[meta] untrusted content being sent or echoed to bugzilla users

RESOLVED FIXED in Bugzilla 2.14

Status

defect
P3
critical
RESOLVED FIXED
20 years ago
7 years ago

People

(Reporter: jruderman, Assigned: tara)

Tracking

({meta})

unspecified
Bugzilla 2.14
Other
Other

Details

(Whiteboard: security)

this will be the meta bug for security issues that arise from bugzilla allowing 
untrusted content to come from bugzilla.mozilla.org.  see 
http://www.cert.org/advisories/CA-2000-02.html for information on the general 
problem.

incidentally, slashdot reported today that there is a worm floating around that 
exploits this problem on web-based e-mail sites that show .html attachments as 
text/html.  http://slashdot.org/article.pl?sid=00/05/10/1541244&mode=thread
adding some dependencies
Depends on: 13075, 38854, 38855, 38856, 38859, 38862
Depends on: 26257
Depends on: 39536
changing dependency on bug 13075 to dependency on bug 41906.
Depends on: 41906
No longer depends on: 13075
Bumping severity up to critical.

tara, please fix this bug (including all dependent bugs) ASAP. This bug is an
ideal way to exploit Mozilla's security holes.
Severity: normal → critical
Looking...
Status: NEW → ASSIGNED
is there code that will automatically authenticate content?
cyeh: ??
Keywords: meta
Depends on: 39537
Adding bug 45784.
Depends on: 45784
Blocks: 66091
Summary: [meta] bugzila security: issues with untrusted content → [meta] bugzilla security: issues with untrusted content
Whiteboard: security
No longer depends on: 21253
Summary: [meta] bugzilla security: issues with untrusted content → [meta] untrusted content being sent or echoed to bugzilla users
Depends on: 21253
Jesse, I just re-added bug #21253 because I thought it was accidentally removed
due to the midair dependency bug, but someone pointed out that this might not be
the case ... if so just remove it again.  It's probably good practice to add a
comment if you remove a dep someone else added.
every remaining bug being tracked here is targeted at 2.14, so this should, too.
Target Milestone: --- → Bugzilla 2.14
Depends on: 87701
Note that some of these bugs might allow an attacker to view
Netscape-confidential bugs.  See my comments in bug 66091.
No longer depends on: 38862
No longer depends on: 26257
Should this also depend on bug #95235?
since all dependencies are resolved, the tracking bug is resolved.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa