Closed
Bug 235265
Opened 19 years ago
Closed 19 years ago
Url-parameter XSS vulnerability in edit*.cgi
Categories: Bugzilla :: Administration, task
Status: RESOLVED FIXED
Target Milestone: Bugzilla 2.16
People: Reporter: jouni, Assigned: jouni
Whiteboard: [fixed in 2.16.6] [fixed in 2.18rc1]
Attachments (1 file): patch, 2.90 KB; justdave: review+; kiko: review+
This is a minor one, but still: if you manage to get a Bugzilla administrator to click a URL like http://bugzilla.mozilla.org/editmilestones.cgi?product=foo&milestone=bar&action=baz&hack=%3Cscript%3Ealert('hax0red')%3C/script%3E, the JavaScript is run in Bugzilla's security context, potentially leaking cookies and so on.
Comment 1•19 years ago
Yippee. That's rather stupid. :)
editcomponents.cgi:860: print "$_: $::FORM{$_}<BR>\n";
editgroups.cgi:646: print "$_: $::FORM{$_}<BR>\n";
editmilestones.cgi:573: print "$_: $::FORM{$_}<BR>\n";
editproducts.cgi:1516: print "$_: $::FORM{$_}<BR>\n";
editusers.cgi:873: print "$_: $::FORM{$_}<BR>\n";
editversions.cgi:548: print "$_: $::FORM{$_}<BR>\n";
Updated•19 years ago
Summary: Url-parameter XSS vulnerability in editmilestones.cgi and editversions.cgi → Url-parameter XSS vulnerability in edit*.cgi
Comment 2•19 years ago
Suggested fix: since the "I have no clue what you want" is based on the action param, only dump the action param, and not the entire param list. (And escape it, too.)
Comment 3•19 years ago (Assignee)
I might even go further and remove the parameter printing totally. Who would ever benefit even from printing out the action param? Duh.
Comment 4•19 years ago
Yeah, I agree. Get rid of all of them.
Blocks: 206037
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1]
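As an added illustration (not Bugzilla's code and not the attached patch), the verbatim parameter dump quoted in comment 1 beside the narrowed, escaped output suggested in comment 2; the %FORM values, the `html_quote` stand-in and the two subroutine names are constructed here so the script runs on its own.

```perl
#!/usr/bin/perl -w
# Added illustration, not Bugzilla code: the "unknown action" dump from
# comment 1 next to the narrowed, escaped variant from comment 2.
use strict;

# Stand-in for the HTML escaping helper a CGI must apply to any request
# data it echoes (Bugzilla ships its own html_quote; this one is written
# here only so the example is self-contained).
sub html_quote {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Original behaviour: every form parameter is printed verbatim, so a
# value containing markup is interpreted by the admin's browser.
sub dump_all_params {
    my ($form) = @_;
    my $out = '';
    foreach (sort keys %$form) {
        $out .= "$_: $form->{$_}<BR>\n";
    }
    return $out;
}

# Narrowed variant from comment 2: only the parameter the script branched
# on is reported, and it is escaped first. The committed fix went further
# and removed the dump altogether, which is the simplest safe option.
sub report_unknown_action {
    my ($form) = @_;
    my $action = defined $form->{action} ? $form->{action} : '';
    return "Unknown action: " . html_quote($action) . "<BR>\n";
}

# Constructed request mirroring the URL in the bug description.
my %FORM = (
    product   => 'foo',
    milestone => 'bar',
    action    => 'baz',
    hack      => "<script>alert('hax0red')</script>",
);

print "--- verbatim dump (vulnerable) ---\n", dump_all_params(\%FORM);
print "--- action only, escaped ---\n", report_unknown_action(\%FORM);
```

Running it shows the first block emitting the raw `<script>` tag while the second never echoes the `hack` parameter at all and entity-encodes whatever is in `action`.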
Comment 6•19 years ago (Assignee)
Duh.
Updated•19 years ago (Assignee)
Attachment #142351 - Flags: review?(justdave)
Comment 7•19 years ago (Assignee)
The patch fails for those admin files that have their loops already removed (see bug 235222 patch v3). That's probably not relevant, since the bitrot is only about removing some lines that have already been removed elsewhere; the patch errors can just be skipped.
Status: NEW → ASSIGNED
Updated•19 years ago
Attachment #142351 - Flags: review?(kiko)
Comment 8•19 years ago
Comment on attachment 142351 (v1 no-brainer)
Attachment #142351 - Flags: review?(kiko) → review+
Updated•19 years ago
Flags: approval?
Comment 9•19 years ago
Since this is ready now, are we still pushing this for 2.18rc1, or are we doing it for 2.17.7? Or maybe 2.17.7 got renamed to rc1? I assume we'll have to do the security advisory thing and stuff for this before checking it in.
Updated•19 years ago
Attachment #142351 - Flags: review?(justdave)
Comment 10•19 years ago
Holding approval for security advisory/release. This will get checked in last thing prior to the release getting tagged.
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1] → [ready for 2.16.6] [ready for 2.18rc1]
Target Milestone: --- → Bugzilla 2.16
Updated•19 years ago
Flags: blocking2.18+
Flags: blocking2.16.6+
Flags: approval2.16?
Comment 11•19 years ago
OK, let's check this in NOW on the trunk (but hold off on 2.16 for now). We have too many other patches pending on the trunk that are going to conflict with this, and it's getting in the way big time. Just keep the commit log message low profile for now: "removing un-needed form value display code" or something along those lines.
Flags: approval? → approval+
Whiteboard: [ready for 2.16.6] [ready for 2.18rc1] → [ready for 2.16.6] [fixed in 2.18rc1]
Comment 12•19 years ago
OK, checked in on the trunk.
Updated•19 years ago
Flags: approval2.16? → approval2.16+
Comment 13•19 years ago
Checked in on the 2.16 branch.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•19 years ago
Whiteboard: [ready for 2.16.6] [fixed in 2.18rc1] → [fixed in 2.16.6] [fixed in 2.18rc1]
Updated•10 years ago
QA Contact: matty_is_a_geek → default-qa