Closed
Bug 1259009
Opened 8 years ago
Closed 8 years ago
SQL Injection in https://bugzilla.mozilla.org/
Categories
(Websites :: Other, defect)
Websites
Other
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1259008
People
(Reporter: jamescat46, Unassigned)
References
()
Details
(Whiteboard: [reporter-external] [web-bounty-form] [verif?])
I found a SQL Injection in https://bugzilla.mozilla.org/ domain. To reproduce: https://bugzilla.mozilla.org/buglist.cgi?query_format=specific&order=relevance%20desc&bug_status=_open_&product=&content=%3E%3E/=1&comments=0 Enter in the website, and you can see the MYSQL error DBD::mysql::db selectcol_arrayref failed: syntax error, unexpected '>' [for Statement "SELECT bugs.bug_id AS bug_id, (MATCH(bugs_fulltext_0.short_desc) AGAINST('>>/=1' IN BOOLEAN MODE)) AS relevance FROM bugs LEFT JOIN bug_group_map AS security_map ON bugs.bug_id = security_map.bug_id AND NOT ( security_map.group_id IN (69) ) LEFT JOIN cc AS security_cc ON bugs.bug_id = security_cc.bug_id AND security_cc.who = 567004 LEFT JOIN bugs_fulltext AS bugs_fulltext_0 ON bugs.bug_id = bugs_fulltext_0.bug_id WHERE bugs.creation_ts IS NOT NULL AND (security_map.group_id IS NULL OR (bugs.reporter_accessible = 1 AND bugs.reporter = 567004) OR (bugs.cclist_accessible = 1 AND security_cc.who IS NOT NULL) OR bugs.assigned_to = 567004 OR bugs.qa_contact = 567004) AND MATCH(bugs_fulltext_0.short_desc) AGAINST('>>/=1' IN BOOLEAN MODE) GROUP BY bugs.bug_id ORDER BY relevance DESC LIMIT 500 "]
|
||
Updated•8 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
|
||
Updated•8 years ago
|
Group: websites-security
Flags: sec-bounty-
You need to log in
before you can comment on or make changes to this bug.
Description
•