eZ Publish / Platform: EZP-29699

XSS vulnerability in 'disabled module' error template

    Details

    • Type: Bug
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 5.3.12, 5.4.12
    • Fix Version/s: Customer request
    • Labels:
    • Environment:

      Mozilla FF (tested on the current latest version 62.0.2 but Customer observed it also on IE 11.0.9600.19100 and Firefox 52.8.0). Chrome and Safari are not affected.

      Description

      Update: Fixed in v2018.09.1.2, v2018.06.1.3, v2017.12.4.2, v5.4.12.2, v5.3.12.5

      Customer observed an issue where JS code is run from a properly formatted URL, e.g. http://mysite.com/%3Cimg%20src=0%20onError=alert(document.cookie)%3E.

      Steps to reproduce:
      1. Edit the [SiteAccessRules] section located in ezpublish_legacy/settings/site.ini and enable the following lines:

      [SiteAccessRules]
      Rules[]
      Rules[]=access;disable
      Rules[]=moduleall

      2. Clear all the caches.
      3. Visit your site URL and add a suffix such as: <img src="" onError=alert(document.cookie)>.
      4. See that a JS alert window is shown.
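The escaping step such an error template needs, as an added PHP illustration (not eZ Publish's code and not the fix in the linked commits): the page wording and function names are assumptions, the request path is the sample from the report decoded the way PHP receives it, and the check function is the kind of regression test QA could run against the rendered page.

```php
<?php
// Added illustration, not eZ Publish code and not the fix from the linked
// commits: a minimal "module disabled" error page that reflects the requested
// path, shown once without and once with HTML escaping.

// Constructed sample: the URL suffix from the report, exactly as the web
// server hands the decoded path to PHP.
$requestPath = rawurldecode('%3Cimg%20src=0%20onError=alert(document.cookie)%3E');

// Vulnerable form (assumed shape, for contrast): the untrusted path is
// interpolated into the markup verbatim, so any tag in it becomes live HTML.
function renderDisabledModuleErrorVulnerable($requestPath)
{
    return "<h1>Module disabled</h1>\n"
         . "<p>The module \"" . $requestPath . "\" is disabled for this siteaccess.</p>\n";
}

// Context-aware escaping for HTML text nodes and quoted attributes.
// ENT_QUOTES converts both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string (which would silently blank the
// message and hide the problem).
function escapeHtml($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: the same template, with every untrusted value escaped at the
// point where it enters the markup (the role the wash operator plays in an eZ
// legacy template).
function renderDisabledModuleErrorSafe($requestPath)
{
    return "<h1>Module disabled</h1>\n"
         . "<p>The module \"" . escapeHtml($requestPath) . "\" is disabled for this siteaccess.</p>\n";
}

// Regression check usable in a test suite: the raw input must not survive in
// the output, and the only tags present must be the template's own.
function reflectsRawMarkup($html, $untrusted)
{
    $ownTags  = array('<h1>', '</h1>', '<p>', '</p>');
    $stripped = str_replace($ownTags, '', $html);
    return strpos($html, $untrusted) !== false || strpos($stripped, '<') !== false;
}

$vulnerable = renderDisabledModuleErrorVulnerable($requestPath);
$safe       = renderDisabledModuleErrorSafe($requestPath);

printf("vulnerable template reflects raw markup: %s\n", reflectsRawMarkup($vulnerable, $requestPath) ? 'yes' : 'no');
printf("hardened template reflects raw markup:   %s\n", reflectsRawMarkup($safe, $requestPath) ? 'yes' : 'no');
echo $safe;
```

The browser-specific observation in the Environment field (Firefox and IE affected, Chrome and Safari not) is consistent with differences in client-side reflected-XSS filtering, which varies by browser and version and is not a mitigation; escaping at the point of output in the template is the fix that holds for every client.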

        Activity

        Konrad Oboza created issue
        Konrad Oboza made changes:
          Status: Open -> Confirmed
        Konrad Oboza made changes:
          Status: Confirmed -> InputQ
        Gunnstein Lye logged work - 04/Oct/18 11:00 AM
          Time Spent: 1 hour

        Konrad Oboza made changes:
          Link: This issue relates to CS-7027
        Konrad Oboza made changes:
          Status: InputQ -> Development
          Assignee: Konrad Oboza (konrad.oboza@ez.no)
        Konrad Oboza made changes:
          Status: Development -> Development Review
        Gunnstein Lye added a comment:
          QA, please test:
          v5.3.12.4-security branch: https://github.com/ezsystems/ezpublish-legacy-ee/commit/f9318582125d379f669a9df64e98be37221811b0
          v5.4.12.1-security branch: https://github.com/ezsystems/ezpublish-legacy-ee/commit/0f1f20f0ff70ba68f7c153d007db2fd3cbcf65ce
        Gunnstein Lye made changes:
          Status: Development Review -> Documentation Review done
          Affects Version/s: 5.3.12
          Assignee: Konrad Oboza (konrad.oboza@ez.no)
        Gunnstein Lye made changes:
          Remaining Estimate: 0 minutes
          Time Spent: 1 hour
          Worklog Id: 68713
        Michał Szołtysek made changes:
          Assignee: Michał Szołtysek (michal.szoltysek@ez.no)
        Michał Szołtysek made changes:
          Status: Documentation Review done -> QA
        Michał Szołtysek added a comment:
          QA Approved on v5.3.12 & v5.4.12 with diffs from the above.
          JS code was not run.
          Didn't find any issues with basic sanities in default setup.
        Michał Szołtysek made changes:
          Status: QA -> QA Done
          Assignee: Michał Szołtysek (michal.szoltysek@ez.no)
        Gunnstein Lye logged work - 17/Oct/18 1:00 PM
          Time Spent: 2 hours

        Gunnstein Lye made changes:
          Status: QA Done -> Deploy
          Assignee: Gunnstein Lye (gunnstein.lye@ez.no)
          Resolution: Fixed
        Gunnstein Lye made changes:
          Time Spent: 1 hour -> 3 hours
          Worklog Id: 68747
        Gunnstein Lye logged work - 31/Oct/18 12:00 PM
          Time Spent: 2 hours

        Gunnstein Lye made changes:
          Time Spent: 3 hours -> 5 hours
          Worklog Id: 68800
        Gunnstein Lye logged work - 01/Nov/18 10:00 AM
          Time Spent: 2 hours

        Gunnstein Lye added a comment (edited):
          Distributed publicly for Community as EZSA-2018-006 at 2018-11-01
          http://share.ez.no/community-project/security-advisories/ezsa-2018-006-xss-vulnerability-in-disabled-module-error-template
          Tagged v2018.09.1.2, v2018.06.1.3, v2017.12.4.2

          security-advisories PR https://github.com/FriendsOfPHP/security-advisories/pull/332

        Gunnstein Lye made changes:
          Security: Security
        Gunnstein Lye made changes:
          Labels: security
        Gunnstein Lye made changes:
          Time Spent: 5 hours -> 7 hours
          Worklog Id: 68802
        Gunnstein Lye made changes:
          Description: prepended "Update: Fixed in v2018.09.1.2, v2018.06.1.3, v2017.12.4.2, v5.4.12.2, v5.3.12.5" (the steps to reproduce are unchanged from the description above)
        Gunnstein Lye made changes:
          Assignee: Gunnstein Lye (gunnstein.lye@ez.no)
          Status: Deploy -> Closed

        Transition                                         Time In Source Status   Execution Times   Last Executer       Last Execution Date
        Open -> Confirmed                                  33s                     1                 Konrad Oboza        04/Oct/18 10:13 AM
        Confirmed -> InputQ                                13s                     1                 Konrad Oboza        04/Oct/18 10:13 AM
        InputQ -> Development                              1h 14m                  1                 Konrad Oboza        04/Oct/18 11:28 AM
        Development -> Development Review                  11s                     1                 Konrad Oboza        04/Oct/18 11:28 AM
        Development Review -> Documentation Review done    2h 33m                  1                 Gunnstein Lye       04/Oct/18 2:01 PM
        Documentation Review done -> QA                    12d 18h 29m             1                 Michał Szołtysek    17/Oct/18 8:31 AM
        QA -> QA Done                                      2h 48m                  1                 Michał Szołtysek    17/Oct/18 11:19 AM
        QA Done -> Deploy                                  1h 58m                  1                 Gunnstein Lye       17/Oct/18 1:18 PM
        Deploy -> Closed                                   14d 23h 44m             1                 Gunnstein Lye       01/Nov/18 12:02 PM

          People

          • Assignee: Unassigned
          • Reporter: Konrad Oboza
          • Votes: 0
          • Watchers: 3

            Dates

            • Created:
            • Updated:
            • Resolved:

              Time Tracking

              • Estimated: Not Specified
              • Remaining: 0 minutes
              • Logged: 7 hours