Closed Bug 934543 Opened 11 years ago Closed 11 years ago

Categories: bugzilla.mozilla.org :: Extensions (defect)
Version: Production
Priority: Not set
Severity: normal
Status: VERIFIED FIXED
People: Reporter: netfuzzerr, Unassigned
Keywords: reporter-external, sec-critical, wsec-xss
Whiteboard: [site:bugzilla.mozilla.org][reporter-external]
Attachments: 1 file
User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36

Steps to reproduce:

Hi, there's a persistent XSS vulnerability on the page https://bugzilla.mozilla.org/user_profile?login=. The vulnerability occurs because the page doesn't correctly escape the user's name, resulting in a persistent XSS vulnerability.

Actual results:

PoC: https://bugzilla.mozilla.org/user_profile?login=netfuzzerr%40gmail.com

source
=========
...[SNIP]...
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head><meta property="og:type" content="website">
<meta property="og:image" content="https://bugzilla.mozilla.org/extensions/OpenGraph/web/bugzilla.png">
<meta property="og:title" content="User Profile: Mario Gomes( aaaa"'><img src=x onerror=confirm(4);> ) <netfuzzerr@gmail.com>">
<meta property="og:url" content="https://bugzilla.mozilla.org/user_profile?id=user_profile.html&login=netfuzzerr%40gmail.com">
<title>User Profile: Mario Gomes( aaaa"'><img src=x onerror=confirm(4);> ) <netfuzzerr@gmail.com></title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link rel="Top" href="https://bugzilla.mozilla.org/">
....[snip].....
=================
User profiles are BMO only addition.
Assignee: general → nobody
Component: Bugzilla-General → Extensions: UserProfile
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Version: unspecified → Production
Assignee: nobody → glob
Flags: sec-bounty?
Whiteboard: [site:bugzilla.mozilla.org][reporter-external]
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to Teemu Mannermaa (:wicked) from comment #1)
> User profiles are BMO only addition.

As is the Open Graph stuff, which are the headers that are being exploited here.
Component: Extensions: UserProfile → Extensions: Other
Actually, the title element, too, so both places failed...
Our header templates (and template hooks) expect the title to already be HTML-encoded, so the issue is with the UserProfile extension. I'll fix it there, and audit all the code for unescaped titles.
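The contract described above, as an added illustration that is not code from this bug or from BMO's templates: a shared header that expects an already-encoded title, a profile page that handed it raw user data, and the same page encoding once before the hand-off. Python stands in for Template Toolkit; render_header, user_profile_vulnerable, user_profile_fixed, the two audit helpers, and the sample name and login are all constructed for this example.

```python
"""Illustrative example (not BMO code): a header template that trusts its
caller to pre-encode the title, and a caller that did not."""
import re
from html import escape, unescape

# Constructed sample values, modelled on the payload shown in the report.
ATTACKER_NAME = 'Mario Gomes( aaaa"\'><img src=x onerror=confirm(4);> )'
LOGIN = "user@example.org"


def render_header(title):
    """Hypothetical stand-in for the shared header template.

    Like the header template hooks described in the bug, it assumes
    `title` is ALREADY HTML-encoded and interpolates it verbatim into
    both an attribute value (og:title) and an element (<title>)."""
    return ('<meta property="og:title" content="%s">\n'
            '<title>%s</title>' % (title, title))


def profile_title(name, login):
    """The page-specific title, built from user-controlled data."""
    return "User Profile: %s <%s>" % (name, login)


def user_profile_vulnerable(name, login):
    """Violates the contract: raw user data goes straight to the header."""
    return render_header(profile_title(name, login))


def user_profile_fixed(name, login):
    """Encodes the whole title exactly once, before it reaches the header.

    quote=True also turns " and ' into entities; that is what stops the
    og:title content="..." attribute from being closed early by the name."""
    return render_header(escape(profile_title(name, login), quote=True))


def og_title_value(html_out):
    """The og:title attribute value as a browser would delimit it."""
    m = re.search(r'content="([^"]*)"', html_out)
    return m.group(1) if m else None


def og_title_decoded(html_out):
    """The attribute value after entity decoding, i.e. what a consumer
    of the Open Graph metadata would actually read."""
    value = og_title_value(html_out)
    return None if value is None else unescape(value)


def has_injected_img(html_out):
    """Crude audit check: a literal <img start tag anywhere in the output."""
    return re.search(r'<img\b', html_out) is not None


if __name__ == "__main__":
    bad = user_profile_vulnerable(ATTACKER_NAME, LOGIN)
    good = user_profile_fixed(ATTACKER_NAME, LOGIN)
    print("vulnerable og:title attribute:", repr(og_title_value(bad)))
    print("vulnerable has <img tag:", has_injected_img(bad))
    print("fixed og:title decoded:     ", repr(og_title_decoded(good)))
    print("fixed has <img tag:", has_injected_img(good))
```

In the vulnerable rendering the attribute value ends at the first `"` inside the name, so everything after it becomes markup; in the fixed rendering the whole name survives as text, and decoding the attribute gives back the original title without any tag having been created. The same single-encode-at-the-hand-off rule is what an audit for unescaped titles is looking for in every caller of the header.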
Component: Extensions: Other → Extensions: UserProfile
Attached patch 934543_1.patch (Splinter Review)
userprofile was the only place i found this particular foot-gun.
Attachment #826916 - Flags: review?(dkl)
Comment on attachment 826916: 934543_1.patch

Review of attachment 826916:
-----------------------------------------------------------------
r=dkl
Attachment #826916 - Flags: review?(dkl) → review+
Flags: sec-bounty? → sec-bounty+
> Flags: sec-bounty? → sec-bounty+

Thanks! ;)
Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.2/ modified extensions/UserProfile/template/en/default/pages/user_profile.html.tmpl Committed revision 9130.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Group: bugzilla-security
Status: RESOLVED → VERIFIED
Assignee: glob → nobody
Component: Extensions: UserProfile → Extensions