BMO: Persistent XSS via links to outdated git.mozilla.org repositories

RESOLVED DUPLICATE of bug 1305713

Status

bugzilla.mozilla.org
Extensions: Other

People

(Reporter: Wladimir Palant, Unassigned)

Tracking

Production
Bug Flags:
sec-bounty -

Details

(Whiteboard: [reporter-external] [web-bounty-form] [verif?], URL)

(Reporter)

Description

a year ago
BMO comments rewrite links to BMO repositories on git.mozilla.org to point to GitHub instead:

  https://git.mozilla.org/?p=webtools/bmo/bugzilla.git;a=tree [github]

While the text stays unchanged here, the target of the link has been modified. This is implemented as a format hook in extensions/BMO/Extension.pm. Format hooks run before HTML entities are escaped in the text and are responsible for escaping their results themselves - this particular hook fails to do it. So the following link will run JavaScript code if you remove the space from it:

  https://git.mozilla.org/?p=webtools/bmo/bugzilla "><iframe/onload=alert(document.domain)>.git;a=tree

Without the space this link would display an alert saying "bugzilla.mozilla.org". You don't need to create a new bug in order to test this; entering the text into a comment and switching to the preview tab will already display the alert.
Flags: sec-bounty?
To git@git.mozilla.org/foobar.git
   1234..4321  master<iframe/onload=alert(document.domain)> -> master

https://git.mozilla.org/?p=webtools/bmo/bugzilla "><iframe/onload=alert(document.domain)>.git;a=tree
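
The failure mode described in the report, as an added example that is not part of the original report and not BMO's code: a simplified model of a comment pipeline in which hook output bypasses the later escaping pass, with an unescaped hook beside one that escapes what it emits. The regex, the `github.example` target, the placeholder scheme and all function names are assumptions made for illustration, and the sample comment is constructed with harmless markup.

```perl
use strict;
use warnings;

# Local escaper so the example is self-contained (hypothetical helper).
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Hypothetical pattern for the link shape in the report (not the BMO regex).
my $GIT_URL = qr{(https://git\.mozilla\.org/\?p=webtools/bmo/(\S+?)\.git;a=tree)};

# Hook as reported: matched text is placed into the markup unescaped.
sub hook_unsafe {
    my ($url, $repo) = @_;
    return qq{<a href="https://github.example/$repo">$url</a>};
}

# Hook that escapes every piece of matched text before emitting it.
sub hook_safe {
    my ($url, $repo) = map { escape_html($_) } @_;
    return qq{<a href="https://github.example/$repo">$url</a>};
}

# Model pipeline: park hook output behind a placeholder, escape the rest of
# the comment, then restore the hook output verbatim (it is never escaped).
sub render_comment {
    my ($text, $hook) = @_;
    my @parked;
    $text =~ s{$GIT_URL}{
        my ($url, $repo) = ($1, $2);
        push @parked, $hook->($url, $repo);
        "\0" . $#parked . "\0";
    }ge;
    $text = escape_html($text);
    $text =~ s/\0(\d+)\0/$parked[$1]/g;
    return $text;
}

# Constructed comment: harmless markup inside the repository name.
my $comment = q{see https://git.mozilla.org/?p=webtools/bmo/bugzilla"><i>injected</i>.git;a=tree <b>};
for my $case (['unsafe', \&hook_unsafe], ['safe', \&hook_safe]) {
    my $html = render_comment($comment, $case->[1]);
    printf "%s hook, raw <i> reaches the page: %s\n%s\n",
        $case->[0], ($html =~ /<i>/ ? 'yes' : 'no'), $html;
}
```

The trailing `<b>` in the sample sits outside the matched link and is escaped by the pipeline in both runs; only text routed through the hook depends on the hook's own escaping.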

Updated

a year ago
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1305713
Group: websites-security → bugzilla-security
Component: Other → Extensions: Other
Product: Websites → bugzilla.mozilla.org
Version: unspecified → Production
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → May not be a dupe wrt the bounty [reporter-external] [web-bounty-form] [verif?]
This is from the same cause as bug 1305713 and would have been fixed without this second report (re-reviewing the original code change that introduced the bug).
Whiteboard: May not be a dupe wrt the bounty [reporter-external] [web-bounty-form] [verif?] → [reporter-external] [web-bounty-form] [verif?]
Flags: sec-bounty? → sec-bounty-
(Reporter)

Comment 4

a year ago
Could this be made visible as well, with the issue fixed in bug 1305713?
Flags: needinfo?(dkl)
Done
Group: bugzilla-security
Flags: needinfo?(dkl)