → [SECURITY] XSS in editflagtypes.cgi
Target Milestone: --- → Bugzilla 4.0
Version: unspecified → 2.18
(In reply to Frédéric Buclin from comment #2)
> (In reply to Gervase Markham [:gerv] from comment #1)
> > This code was added by LpSolit in bug 523205
> 
> Not true. 

Ah, my apologies.

Anyway, assuming the admin is logged in (if he's not, the PoC fails), if he can be persuaded to load this URL then his cookies can be stolen. :-|

Should we eliminate all exceptions to the filtering requirements? Or would that be overkill?

Gerv
Neither "id" nor "sortkey" are sanitized or HTML-escaped when categoryAction-foo is set (it doesn't need to be a legal name as long as it starts with "categoryAction-"). So this URL works too (I replaced id by sortkey):

editflagtypes.cgi?sortkey="><script>alert(1)<%2Fscript>&categoryAction-foo=1
Assignee: administration → LpSolit
Status: NEW → ASSIGNED
Flags: blocking4.4.1+
Flags: blocking4.2.7+
Flags: blocking4.0.11+
Summary: [SECURITY] XSS in editflagtypes.cgi → [SECURITY] (XSS) "id" and "sortkey" are not sanitized when editing flag types if categoryAction-foo is set
(In reply to Gervase Markham [:gerv] from comment #3)
> can be persuaded to load this URL then his cookies can be stolen. :-|

Do not forget that credentials cannot be stolen due to the HttpOnly attribute set on cookies.

        Attachment #814861 -
        Flags: review?(dkl)

    
    

    
  


  

        Attachment #814867 -
        Flags: review?(dkl)

    
  
Keywords: wsec-xss

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch for 4.0Splinter Review
      

    


  
Things are worse in 4.0. "action" and "target_type" weren't HTML-escaped either.

        Attachment #814872 -
        Flags: review?(dkl)

    
    

    
  
Comment on attachment 814861 [details] [diff] [review]
patch for trunk, v1

Review of attachment 814861 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

        Attachment #814861 -
        Flags: review?(dkl) → review+

    
    

    
  
Comment on attachment 814867 [details] [diff] [review]
patch for 4.2 and 4.4, v1

Review of attachment 814867 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

        Attachment #814867 -
        Flags: review?(dkl) → review+

    
    

    
  
Comment on attachment 814872 [details] [diff] [review]
patch for 4.0

Review of attachment 814872 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl

        Attachment #814872 -
        Flags: review?(dkl) → review+
Flags: approval?
Flags: approval4.4?
Flags: approval4.2?
Flags: approval4.0?

    
    

    
  
Assigning CVE-2013-1742 to this bug
Alias: CVE-2013-1742

    
  
Blocks: 912643

    
  
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval+

    
  
Version: 2.18 → 2.17.1

    
    

    
  
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/filterexceptions.pl
modified template/en/default/admin/flag-type/edit.html.tmpl
Committed revision 8779.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified template/en/default/filterexceptions.pl
modified template/en/default/admin/flag-type/edit.html.tmpl
Committed revision 8625.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified template/en/default/filterexceptions.pl
modified template/en/default/admin/flag-type/edit.html.tmpl
Committed revision 8233.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified template/en/default/filterexceptions.pl
modified template/en/default/admin/flag-type/edit.html.tmpl
Committed revision 7761.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Group: bugzilla-security

    
    

    
  
Security advisory sent.
Flags: sec-bounty? → sec-bounty+
Keywords: sec-critical

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: