Closed
Bug 38852
Opened 24 years ago
Closed 23 years ago
[meta] untrusted content being sent or echoed to bugzilla users
Categories
(Bugzilla :: Bugzilla-General, defect, P3)
RESOLVED
FIXED
Bugzilla 2.14
People
(Reporter: jruderman, Assigned: tara)
Details
(Keywords: meta, Whiteboard: security)
This will be the meta bug for security issues that arise from Bugzilla allowing untrusted content to come from bugzilla.mozilla.org. See http://www.cert.org/advisories/CA-2000-02.html for information on the general problem. Incidentally, Slashdot reported today that there is a worm floating around that exploits this problem on web-based e-mail sites that show .html attachments as text/html. http://slashdot.org/article.pl?sid=00/05/10/1541244&mode=thread
Reporter
Comment 1•24 years ago
adding some dependencies
Comment 2•24 years ago
What about http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan ? Is this the same as bug #26257?
Comment 4•24 years ago
Bumping severity up to critical. tara, please fix this bug (including all dependent bugs) ASAP. This bug is an ideal way to exploit Mozilla's security holes.
Severity: normal → critical
Comment 7•24 years ago
cyeh: ??
Updated•24 years ago
Summary: [meta] bugzila security: issues with untrusted content → [meta] bugzilla security: issues with untrusted content
Whiteboard: security
Reporter
Updated•23 years ago
No longer depends on: 21253
Summary: [meta] bugzilla security: issues with untrusted content → [meta] untrusted content being sent or echoed to bugzilla users
Comment 9•23 years ago
Jesse, I just re-added bug #21253 because I thought it was accidentally removed due to the midair dependency bug, but someone pointed out that this might not be the case ... if so, just remove it again. It's probably good practice to add a comment if you remove a dep someone else added.
Comment 10•23 years ago
Every remaining bug being tracked here is targeted at 2.14, so this should, too.
Target Milestone: --- → Bugzilla 2.14
Reporter
Comment 11•23 years ago
Note that some of these bugs might allow an attacker to view Netscape-confidential bugs. See my comments in bug 66091.
Comment 12•23 years ago
Should this also depend on bug #95235?
Comment 13•23 years ago
Since all dependencies are resolved, the tracking bug is resolved.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 14•23 years ago
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa