Closed Bug 1251731 Opened 8 years ago Closed 8 years ago

XSS vulnerability through malicious attachment names

Categories

(bugzilla.mozilla.org :: Splinter, defect)

Production
defect
Not set
normal

Tracking


RESOLVED FIXED

People

(Reporter: jwkbugzilla, Assigned: dkl)

Details

(Keywords: sec-critical, wsec-xss)

Attachments

(1 file, 1 obsolete file)

Steps to reproduce:

1. Create a draft review under https://bugzilla-dev.allizom.org/page.cgi?id=splinter.html&bug=1154241&attachment=8591766
2. Go to https://bugzilla-dev.allizom.org/page.cgi?id=splinter.html

You will see an alert message saying "xss". The issue is caused by this line:

https://github.com/mozilla/webtools-bmo-bugzilla/blob/1f1f0d3276bef3844e8d381ba8277585c671466e/extensions/Splinter/web/splinter.js#L2531

It will assign the name of the attachment to innerHTML without any escaping.
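The pattern the report describes, as an added example that is not the Splinter code or the patch that fixed it: an untrusted attachment name concatenated into markup, next to the escaping that neutralises it and the textContent alternative. The sample name is the one from the test attachment on this bug; the function names are illustrative.

```javascript
// Added illustration of the bug class, not code from Splinter.
// Runs under Node; the DOM element at the end is a stand-in object.

// Attachment name copied from the test attachment on this bug (constructed input).
const MALICIOUS_NAME = '<img src=d onerror=alert("xss")>';

// Escape the characters that can change meaning in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the name becomes part of the markup that later goes to innerHTML,
// so a name containing a tag is parsed and executed by the browser.
function renderAttachmentUnsafe(attachment) {
  return '<span class="attachment-name">' + attachment.name + '</span>';
}

// Hardened: the same fragment, but every untrusted value is escaped first,
// so the name is displayed literally and never parsed as a tag.
function renderAttachmentSafe(attachment) {
  return '<span class="attachment-name">' + escapeHtml(attachment.name) + '</span>';
}

// Simplest fix in the browser: do not build markup at all. Assigning to
// textContent creates a text node, which the parser never interprets.
function setAttachmentName(element, name) {
  element.textContent = name;
  return element;
}

// Quick check a reviewer can apply to either renderer: does the output still
// contain a start tag that did not come from the template itself?
function leaksTag(html) {
  const withoutTemplate = html.replace(/^<span class="attachment-name">|<\/span>$/g, '');
  return /<[a-z]/i.test(withoutTemplate);
}
```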
Assignee: nobody → dkl
Status: NEW → ASSIGNED
Attached patch 1251731_1.patch
Attachment #8724273 - Flags: review?(dylan)
Comment on attachment 8724273 [details] [diff] [review]
1251731_1.patch

Review of attachment 8724273 [details] [diff] [review]:
-----------------------------------------------------------------

r=dylan

fixes xss, doesn't seem to break splinter horribly.
Attachment #8724273 - Flags: review?(dylan) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   110b14a..be2d5f9  master -> master
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Attached file <img src=d onerror=alert("xss")>" (obsolete) (deleted)
Testing this bug on prod
The content of attachment 8724698 [details] has been deleted for the following reason:

just needed to test this bug itself.
Group: bugzilla-security
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+