Closed Bug 1305717 Opened 9 years ago Closed 9 years ago

BMO: Persistent XSS via links to outdated git.mozilla.org repositories

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Version: Production
Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 1305713

People

(Reporter: jwkbugzilla, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

BMO comments rewrite links to BMO repositories on git.mozilla.org to point to GitHub instead:

https://git.mozilla.org/?p=webtools/bmo/bugzilla.git;a=tree [github]

While the text stays unchanged here, the target of the link has been modified. This is implemented as a format hook in extensions/BMO/Extension.pm. Format hooks run before HTML entities are escaped in the text and are responsible for escaping their results themselves; this particular hook fails to do so. So the following link will run JavaScript code if you remove the space from it:

https://git.mozilla.org/?p=webtools/bmo/bugzilla "><iframe/onload=alert(document.domain)>.git;a=tree

Without the space, this link would display an alert saying "bugzilla.mozilla.org". You don't need to create a new bug in order to test this: entering the text into a comment and switching to the preview tab will already display the alert.
Flags: sec-bounty?
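The comment above describes an ordering problem rather than a missing filter: the comment text is escaped as a whole, but a format hook's output is spliced back in verbatim, so a hook that copies attacker-controlled text into HTML without escaping it produces stored XSS. The Python below is an added example (not code from the bug, from BMO or from the Bugzilla project) that models that ordering as Bugzilla's quoteUrls does it, with placeholders parked while the rest of the text is escaped, and shows a vulnerable hook beside a fixed one. The regex, the GitHub target URL and the function names are assumptions made for the example; the sample input is the reporter's payload with the protective space removed.

```python
import html
import re

# Constructed sample input: the reporter's payload with the space removed so it fires.
PAYLOAD = ('https://git.mozilla.org/?p=webtools/bmo/bugzilla'
           '"><iframe/onload=alert(document.domain)>.git;a=tree')
BENIGN = 'https://git.mozilla.org/?p=webtools/bmo/bugzilla.git;a=tree'

# Assumed rewrite rule (the real hook's regex and target are not on the page).
GITHUB_BASE = 'https://github.com/mozilla-bteam/'
GIT_LINK_RE = re.compile(
    r'https?://git\.mozilla\.org/\?p=webtools/bmo/(?P<repo>[^\s;]+)\.git(?:;a=\w+)?'
)


def rewrite_unescaped(m):
    """Vulnerable hook: drops the raw match into an href and a text node."""
    repo = m.group('repo')
    return f'<a href="{GITHUB_BASE}{repo}">{m.group(0)}</a>'


def rewrite_escaped(m):
    """Fixed hook: every attacker-controlled piece is escaped before it becomes HTML.

    quote=True also escapes the double quote, which is what breaks out of href."""
    repo = html.escape(m.group('repo'), quote=True)
    label = html.escape(m.group(0), quote=True)
    return f'<a href="{GITHUB_BASE}{repo}">{label}</a>'


def format_comment(text, hook):
    """Model of the quoteUrls pipeline:
    1. hooks run on the RAW comment text; their output is parked behind placeholders,
    2. the remaining text is HTML-escaped,
    3. placeholders are replaced with the parked hook output verbatim.
    Step 3 is why a hook is responsible for escaping its own result."""
    things = []

    def park(m):
        things.append(hook(m))
        return f'\uFDD2{len(things) - 1}\uFDD3'   # noncharacters, never in user text

    text = GIT_LINK_RE.sub(park, text)
    text = html.escape(text, quote=True)
    return re.sub('\uFDD2(\\d+)\uFDD3', lambda m: things[int(m.group(1))], text)


def is_injected(rendered):
    """True if a live <iframe tag reached the output, i.e. the payload executed."""
    return '<iframe' in rendered


if __name__ == '__main__':
    for name, hook in (('vulnerable', rewrite_unescaped), ('fixed', rewrite_escaped)):
        out = format_comment(PAYLOAD, hook)
        print(f'{name}: injected={is_injected(out)}\n  {out}')
```

Running the block with the vulnerable hook shows the `<iframe ... onload=...>` tag intact inside the rewritten link, while the fixed hook renders it as `&lt;iframe ...&gt;` in both the href and the link text; text outside a match is escaped either way, which is why the bug is only reachable through the hook's output.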
To git@git.mozilla.org/foobar.git 1234..4321 master<iframe/onload=alert(document.domain)> -> master https://git.mozilla.org/?p=webtools/bmo/bugzilla "><iframe/onload=alert(document.domain)>.git;a=tree
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Group: websites-security → bugzilla-security
Component: Other → Extensions: Other
Product: Websites → bugzilla.mozilla.org
Version: unspecified → Production
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → May not be a dupe wrt the bounty [reporter-external] [web-bounty-form] [verif?]
This is from the same cause as bug 1305713 and would have been fixed without this second report (re-reviewing the original code change that introduced the bug).
Whiteboard: May not be a dupe wrt the bounty [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form] [verif?]
Flags: sec-bounty? → sec-bounty-
Could this be made visible as well, with the issue fixed in bug 1305713?
Flags: needinfo?(dkl)
Done
Group: bugzilla-security
Flags: needinfo?(dkl)
Component: Extensions: Other → Extensions