Uploaded image for project: 'eZ Publish / Platform'
  1. eZ Publish / Platform
  2. EZP-29699

XSS vulnerability in 'disabled module' error template

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: High High
    • Resolution: Fixed
    • Affects Version/s: 5.3.12, 5.4.12
    • Fix Version/s: Customer request
    • Labels:
    • Environment:

      Mozilla FF (tested on the current latest version 62.0.2 but Customer observed it also on IE 11.0.9600.19100 and Firefox 52.8.0). Chrome and Safari are not affected.

      Description

      Update: Fixed in v2018.09.1.2, v2018.06.1.3, v2017.12.4.2, v5.4.12.2, v5.3.12.5

      Customer observed an issue, where JS code is run from the proper formatted URL e.g. http://mysite.com/%3Cimg%20src=0%20onError=alert(document.cookie)%3E.

      Steps to reproduce:
      1. Edit [SiteAccessRules] section located in ezpublish_legacy/settings/site.ini and enable following lines:

      [SiteAccessRules]
      Rules[]
      Rules[]=access;disable
      Rules[]=moduleall
      

      2. Clear all the caches.
      3. Visit your site URL and add suffix like: <img src="" onError=alert(document.cookie)>.
      4. See that JS alert window is shown.

        Activity

        Konrad Oboza created issue -
        Konrad Oboza made changes -
        Field Original Value New Value
        Status Open [ 1 ] Confirmed [ 10037 ]
        Konrad Oboza made changes -
        Status Confirmed [ 10037 ] InputQ [ 10001 ]
        Konrad Oboza made changes -
        Link This issue relates to CS-7027 [ CS-7027 ]
        Konrad Oboza made changes -
        Status InputQ [ 10001 ] Development [ 3 ]
        Assignee Konrad Oboza [ konrad.oboza@ez.no ]
        Konrad Oboza made changes -
        Status Development [ 3 ] Development Review [ 10006 ]
        Gunnstein Lye made changes -
        Status Development Review [ 10006 ] Documentation Review done [ 10011 ]
        Affects Version/s 5.3.12 [ 14639 ]
        Assignee Konrad Oboza [ konrad.oboza@ez.no ]
        Gunnstein Lye made changes -
        Remaining Estimate 0 minutes [ 0 ]
        Time Spent 1 hour [ 3600 ]
        Worklog Id 68713 [ 68713 ]
        Michał Szołtysek made changes -
        Assignee Michał Szołtysek [ michal.szoltysek@ez.no ]
        Michał Szołtysek made changes -
        Status Documentation Review done [ 10011 ] QA [ 10008 ]
        Michał Szołtysek made changes -
        Status QA [ 10008 ] QA Done [ 10007 ]
        Assignee Michał Szołtysek [ michal.szoltysek@ez.no ]
        Gunnstein Lye made changes -
        Status QA Done [ 10007 ] Deploy [ 10009 ]
        Assignee Gunnstein Lye [ gunnstein.lye@ez.no ]
        Resolution Fixed [ 1 ]
        Gunnstein Lye made changes -
        Time Spent 1 hour [ 3600 ] 3 hours [ 10800 ]
        Worklog Id 68747 [ 68747 ]
        Gunnstein Lye made changes -
        Time Spent 3 hours [ 10800 ] 5 hours [ 18000 ]
        Worklog Id 68800 [ 68800 ]
        Gunnstein Lye made changes -
        Security Security [ 10101 ]
        Gunnstein Lye made changes -
        Labels security
        Gunnstein Lye made changes -
        Time Spent 5 hours [ 18000 ] 7 hours [ 25200 ]
        Worklog Id 68802 [ 68802 ]
        Gunnstein Lye made changes -
        Description Customer observed an issue, where JS code is run from the proper formatted URL e.g. http://mysite.com/%3Cimg%20src=0%20onError=alert(document.cookie)%3E.

        *Steps to reproduce:*
        1. Edit *[SiteAccessRules]* section located in {{ezpublish_legacy/settings/site.ini}} and enable following lines:
        {code}
        [SiteAccessRules]
        Rules[]
        Rules[]=access;disable
        Rules[]=moduleall
        {code}
        2. Clear all the caches.
        3. Visit your site URL and add suffix like: {{<img src="" onError=alert(document.cookie)>}}.
        4. See that JS alert window is shown.
        Update: Fixed in v2018.09.1.2, v2018.06.1.3, v2017.12.4.2, v5.4.12.2, v5.3.12.5

        Customer observed an issue, where JS code is run from the proper formatted URL e.g. http://mysite.com/%3Cimg%20src=0%20onError=alert(document.cookie)%3E.

        *Steps to reproduce:*
        1. Edit *[SiteAccessRules]* section located in {{ezpublish_legacy/settings/site.ini}} and enable following lines:
        {code}
        [SiteAccessRules]
        Rules[]
        Rules[]=access;disable
        Rules[]=moduleall
        {code}
        2. Clear all the caches.
        3. Visit your site URL and add suffix like: {{<img src="" onError=alert(document.cookie)>}}.
        4. See that JS alert window is shown.
        Gunnstein Lye made changes -
        Assignee Gunnstein Lye [ gunnstein.lye@ez.no ]
        Status Deploy [ 10009 ] Closed [ 6 ]

          People

          • Assignee:
            Unassigned
            Reporter:
            Konrad Oboza
          • Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Time Tracking

              Estimated:
              Original Estimate - Not Specified
              Not Specified
              Remaining:
              Remaining Estimate - 0 minutes
              0m
              Logged:
              Time Spent - 7 hours
              7h