Add user functionality contains HTML injection vulnerability
Categories
(Bugzilla :: Bugzilla-General, defect)
People
(Reporter: sheetaldgreat, Unassigned)
Details
Attachments (1 file): 69.85 KB, image/jpeg
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Steps to reproduce:
Log in to Bugzilla with a valid admin user name and password.
Go to Administration --> Users --> Add a new user.
Enter 'test' in login name, 'test' in real name, 'test@123' in password. Make it an admin user.
Enter <h1>Hacked</h1> in the Disable text field and click on the add button.
Now, log in to Bugzilla as the test user.
Actual results:
A message appeared on the screen that said "Hacked. If you believe your account should be restored, please send email to explaining why".
Expected results:
Normal login functionality should work.
Comment 1 • 3 years ago
This is intentional behavior. If the "Disable text" field has anything in it, this causes the user to be locked out. It allows HTML input because it allows the administrator to include links or other formatting in the message displayed to the user to inform them that they've been locked out, and the administrator is considered trusted when entering HTML since they could do far worse simply by having admin access to the Bugzilla instance.
I will leave this bug report hidden for a couple days to give you the opportunity to convince me otherwise if you have other evidence.
Comment 2 • 3 years ago
It's been just shy of a week with no additional updates, so I'm going to go ahead and remove the security flag.