Closed Bug 1254675 Opened 8 years ago Closed 8 years ago

bug_modal template fails to escape format parameter

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set
normal


RESOLVED FIXED

People

(Reporter: jwkbugzilla, Assigned: dkl)

Details

(Keywords: sec-low)

Attachments

(1 file)

The template extensions/BugModal/template/en/default/bug_modal/edit.html.tmpl contains the following line:

> [%~ '&format=' _ cgi.param("format") IF cgi.param("format") %]"

Note the query parameter "format" being inserted unescaped. The assumption seems to be that this parameter is safe. That's not really the case however, consider the following URL:

> https://bugzilla.mozilla.org/show_bug.cgi?id=490047&format=%22%3E%3Cmo%20dal=%22//1.2.3.4%22%3E

If you look at the this-bug element in the source code, the format parameter not only escaped the attribute, it inserted a tag <mo dal="//1.2.3.4"> into the page. The only reason why this doesn't seem to be exploitable: you cannot add any more letters, and building a malicious payload having only the letters "modal" at your disposal is hard.
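To show what the report describes, here is an added Python simulation of that template line (not Bugzilla's Perl/Template Toolkit code and not the patch from this bug). It decodes the format parameter from the proof-of-concept URL above, renders it once raw and once with attribute-context escaping, and checks whether the attribute boundary survived. The attribute name data-url and the surrounding markup are assumptions, since the page only quotes the one template line.

```python
import html
from urllib.parse import urlsplit, parse_qs

# The proof-of-concept URL quoted in the report (constructed sample input).
POC_URL = ("https://bugzilla.mozilla.org/show_bug.cgi?id=490047"
           "&format=%22%3E%3Cmo%20dal=%22//1.2.3.4%22%3E")


def format_param(url):
    """Return the decoded 'format' query parameter, as cgi.param("format") would."""
    return parse_qs(urlsplit(url).query).get("format", [None])[0]


def _render(fmt, escape):
    # Assumed markup: the reported line sits inside an attribute of the this-bug element.
    suffix = ""
    if fmt:
        suffix = "&format=" + (html.escape(fmt, quote=True) if escape else fmt)
    return '<div id="this-bug" data-url="show_bug.cgi?id=490047' + suffix + '">'


def render_unescaped(fmt):
    """Mimics the original template: the parameter is concatenated raw."""
    return _render(fmt, escape=False)


def render_escaped(fmt):
    """Hardened form: the equivalent of passing the value through TT's html filter."""
    return _render(fmt, escape=True)


def attribute_intact(rendered):
    """True when the output still contains exactly one tag, i.e. no injected markup."""
    return rendered.count("<") == 1 and rendered.count(">") == 1


if __name__ == "__main__":
    value = format_param(POC_URL)
    for name, fn in (("raw", render_unescaped), ("escaped", render_escaped)):
        out = fn(value)
        print(f"{name}: intact={attribute_intact(out)}  {out}")
```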
Assignee: nobody → dkl
Status: NEW → ASSIGNED
Attached patch 1254675_1.patchSplinter Review
Attachment #8728091 - Flags: review?(dylan)
Comment on attachment 8728091 [details] [diff] [review]
1254675_1.patch

Review of attachment 8728091 [details] [diff] [review]:
-----------------------------------------------------------------

r=dylan
Attachment #8728091 - Flags: review?(dylan) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   0b7cd97..ad2b169  master -> master
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Pushed
Group: bugzilla-security
Keywords: sec-low
