Open Bug 1106652 Opened 10 years ago Updated 10 years ago

Content spoofing: component, product and resolution parameters may contain arbitrary strings in buglist.cgi

Categories

Product: Bugzilla
Component: Query/Bug List
Type: defect
Version: 4.2.11
Priority: Not set
Severity: minor


People

(Reporter: ddkilzer, Unassigned)

Details

Summary: Content spoofing: component, product and resolution fields may contain arbitrary strings in buglist.cgi → Content spoofing: component, product and resolution parameters may contain arbitrary strings in buglist.cgi

Not a security bug, IMO. We intentionally display search criteria. Not doing so would be a regression. You can hardly abuse a user: no linkification, no way to inject HTML code.

Suggesting WONTFIX.

Severity: normal → minor
OS: Linux → All
Hardware: x86 → All

Why wouldn't you want to check that component, product and resolution are at least valid values before displaying the page?

(In reply to David D. Kilzer (ddk) from comment #2)
> Why wouldn't you want to check that component, product and resolution are at
> least valid values before displaying the page?

Because they can be any arbitrary string. You have operators such as "matches regexp" or "contains any of the following words" which allow you to type any arbitrary string.

Group: bugzilla-security