Closed Bug 957826 Opened 10 years ago Closed 10 years ago

XSS in the comment tag field

Categories

(Bugzilla :: Creating/Changing Bugs, defect)

Product:
Bugzilla
Component:
Creating/Changing Bugs
Version:
4.5.1
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 5.0

People

(Reporter: netfuzzerr, Assigned: LpSolit)

References

Details

Attachments

(2 files)

screenshot.PNG
55.89 KB, image/png
Details
patch, v1
789 bytes, patch
glob
: review+
Details | Diff | Splinter Review 
User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Steps to reproduce:

Hi,

there's a xss vulnerability in bugzilla tag field that allows attackers to do phishing attacks.

Reproduce:
1. While logged on landfill , go to https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=23120.
2. Click in on tag field.
3. after put "<iframe/onload=alert(1)>" in the text field.
4. Press enter
5. See the xss

Cheers,
Mario
Attached image screenshot.PNG 

    
    

    
  
The tag is rejected by Bugzilla and so you can only affect yourself.
Assignee: general → create-and-change
Severity: normal → minor
Status: UNCONFIRMED → NEW
Component: Bugzilla-General → Creating/Changing Bugs
Ever confirmed: true
Summary: xss in bugzilla tag field → XSS in the comment tag field
Target Milestone: --- → Bugzilla 5.0
Version: unspecified → 4.5.1

    
  
Depends on: 793963

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch, v1Splinter Review
      

    


  
Assignee: create-and-change → LpSolit
Status: NEW → ASSIGNED

        Attachment #8357462 -
        Flags: review?(glob)

        Attachment #8357462 -
        Flags: review?(dkl)

    
    

    
  
Note that ideally, the invalid tag shouldn't be displayed in the tags list at all. The validation should occur first, and the tag be added to the list next, only if no error has been thrown.

    
    

    
  
Comment on attachment 8357462 [details] [diff] [review]
patch, v1

r=glob

(In reply to Frédéric Buclin from comment #4)
> Note that ideally, the invalid tag shouldn't be displayed in the tags list
> at all. The validation should occur first, and the tag be added to the list
> next, only if no error has been thrown.

while this is correct from a purely technical perspective, i disagree that this is the ideal situation from a responsiveness point of view.

        Attachment #8357462 -
        Flags: review?(glob)

        Attachment #8357462 -
        Flags: review?(dkl)

        Attachment #8357462 -
        Flags: review+

    
    

    
  
(In reply to Byron Jones ‹:glob› (unavailable until Jan 12th) from comment #5)
> while this is correct from a purely technical perspective, i disagree that
> this is the ideal situation from a responsiveness point of view.

It wouldn't be too hard to put the regexp in the JS code too. It's a simple one.
Flags: approval?

    
    

    
  
Since we don't have any releases that contain this yet, okay to commit without waiting.
Flags: approval? → approval+

    
    

    
  
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified js/comment-tagging.js
Committed revision 8859.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: