XSS in error message display function (problem-not-found)

Bug #2046565 reported by Tom Reynolds
Affects: Errors | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned

Bug Description

https://errors.ubuntu.com/?problem-not-found=%3Ciframe%20src=javascript:alert(0)%3E%3C/iframe%3E

This deployment of the error tracker also lacks security headers such as CSP, and imports Yahoo APIs via plain HTTP.

(Also, TLSv1.0 and v1.1 and many of the currently supported TLSv1.2 cipher suites ought to be disabled on any production sites nowadays.)


Tom Reynolds (tomreyn)
description: updated
description: updated
Tom Reynolds (tomreyn)
information type: Private Security → Private
information type: Private → Private Security
Alex Murray (alexmurray) wrote :

Regarding the XSS, I had a brief look and I wonder if the following (completely untested) might work to fix this - @bdmurray, is there a staging environment for errors.ubuntu.com where we could try and test this?

=== modified file 'errors/templates/main.html'
--- old/errors/templates/main.html 2023-11-20 23:51:36 +0000
+++ new/errors/templates/main.html 2024-04-11 21:20:56 +0000
@@ -56,7 +56,7 @@
                 msg = 'That bug does not have a matching crash signature in ' +
                       'this database yet.';
             } else if (qs['problem-not-found'] != undefined) {
- msg = 'The problem \'' + qs['problem-not-found'] +
+ msg = 'The problem \'' + qs['problem-not-found'].replace(/[^a-fA-F0-9]/gim,'') +
                       '\' could not be found.';
             }
             if (msg != '') {
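Review bot: the allowlist in the `+ msg = ...` line is the change that actually stops the injection, because `qs['problem-not-found']` is the browser-decoded value and anything that is not a hex digit is dropped before it is concatenated into `msg`; if `msg` is later written with innerHTML, this is what keeps markup out of the page. Two small points: the `i` flag is redundant with `a-fA-F` and the `m` flag has no effect on a regex without anchors, so `/[^a-fA-F0-9]/g` is enough, and a one-line comment stating that bucket ids are hex hashes (which is why stripping, rather than escaping, loses nothing) would make the intent clear to the next reader.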

=== modified file 'errors/views.py'
--- old/errors/views.py 2022-03-15 16:24:57 +0000
+++ new/errors/views.py 2024-04-11 21:16:05 +0000
@@ -32,7 +32,7 @@
         return HttpResponseRedirect('/')

     if not cassie.bucket_exists(bucketid):
- return HttpResponseRedirect('/?problem-not-found=' + bucketid)
+ return HttpResponseRedirect('/?problem-not-found=' + quote(bucketid))

     traceback = cassie.get_traceback_for_bucket(bucketid)
     metadata = cassie.get_metadata_for_bucket(bucketid)
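Review bot: `quote()` is introduced here but no import is added in this hunk, so unless `from urllib.parse import quote` already exists in views.py the redirect will raise NameError. Also worth stating in the commit message what this change does and does not do: percent-encoding keeps the redirect URL well-formed and stops the value from injecting extra query parameters, but the browser decodes it again before main.html reads `qs['problem-not-found']`, so on its own it does not prevent the XSS; the template change is the real fix. A stricter server-side alternative is to validate `bucketid` as a hex string before building the redirect, and redirect without the parameter when it is not, so an untrusted value never reaches the URL at all.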
@@ -151,5 +151,5 @@
     else:
         bucketid = None
     if not bucketid:
- return HttpResponseRedirect('/?problem-not-found=' + hashed)
+ return HttpResponseRedirect('/?problem-not-found=' + quote(hashed))
     return bucket(request, bucketid, hashed)
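Review bot: same import caveat as the previous hunk (`quote` must be imported for this line to run). This is the second place that builds `'/?problem-not-found=' + quote(...)`; factoring it into one small helper would keep the encoding (or a future hex validation) consistent, so a later edit to one redirect cannot silently leave the other unencoded.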

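To make the split between the two parts of the patch concrete, here is an added example (not the error tracker's own code) that reproduces the client-side message construction before and after the hex allowlist, and shows why the server-side `quote()` alone does not remove the markup: the browser decodes the query parameter before `main.html` reads it. The bucket id below is a constructed sample, and `encodeURIComponent` stands in for Python's `quote()`.

```javascript
// Added example, not code from errors.ubuntu.com. Bucket ids are hex hashes,
// so dropping every non-hex character cannot damage a legitimate id.

// Value from the report URL above, as the browser would see it after decoding.
const REPORTED_PAYLOAD = '<iframe src=javascript:alert(0)></iframe>';
// Constructed sample of a legitimate hex bucket id (not a real bucket).
const SAMPLE_BUCKET_ID = 'deadbeef0123456789abcdef';

// Hex-only allowlist, equivalent to the patch's .replace(/[^a-fA-F0-9]/gim, '').
function sanitizeBucketId(value) {
  return value.replace(/[^a-fA-F0-9]/g, '');
}

// Vulnerable form: the raw query-string value is concatenated into msg, so if
// msg is written with innerHTML the embedded markup is interpreted.
function buildMessageUnsafe(qs) {
  return "The problem '" + qs['problem-not-found'] + "' could not be found.";
}

// Hardened form from the patch: only hex digits survive.
function buildMessageSafe(qs) {
  return "The problem '" + sanitizeBucketId(qs['problem-not-found']) +
         "' could not be found.";
}

// Simulates the views.py redirect: percent-encode the id into the URL
// (encodeURIComponent approximates Python's urllib.parse.quote here).
function redirectLocation(bucketid) {
  return '/?problem-not-found=' + encodeURIComponent(bucketid);
}

// Parses the query string the way main.html's qs lookup sees it: the browser
// percent-decodes each parameter, so server-side encoding is undone here.
function parseQuery(location) {
  const search = location.slice(location.indexOf('?'));
  return Object.fromEntries(new URLSearchParams(search));
}

// True if a rendered message still carries tag delimiters.
function containsMarkup(message) {
  return /[<>]/.test(message);
}
```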
Tom Reynolds (tomreyn)
information type: Private Security → Public Security
Tom Reynolds (tomreyn) wrote :

It's been ~ 9 months. I can't rule out that other organizations run separate instances of this software and thus need to know about its vulnerabilities, so I'm making this public.
Thanks for the suggested patch, ~alexmurray.

Skia (hyask) wrote :

We just deployed the suggested patch on production. Thanks for reporting the bug.

Just for you to know, I'm slowly taking over some knowledge on the error tracker, and things might be moving a bit in the coming months (like converting to git, etc.)

Changed in errors:
status: New → Fix Released
Skia (hyask) wrote :

I've opened a follow-up bug for the rest of the security improvements that could be done: bug 2076665.

Tom Reynolds (tomreyn) wrote :

Thanks for your efforts, Skia (and Alex). I'm glad to see this fixed.
