Subscriber AJAX widget vulnerable to script injection

Bug #394032 reported by Gavin Panella
Affects                    Status        Importance  Assigned to    Milestone
LAZR Javascript Library    Fix Released  High        Gavin Panella
Launchpad itself           Fix Released  High        Gavin Panella

Bug Description

To reproduce:

  1. Run launchpad.dev.

  2. Log in as Foo Bar (name16).

  3. Change display name to "Foo Bar <script>alert('Foo');</script>".

  4. Log in as Sample Person (name12).

  5. Visit bug 1.

  6. Subscribe someone else: name16.

  7. Foo

Tags: lp-bugs
Gavin Panella (allenap) wrote :

Looks like the value for LP.client.cache['bug'] is not escaped
properly either because I can see JSON at the bottom of the page.

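The comment above points at a second injection point: the JSON for LP.client.cache is written straight into the page. The following is an added example, not Launchpad's own code, and it assumes the cache is emitted as a JSON literal inside an inline <script> block (the cache name comes from the comment; the subscriber record and the helper names are constructed for illustration). It shows why plain JSON.stringify is not enough there and how to serialise the same data so the HTML parser cannot close the script block early.

```javascript
// Added example, not Launchpad code. Assumption: LP.client.cache is written
// into an inline <script> block as a JSON literal, so a display name that
// contains "</script>" would end that block inside the HTML parser.
const HOSTILE_CACHE = {
  bug: {
    id: 1,
    subscribers: [
      { name: 'name16', display_name: "Foo Bar <script>alert('Foo');</script>" },
    ],
  },
}; // constructed sample mirroring the report's reproduction steps

// Plain JSON.stringify leaves '<' and '>' intact. That is correct for a data
// response but not for a JSON literal embedded in an HTML page.
function naiveInlineScript(cache) {
  return '<script>LP.client.cache = ' + JSON.stringify(cache) + ';</script>';
}

// Serialise JSON so it can sit inside <script>: replace the characters the
// HTML parser reacts to with JSON \u escapes. JSON.parse and the JS engine
// read them back unchanged, so the data is identical. U+2028/U+2029 are
// escaped because they are line terminators in JavaScript but not in JSON.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function safeInlineScript(cache) {
  return '<script>LP.client.cache = ' + jsonForInlineScript(cache) + ';</script>';
}

// Reviewer's check: the markup must contain exactly one closing script tag
// (the one we wrote) and the embedded data must round-trip unchanged.
function inlineScriptIsSafe(markup, original) {
  const closes = (markup.match(/<\/script/gi) || []).length;
  const prefix = '<script>LP.client.cache = ';
  const suffix = ';</script>';
  const body = markup.slice(prefix.length, -suffix.length);
  return closes === 1 && JSON.stringify(JSON.parse(body)) === JSON.stringify(original);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive:', inlineScriptIsSafe(naiveInlineScript(HOSTILE_CACHE), HOSTILE_CACHE));
  console.log('safe: ', inlineScriptIsSafe(safeInlineScript(HOSTILE_CACHE), HOSTILE_CACHE));
}
```

The escaping is done on the JSON text rather than on the values, so it applies uniformly to every string in the cache, including ones added later, and the client-side consumer needs no change because a JSON parser decodes the \u escapes back to the original characters.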
Gavin Panella (allenap)
Changed in malone:
assignee: nobody → Gavin Panella (allenap)
importance: Undecided → High
milestone: none → 2.2.7
status: New → In Progress
Deryck Hodge (deryck) wrote :

The specific problem mentioned here of the overlay firing the alert is in the lazr-js picker. Attaching a first pass at a patch, just to demonstrate the area of the code that needs looking at. However, I think the patch should be extended and the picker should be looked over carefully as I am sure there are other areas where createTextNode should be used to safely escape the json data being inserted.

Deryck Hodge (deryck) wrote :

I opened a bugtask against lazr-js since this problem affects the picker. And I would imagine we are quite open to XSS where we use the pattern of Y.Node.create(some_list_of_strings.join('')) and that pattern is everywhere.

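Deryck's two comments above describe the vulnerable pattern (joining strings into markup and handing the result to Y.Node.create) and the fix (createTextNode). The following is an added example and is not code from lazr-js or Launchpad: it puts the unsafe pattern next to two safe alternatives using a constructed display name taken from the report's reproduction steps. The subscriber list item markup, the helper names and the minimal stand-in for `document` are assumptions so that the code runs outside a browser; in real use `doc` would be the browser's `document` and the returned element would be appended to the page instead of serialised.

```javascript
// Added example, not code from lazr-js or Launchpad: the "join strings, then
// parse" pattern next to two safe alternatives.
// Constructed display name mirroring the bug report's reproduction step.
const HOSTILE_DISPLAY_NAME = "Foo Bar <script>alert('Foo');</script>";

// Vulnerable pattern: untrusted text is concatenated into markup that will be
// parsed (Y.Node.create in lazr-js, innerHTML in a plain browser DOM). The
// display name's tags become real elements.
function unsafeSubscriberMarkup(displayName) {
  return ['<li class="subscriber">', displayName, '</li>'].join('');
}

// Escape the characters that change meaning inside HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Mitigation 1: escape before interpolating. Adequate when markup really must
// be built as a string, but every interpolation point has to remember it.
function escapedSubscriberMarkup(displayName) {
  return ['<li class="subscriber">', escapeHtml(displayName), '</li>'].join('');
}

// Mitigation 2 (the fix suggested in the thread): never parse the untrusted
// text at all. Build the element and attach the name as a text node.
function subscriberNode(doc, displayName) {
  const li = doc.createElement('li');
  li.className = 'subscriber';
  li.appendChild(doc.createTextNode(displayName));
  return li;
}

// Minimal stand-in for `document` (an assumption so this runs in Node.js).
// It serialises the way a browser does: text-node data is always escaped.
const fakeDocument = {
  createElement(tag) {
    return {
      tag,
      className: '',
      children: [],
      appendChild(child) { this.children.push(child); return child; },
    };
  },
  createTextNode(data) {
    return { text: data };
  },
};

function serialize(node) {
  if ('text' in node) return escapeHtml(node.text);
  const cls = node.className ? ` class="${escapeHtml(node.className)}"` : '';
  return `<${node.tag}${cls}>${node.children.map(serialize).join('')}</${node.tag}>`;
}

// Simple check to run over rendered markup: does a script element survive?
// Returns true when the output is unsafe.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Render the constructed hostile name through all three paths.
function demo() {
  return {
    unsafe: unsafeSubscriberMarkup(HOSTILE_DISPLAY_NAME),
    escaped: escapedSubscriberMarkup(HOSTILE_DISPLAY_NAME),
    viaTextNode: serialize(subscriberNode(fakeDocument, HOSTILE_DISPLAY_NAME)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, html] of Object.entries(demo())) {
    console.log(label, containsScriptElement(html) ? 'UNSAFE' : 'ok', html);
  }
}
```

The text-node route is the one worth standardising on: the parser never sees the untrusted value, so there is no escaping step to forget at each of the many Y.Node.create(some_list.join('')) sites the comment mentions.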
Gavin Panella (allenap) wrote :

Just to clarify, the issue when subscribing another user needs fixing
in lazr-js. There is also an issue when subscribing (self) to a bug,
and this needs fixing in malone.

Changed in lazr-js:
importance: Undecided → High
status: New → Triaged
Gavin Panella (allenap)
Changed in lazr-js:
assignee: nobody → Gavin Panella (allenap)
status: Triaged → In Progress
Diogo Matsubara (matsubara) wrote : Bug fixed by a commit

Fixed in devel r8833.

Changed in malone:
status: In Progress → Fix Committed
Gavin Panella (allenap)
Changed in lazr-js:
status: In Progress → Fix Committed
Gavin Panella (allenap) wrote :

Cherrypicked to edge and production.

 status fixreleased
 affects lazr-js
 status fixreleased
 affects malone

Changed in lazr-js:
status: Fix Committed → Fix Released
Gavin Panella (allenap)
Changed in malone:
status: Fix Committed → Fix Released
Curtis Hovey (sinzui)
visibility: private → public
This report contains Public Security information.
Everyone can see this security related information.
