Closed Bug 489109 Opened 15 years ago Closed 14 years ago

Junk data (javascript and SQL) in "event" dropdown

Categories

(support.mozilla.org :: Knowledge Base Software, task, P4)

Product:
support.mozilla.org
Component:
Knowledge Base Software
Type:
task

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: collin211932, Assigned: laura)

References

(
URL
)

Details

Attachments

(2 files, 1 obsolete file)

patch v1
3.53 KB, patch
laura
: review+
Details | Diff | Splinter Review
SQL to clean out sentinel watches
70 bytes, text/plain
jsocol
: review+
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
Build Identifier: n/a

When checking the "event" dropdown, I am greeted with a long list of javascript and SQL injections.


HTML readout:
http://yrikreirrh.pastebin.com/m320bb484

Screenshot:
http://collin1000.com/nastiesinsumo.png

Reproducible: Always

Steps to Reproduce:
1. log in to sumo
2. go to https://support.mozilla.com/tiki-user_watches.php
3. click on event dropdown
4. scroll to bottom of list
Actual Results:  
I see the injections.

Expected Results:  
Not had those...

n/a
All these items seem to be properly escaped, so there doesn't seem to be SQL or script injection here.  Users shouldn't be able to insert junk events in watches, however.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: javascript and SQL injections in "event" dropdown → Junk data (javascript and SQL) in "event" dropdown
Is this not the same as bug 480458? Looks like bug 480458, comment #5 was never run on production? I'll check on it, and if it hasn't, I'll run it.
Reed: it hasn't been; thanks in advance for running it!
(In reply to comment #3)
> Reed: it hasn't been; thanks in advance for running it!

I ran it on staging and production... it didn't change anything.
Hrm; I guess bug 480458 was left to be just about the code, then.  Eric, mind fixing the SQL here?
Component: Forum → Knowledge Base Software
OS: Windows Vista → All
QA Contact: forum → kb-software
Hardware: Other → All
(In reply to comment #5)
> Hrm; I guess bug 480458 was left to be just about the code, then.  Eric, mind
> fixing the SQL here?

The SQL from bug 480458 cleaned the table for injections from that bug. If the junk is still there, it's from a different vector.

Could we get the output of this (from staging) attached to the bug?

SELECT * FROM tiki_user_watches where event NOT IN('forum_post_thread', 'forum_post_topic', 'wiki_page_changed', 'new_in_category', 'category_changed_in_lang', 'wiki_page_in_lang_created', 'wiki_page_created', 'category_changed', 'forum_post_and_thread')

Or you can just use a select and group by, but this will let us see trends in the junk data and if it was inserted multiple times.
(In reply to comment #6)
> Could we get the output of this (from staging) attached to the bug?
....
mysql> SELECT * FROM tiki_user_watches where event NOT IN('forum_post_thread',
    -> 'forum_post_topic', 'wiki_page_changed', 'new_in_category',
    -> 'category_changed_in_lang', 'wiki_page_in_lang_created', 'wiki_page_created',
    -> 'category_changed', 'forum_post_and_thread')
    -> ;
Empty set (0.00 sec)

Pretty sure we truncate the tiki_user_watches table every time we sync prod to staging. I ran it on prod as well, and it returned 9071 rows.
(In reply to comment #7)
> (In reply to comment #6)
> > Could we get the output of this (from staging) attached to the bug?
> ....
> mysql> SELECT * FROM tiki_user_watches where event NOT IN('forum_post_thread',
>     -> 'forum_post_topic', 'wiki_page_changed', 'new_in_category',
>     -> 'category_changed_in_lang', 'wiki_page_in_lang_created',
> 'wiki_page_created',
>     -> 'category_changed', 'forum_post_and_thread')
>     -> ;
> Empty set (0.00 sec)
> 
> Pretty sure we truncate the tiki_user_watches table every time we sync prod to
> staging. I ran it on prod as well, and it returned 9071 rows.

Duh. I forgot we were doing that. I just didn't want to run the SQL on prod.

Any chance you could attach the output to the bug (or just send it to me)? It's needed to figure out where this stuff is coming from. 

9K does seems like a lot, though.
(In reply to comment #8)
> Duh. I forgot we were doing that. I just didn't want to run the SQL on prod.

We have extremely beefy database servers. Running that query wasn't even a drop in the bucket for the slave server I ran it on (it took 0.08 sec). :)

> Any chance you could attach the output to the bug (or just send it to me)? It's
> needed to figure out where this stuff is coming from.

It's 2.1MB, so I'll e-mail it to you at your @mozilla.com account.
Attached patch patch v1Splinter Review 
This restricts what sort of watches can be assigned on webroot/tiki-index.php and webroot/tiki-view_forum_thread.php. It should stop user inputed data while retaining intended functionality.

Most of tiki reuses code via ctrl+c and ctrl+p, so it's likely that similar vectors exist. This patch closes the vectors used to enter the junk data outputed via comment 6.

STR
https://support-stage.mozilla.org/en-US/kb/Installing+Firefox?watch_event=whscheck()&watch_object=whscheck()&watch_action=add

https://support-stage.mozilla.org/tiki-view_forum_thread.php?locale=en-US&forumId=1&comments_parentId=311641&watch_event=whscheck()&watch_object=whscheck()&watch_action=add

Just for the sake of familiarity, whscheck() was used to signify affected inputs.
Assignee: nobody → smirkingsisyphus
Attachment #373680 - Flags: review?(laura)
Attached file sql to clean `tiki_user_watches` v1 (obsolete) — 
This should clean out the junk event column data. Realistically, we could probably just delete all the watches associated to that user.

Limit of 9070 since one of the returned rows from comment 6 was legit and showed up due to a typo ('forum_post_and_thread' should have been 'forum_post_topic_and_thread'). Please look over this carefully.
Attachment #373693 - Flags: review?(laura)
Attachment #373693 - Flags: review?(reed)
If you just want to remove all the watches for sentinel@whitehatsec.com, that's fine... it's just sentinel's account, so it's not a real user.
(In reply to comment #12)
> If you just want to remove all the watches for sentinel@whitehatsec.com, that's
> fine... it's just sentinel's account, so it's not a real user.


Its showing up in my account too, and that is not my account. :S
Attachment #373693 - Flags: review?(laura) → review+
Attachment #373680 - Flags: review?(laura) → review+
Target Milestone: --- → 1.2.1
Status please?
I was tangled up with p10n, moving to 1.3.

The SQL should be adjusted to comment 12.
Target Milestone: 1.2.1 → 1.3
Target Milestone: 1.3 → 1.5
Assignee: smirkingsisyphus → nobody
Priority: -- → P4
Moving to 1.5.1 to keep on the radar, didn't make 1.5.
Target Milestone: 1.5 → 1.5.1
Assignee: nobody → laura

        Attachment #373693 -
        Attachment is obsolete: true

        Attachment #421078 -
        Flags: review?(james)

        Attachment #373693 -
        Flags: review?(reed)

    
    

    
  
Comment on attachment 421078 [details]
SQL to clean out sentinel watches

SELECT COUNT(*) FROM tiki_user_watches WHERE user='sentinel@whitehatsec.com';

Before:
15775

After:
0

        Attachment #421078 -
        Flags: review?(james) → review+

    
    

    
  
This now just needs to be run in the maintenance window.  Leaving open until we have a push bug.

    
    

    
  
This was done in bug 546712.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

    
    

    
  
Verified FIXED; https://support.mozilla.com/tiki-user_watches.php is fine now.
Status: RESOLVED → VERIFIED

    
  
Group: websites-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: