3274: xss in autocomplete
- Fixed
- Review Board
uchi*****@gmai***** (Google Code)
March 3, 2014
What version are you running?
2.0 beta 4 (dev)

What's the URL of the page containing the problem?
https://reviews.reviewboard.org/dashboard/

What steps will reproduce the problem?
1. Log in to Review Board.
2. Enter "uchi" in the search box in the upper right.
3. Script error.

What is the expected output? What do you see instead?

What operating system are you using? What browser?
Firefox 30

Please provide any additional information below.
This is an XSS vulnerability. It is caused by the ui.autocomplete output being inserted without HTML escaping. It will be fixed by this patch. (Sorry, I did not understand how to submit a patch for Review Board.)

Index: reviewboard/htdocs/media/rb/js/ui.autocomplete.js =================================================================== diff --git a/trunk/reviewboard/htdocs/media/rb/js/ui.autocomplete.js b/trunk/reviewboard/htdocs/media/rb/js/ui.autocomplete.js --- a/trunk/reviewboard/htdocs/media/rb/js/ui.autocomplete.js (revision 2200) +++ b/trunk/reviewboard/htdocs/media/rb/js/ui.autocomplete.js (working copy) @@ -424,7 +424,7 @@ multiple: false, multipleSeparator: ", ", highlight: function(value, term) { - return value.replace(new RegExp("(?![^&;]+;)(?!<[^<>]*)(" + term.replace(/([\^\$\(\)\[\]\{\}\*\.\+\?\|\\])/gi, "\\$1") + ")(?![^<>]*>)(?![^&;]+;)", "gi"), "<strong>$1</strong>"); + return $('<div>').text(value).html().replace(new RegExp("(?![^&;]+;)(?!<[^<>]*)(" + $('div').text(term).html().replace(/([\^\$\(\)\[\]\{\}\*\.\+\?\|\\])/gi, "\\$1") + ")(?![^<>]*>)(?![^&;]+;)", "gi"), "<strong>$1</strong>"); }, scroll: true, scrollHeight: 180
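Review bot: In the `+` line, `$('div').text(term).html()` is a tag-name selector, not the `$('<div>')` element constructor used for `value` a few characters earlier, so it selects every existing `<div>` in the document, overwrites the text of each with the search term, and returns the first one's inner HTML; that corrupts the page and does not reliably escape anything. Either build a detached element as for `value` (`$('<div>').text(term).html()`) or leave `term` unescaped, since it is already regex-escaped and only used as a pattern, never inserted into the output. The hunk also only touches `highlight`; whether the escaped `value` is the sole path by which suggestion text reaches the DOM cannot be judged from this hunk and needs checking at the call site.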
A mistake: the term does not need to be escaped.

Index: reviewboard/htdocs/media/rb/js/ui.autocomplete.js =================================================================== diff --git a/trunk/reviewboard/htdocs/media/rb/js/ui.autocomplete.js b/trunk/reviewboard/htdocs/media/rb/js/ui.autocomplete.js --- a/trunk/reviewboard/htdocs/media/rb/js/ui.autocomplete.js (revision 2200) +++ b/trunk/reviewboard/htdocs/media/rb/js/ui.autocomplete.js (working copy) @@ -424,7 +424,7 @@ multiple: false, multipleSeparator: ", ", highlight: function(value, term) { - return value.replace(new RegExp("(?![^&;]+;)(?!<[^<>]*)(" + term.replace(/([\^\$\(\)\[\]\{\}\*\.\+\?\|\\])/gi, "\\$1") + ")(?![^<>]*>)(?![^&;]+;)", "gi"), "<strong>$1</strong>"); + return $('<div>').text(value).html().replace(new RegExp("(?![^&;]+;)(?!<[^<>]*)(" + term.replace(/([\^\$\(\)\[\]\{\}\*\.\+\?\|\\])/gi, "\\$1") + ")(?![^<>]*>)(?![^&;]+;)", "gi"), "<strong>$1</strong>"); }, scroll: true, scrollHeight: 180
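Review bot: With `value` now entity-encoded but `term` left raw, a search term containing `&`, `<` or `>` no longer finds its encoded counterpart in the escaped string, so such matches are simply not highlighted. That is the safe failure mode, but it deserves a one-line comment next to `highlight` so a later maintainer does not "fix" the missing highlight by removing the `$('<div>').text(value).html()` escape. As with the first version, the hunk changes only `highlight`; any other place that inserts the raw suggestion value into the DOM is outside this diff and needs the same treatment.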
Thanks. In the future, please submit XSS vulnerabilities to security@reviewboard.org. We'd also appreciate the patch being posted to https://reviews.reviewboard.org. I also don't understand your repro case. How does "uchi" cause any sort of issue?
+ NeedInfo
> I also don't understand your repro case. How does "uchi" cause any sort of issue?

I entered "<script>alert('uchida')</scrip" as the First name in my Profile. If you type "uchi" in this state, my First name is output as HTML without HTML escaping.

> We'd also appreciate the patch being posted to https://reviews.reviewboard.org.

Is this right? https://reviews.reviewboard.org/r/5570/
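The repro described above, as an added example that is not Review Board's code and uses no jQuery: the autocomplete `highlight` callback in its original form and in the escaped form from the second patch, run in Node on a constructed value standing in for a profile first name. `escapeHtml` is an assumed stand-in for jQuery's `$('<div>').text(value).html()`, encoding the three characters a text node serialises as entities; the sample name and search terms are constructed for the example.

```javascript
// Added example, not Review Board's code: the autocomplete "highlight"
// callback before and after HTML-escaping, without jQuery.

// Escape regex metacharacters in the search term, as the page's patch does,
// so the term is matched literally rather than interpreted as a pattern.
function regexEscape(term) {
  return term.replace(/([\^\$\(\)\[\]\{\}\*\.\+\?\|\\])/gi, "\\$1");
}

// The highlighting regex from the patch: wrap each match in <strong>, using
// lookaheads that try not to match inside an existing tag or entity.
function highlightRegex(term) {
  return new RegExp(
    "(?![^&;]+;)(?!<[^<>]*)(" + regexEscape(term) + ")(?![^<>]*>)(?![^&;]+;)",
    "gi");
}

// Original (vulnerable) form: `value` comes back as HTML with only <strong>
// added, so any markup stored in the user's profile field is rendered as is.
function highlightVulnerable(value, term) {
  return value.replace(highlightRegex(term), "<strong>$1</strong>");
}

// Assumed stand-in for jQuery's $('<div>').text(value).html(): encode the
// characters a text node serialises as entities (&, <, >).
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened form (what the second patch does): escape `value` first, then
// apply the same regex, so the only markup in the result is the <strong>
// tags this function adds itself.
function highlightEscaped(value, term) {
  return escapeHtml(value).replace(highlightRegex(term), "<strong>$1</strong>");
}

// Constructed sample: a first name carrying a script tag, searched for "uchi".
const SAMPLE_FIRST_NAME = "<script>alert('uchida')</script>";

// Both outputs for the constructed sample, for inspection or assertion.
function demo() {
  return {
    vulnerable: highlightVulnerable(SAMPLE_FIRST_NAME, "uchi"),
    escaped: highlightEscaped(SAMPLE_FIRST_NAME, "uchi"),
  };
}

console.log(demo());
```

The vulnerable form leaves the `<script>` element intact around the highlighted match; the escaped form returns `&lt;script&gt;...&lt;/script&gt;` with only the `<strong>` wrapper as live markup. A term that itself contains `<` or `&` no longer matches the encoded value and is left unhighlighted, which is the harmless direction to fail in.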
Yep, that's right. The change wasn't quite right, but I fixed up the vulnerability. Thanks for letting us know. Fixed on revision 6506529.
- NeedInfo + Fixed
- Priority-Medium + Priority-Critical + Milestone-Release1.7.x
+ chipx86
Sorry, I did not check properly. Thanks.