Closed
Bug 1111862
Opened 11 years ago
Closed 11 years ago
HTML code injection in review history page
Categories
(bugzilla.mozilla.org :: Extensions, defect)
RESOLVED FIXED
People
(Reporter: xidorn, Assigned: dylan)
Details
(Keywords: sec-high)
Attachments
(1 file)
1.15 KB, patch, glob: review+
In the review history page, arbitrary HTML code can be injected via at least the "Attachment" column.
Comment 1•11 years ago
from irc:
09:47 < xidorn> plz see https://bugzilla.mozilla.org/page.cgi?id=review_history.html&requestee=roc%40ocallahan.org
09:47 < xidorn> and search "part 12", you can see an input box there
Flags: sec-bounty?
Keywords: sec-high
Updated•11 years ago
Component: User Interface → Extensions: Review
Updated•11 years ago
Assignee: nobody → dylan
Comment 2•11 years ago
Ugh. allowHTML should never have been set on the attachment description. Earlier prototypes had clickable action columns, but as we're not actually using that I've disabled HTML in those rows as well.
Attachment #8536886 -
Flags: review?(glob)
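As an added illustration of what comment 2 describes (this is example code, not the Bugzilla patch or the project's own table code): a column config whose allowHTML flag decides whether the attachment description is inserted as raw markup or as escaped text, plus a check that refuses allowHTML on columns fed from user-controlled fields. The column keys and the user-controlled set are assumptions.

```javascript
// Added example, not Bugzilla code: minimal cell renderer driven by a column
// config with an "allowHTML" flag. Attachment descriptions are written by bug
// reporters, so a column that renders them with allowHTML: true puts
// reporter-supplied markup into the page; rendering as escaped text does not.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHTML(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render one cell. With allowHTML the value is inserted verbatim (the bug);
// without it the value is escaped first (the fix for the attachment column
// and the unused action columns).
function renderCell(column, value) {
  const inner = column.allowHTML ? String(value) : escapeHTML(value);
  return `<td>${inner}</td>`;
}

// Constructed description in the spirit of the report: text that carries an
// <input> element, which a browser would render as a form control.
const DESCRIPTION = 'part 12: fix layout <input name="x">';

// Column config before the fix (assumed key name) and after it.
const vulnerableColumn = { key: "attachment", allowHTML: true };
const fixedColumn = { key: "attachment", allowHTML: false };

// Reviewer-side check over a column config: return the keys of columns that
// have allowHTML set although their data is user-controlled. The set of
// user-controlled keys is supplied by the caller (an assumption here).
function unsafeColumns(columns, userControlledKeys) {
  return columns
    .filter((c) => c.allowHTML && userControlledKeys.has(c.key))
    .map((c) => c.key);
}
```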
Comment on attachment 8536886 [details] [diff] [review]
bug-1111862-v1.patch
Review of attachment 8536886 [details] [diff] [review]:
-----------------------------------------------------------------
r=glob
Attachment #8536886 -
Flags: review?(glob) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
812af03..fc43974 master -> master
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 5•11 years ago
I don't think I'm eligible for the bounty, since I'm an employee of Mozilla.
Comment 6•11 years ago
(In reply to Xidorn Quan [:xidorn] (UTC+11) from comment #5)
> I don't think I'm eligible for the bounty, since I'm an employee of Mozilla.
Nevertheless, thank you for your report!
Gerv
Updated•11 years ago
Flags: sec-bounty?
Updated•6 years ago
Component: Extensions: Review → Extensions