Status: VERIFIED FIXED

Product: bugzilla.mozilla.org
Component: Extensions: UserProfile
Version: Production
Reported: 5 years ago
Modified: 4 years ago

People: Reporter: Mario Gomes, Assigned: glob

Tracking: Blocks: 1 bug
Keywords: sec-critical, wsec-xss
Bug Flags: sec-bounty +

Whiteboard: [site:bugzilla.mozilla.org][reporter-external]

Attachments: 1 attachment

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36

Steps to reproduce:

Hi,

There's a persistent XSS vulnerability on the page https://bugzilla.mozilla.org/user_profile?login=. The vulnerability occurs because the page didn't correctly escape the user's name, resulting in a persistent XSS vulnerability.


Actual results:

PoC: https://bugzilla.mozilla.org/user_profile?login=netfuzzerr%40gmail.com

source
=========
...[SNIP]...
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
                      "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
  <head><meta property="og:type" content="website">
<meta property="og:image" content="https://bugzilla.mozilla.org/extensions/OpenGraph/web/bugzilla.png">
<meta property="og:title" content="User Profile: Mario Gomes( aaaa"'><img src=x onerror=confirm(4);> ) <netfuzzerr@gmail.com>">
<meta property="og:url" content="https://bugzilla.mozilla.org/user_profile?id=user_profile.html&login=netfuzzerr%40gmail.com">
    <title>User Profile: Mario Gomes( aaaa"'><img src=x onerror=confirm(4);> ) <netfuzzerr@gmail.com></title>

      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">


<link rel="Top" href="https://bugzilla.mozilla.org/">
....[snip].....
=================
Comment 1

User profiles are BMO only addition.
Assignee: general → nobody
Component: Bugzilla-General → Extensions: UserProfile
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Version: unspecified → Production
(Assignee)

Updated

5 years ago
Assignee: nobody → glob

Updated

5 years ago
Blocks: 835424
Flags: sec-bounty?
Keywords: sec-critical, wsec-xss
Whiteboard: [site:bugzilla.mozilla.org][reporter-external]

Updated

5 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2

(In reply to Teemu Mannermaa (:wicked) from comment #1)
> User profiles are BMO only addition.

As is the Open Graph stuff, which are the headers that are being exploited here.
Component: Extensions: UserProfile → Extensions: Other

Comment 3

Actually, the title element, too, so both places failed...
(Assignee)

Comment 4

5 years ago
Our header templates (and template hooks) expect the title to already be HTML-encoded, so the issue is with the UserProfile extension.

I'll fix it there, and audit all the code for unescaped titles.
Component: Extensions: Other → Extensions: UserProfile
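The contract comment 4 describes (header templates trust that the title they receive is already HTML-encoded, so the extension that builds the title must encode it) is easy to model and to check. The Python below is an added illustration written for this page; it is not BMO's code and not the committed patch, which the page does not reproduce. `header_template`, `title_vulnerable`, `title_fixed` and `unexpected_tags` are hypothetical names, and the sample real name is constructed from the payload shown in the description.

```python
import html
import re

# Constructed sample input, modelled on the PoC in the description: a real
# name carrying an attribute breakout and an <img onerror> payload.
REAL_NAME = 'Mario Gomes( aaaa"\'><img src=x onerror=confirm(4);> )'
LOGIN = "netfuzzerr@gmail.com"


def header_template(title):
    """Hypothetical model of the contract in comment 4: the header template
    trusts that `title` is already HTML-encoded and writes it verbatim into
    both the og:title attribute value and the <title> element."""
    return (
        f'<meta property="og:title" content="{title}">\n'
        f"<title>{title}</title>"
    )


def title_vulnerable(real_name, login):
    """The bug: the raw, user-controlled name is handed to the header template."""
    return f"User Profile: {real_name} <{login}>"


def title_fixed(real_name, login):
    """The fix: encode where the title is built, honouring the contract.
    quote=True also turns " and ' into entities, which is what closes the
    breakout from the content="..." attribute value."""
    return html.escape(f"User Profile: {real_name} <{login}>", quote=True)


# Anything that starts like an HTML start tag. Deliberately crude: a browser
# tokenizer is not a regex, but this is enough to spot a breakout in output.
START_TAG_RE = re.compile(r"<([a-zA-Z][^\s>/]*)")


def unexpected_tags(head_html, expected=("meta", "title")):
    """Audit check: return the start tags in rendered head markup that the
    template never intended to emit. An empty list means no breakout."""
    return [
        m.group(1)
        for m in START_TAG_RE.finditer(head_html)
        if m.group(1).lower() not in expected
    ]


if __name__ == "__main__":
    bad = header_template(title_vulnerable(REAL_NAME, LOGIN))
    good = header_template(title_fixed(REAL_NAME, LOGIN))
    # The raw name opens <img ...> twice (once per output location); the
    # email address in angle brackets is tokenised as a start tag as well.
    print("vulnerable:", unexpected_tags(bad))   # ['img', 'netfuzzerr@gmail.com', 'img', 'netfuzzerr@gmail.com']
    print("fixed:     ", unexpected_tags(good))  # []
```

With this particular payload it is the og:title attribute that fires: the `"` ends the attribute value and the `<img onerror>` becomes a real element. Inside `<title>` the same bytes stay inert, because the element's content is RCDATA and only a `</title>` in the payload would break out of it, which is why both output locations need the encoded value rather than just the one the PoC happened to hit. Encoding once, at the point the title is produced, is what keeps the header template's "already encoded" assumption true without double-encoding.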
(Assignee)

Comment 5

5 years ago
Created attachment 826916 [details] [diff] [review]
934543_1.patch

UserProfile was the only place I found this particular foot-gun.
Attachment #826916 - Flags: review?(dkl)
Comment 6

Comment on attachment 826916 [details] [diff] [review]
934543_1.patch

Review of attachment 826916 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #826916 - Flags: review?(dkl) → review+
Flags: sec-bounty? → sec-bounty+
(Reporter)

Comment 8

5 years ago
>>> Flags: sec-bounty? → sec-bounty+

Thanks! ;)
(Assignee)

Comment 9

5 years ago
Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.2/
modified extensions/UserProfile/template/en/default/pages/user_profile.html.tmpl
Committed revision 9130.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Updated

5 years ago
Group: bugzilla-security
Status: RESOLVED → VERIFIED