This will be the meta bug for security issues that arise from Bugzilla allowing untrusted content to come from bugzilla.mozilla.org. See http://www.cert.org/advisories/CA-2000-02.html for information on the general problem. Incidentally, Slashdot reported today that there is a worm floating around that exploits this problem on web-based e-mail sites that show .html attachments as text/html. http://slashdot.org/article.pl?sid=00/05/10/1541244&mode=thread
What about http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan ? Is this the same as bug #26257?
Bumping severity up to critical. Tara, please fix this bug (including all dependent bugs) ASAP. This bug is an ideal way to exploit Mozilla's security holes.
Severity: normal → critical
Status: NEW → ASSIGNED
Is there code that will automatically authenticate content?
Summary: [meta] bugzila security: issues with untrusted content → [meta] bugzilla security: issues with untrusted content
No longer depends on: 21253
Summary: [meta] bugzilla security: issues with untrusted content → [meta] untrusted content being sent or echoed to bugzilla users
Jesse, I just readded bug #21253 because I thought it was accidentally removed due to the midair dependency bug, but someone pointed out that this might not be the case ... if so just remove it again. It's probably good practice to add a comment if you remove a dep someone else added.
Every remaining bug being tracked here is targeted at 2.14, so this should, too.
Target Milestone: --- → Bugzilla 2.14
Note that some of these bugs might allow an attacker to view Netscape-confidential bugs. See my comments in bug 66091.
Should this also depend on bug #95235?
Since all dependencies are resolved, the tracking bug is resolved.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified