Closed Bug 1195598 Opened 5 years ago Closed 5 years ago

backport bug 1033068 to bmo (The "unknown_action" error message could confuse the user)


( :: General, defect, minor)

Not set





(Reporter: 1110vijaykumar, Assigned: glob)


(Keywords: sec-low, Whiteboard: fixed upstream in bug 1033068)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150630154324

Steps to reproduce:

Bug type: Command injection (text-based injection)
OWASP Link :
Bug Description: The Action parameter is open to user input, and you can trick any user into following the instructions because it appears on a verified Mozilla website.

POC Link :,%20go%20to%20the%20mozilla%20security%20portal%20

Actual results:

I am able to inject any text on bugzilla through URL.

Expected results:

Error output should only be provided from the server side. The user's text should not be provided as output. In order to prevent this, you can either set a default error message like 404 or provide your own error message.
This bug has already been fixed upstream since Bugzilla 4.4. You cannot inject any command such as HTML code or script.
Group: bugzilla-security
Severity: normal → minor
Closed: 5 years ago
Resolution: --- → DUPLICATE
Summary: Command Injection in Bugzilla → Text Injection in Bugzilla
Duplicate of bug: 1033068
Hi Team,

The link provided by me is completely different from the mentioned duplicate report.
Link :[Text Injection]
This one is currently working. It's in the Attachment error with the Action parameter.
But the link which you have provided as the duplicate is:
Link :[Text injection]
This one looks fixed to me. This is in parameter a with the token cgi, which is completely different.

So both are in different parameters, and the link which I have provided is a completely different URL with a different parameter included in it.

Kindly re-check again for moderation and let me know if you need more info regarding this.

Best Regards !
Vijay Kumar
Resolution: DUPLICATE → ---
Group: bugzilla-security
This is, indeed, the same issue as bug 1033068, as can be seen by trying your example against a server that contains the upstream fix. In that bug you can see that the patch was a fix to the global error handling page and not specific to the parameter being used.

Converting this bug to one requesting that the fix be applied to BMO (otherwise, if we want to wait until we upgrade to 4.4, then this is a dupe).
Ever confirmed: true
Flags: sec-bounty?
Keywords: sec-low
Summary: Text Injection in Bugzilla → Import the bug 1033068 spoofing fix from upstream
Whiteboard: fixed upstream in bug 1033068
Assignee: nobody → glob
Summary: Import the bug 1033068 spoofing fix from upstream → backport bug 1033068 to bmo (The "unknown_action" error message could confuse the user)
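The comments above describe the core of the issue: the error handler took the user-supplied action value and rendered it into the error text, so an attacker-chosen sentence appeared on a trusted domain. The example below is added here to illustrate the reflecting pattern beside the generic-message pattern that the upstream fix corresponds to; it is not Bugzilla's code, and the action names, function names (handle_attachment, error_page_generic) and the sample injected value are constructed for the demonstration.

```python
"""Reflecting vs. generic error messages for an unknown request parameter.

Added example, not Bugzilla's code. KNOWN_ACTIONS, the handler names and the
sample values are constructed for illustration."""

import html
import logging

log = logging.getLogger("attachment")

# Constructed: the actions a hypothetical attachment endpoint accepts.
KNOWN_ACTIONS = frozenset({"view", "edit", "update", "delete"})


def error_page_reflecting(action: str) -> str:
    """Vulnerable pattern: the error text is built from the user-supplied value.

    HTML escaping stops script injection, but the attacker-chosen sentence is
    still shown verbatim on a trusted site, which is the text-injection /
    spoofing problem discussed in this bug."""
    return f"<p>Error: unknown action '{html.escape(action)}'.</p>"


def error_page_generic(action: str) -> str:
    """Hardened pattern: the response carries only a fixed, server-authored message.

    The raw value is kept for debugging in the server log, where it cannot be
    used to put words in front of another user."""
    log.warning("unknown attachment action requested: %r", action)
    return "<p>Error: the requested action is not recognized.</p>"


def handle_attachment(action: str, hardened: bool = True) -> str:
    """Dispatch on a validated action; anything else goes to the error page."""
    if action in KNOWN_ACTIONS:
        return f"<p>Performing {action}.</p>"
    return error_page_generic(action) if hardened else error_page_reflecting(action)


# Constructed sample: an 'action' value carrying a message meant for the victim.
INJECTED = "expired, go to the example security portal"

if __name__ == "__main__":
    print(handle_attachment("view"))
    print(handle_attachment(INJECTED, hardened=False))  # attacker text appears
    print(handle_attachment(INJECTED))                  # generic message only
```

The check that matters for this class of bug is the second one: with the hardened handler, no part of the untrusted value reaches the rendered page, regardless of escaping.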
To ssh://
   8dd0fac..c8869c1  master -> master
Closed: 5 years ago
Resolution: --- → FIXED
Group: bugzilla-security
Flags: sec-bounty? → sec-bounty-