[meta] untrusted content being sent or echoed to bugzilla users

RESOLVED FIXED in Bugzilla 2.14

Status


P3
critical
RESOLVED FIXED
19 years ago
6 years ago

People

(Reporter: jruderman, Assigned: tara)

Tracking

({meta})

unspecified
Bugzilla 2.14
Other
Other

Details

(Whiteboard: security, URL)

(Reporter)

Description

19 years ago
this will be the meta bug for security issues that arise from bugzilla allowing 
untrusted content to come from bugzilla.mozilla.org.  see 
http://www.cert.org/advisories/CA-2000-02.html for information on the general 
problem.

incidentally, slashdot reported today that there is a worm floating around that 
exploits this problem on web-based e-mail sites that show .html attachments as 
text/html.  http://slashdot.org/article.pl?sid=00/05/10/1541244&mode=thread
(Reporter)

Comment 1

19 years ago
adding some dependencies
Depends on: 13075, 38854, 38855, 38856, 38859, 38862
(Reporter)

Updated

19 years ago
Depends on: 26257
(Reporter)

Updated

19 years ago
Depends on: 39536
(Reporter)

Comment 3

19 years ago
changing dependency on bug 13075 to dependency on bug 41906.
Depends on: 41906
No longer depends on: 13075

Comment 4

19 years ago
Bumping severity up to critical.

tara, please fix this bug (including all dependent bugs) ASAP. This bug is an
ideal way to exploit Mozilla's security holes.
Severity: normal → critical
(Assignee)

Comment 5

19 years ago
Looking...
Status: NEW → ASSIGNED

Comment 6

18 years ago
is there code that will automatically authenticate content?

Comment 7

18 years ago
cyeh: ??
(Reporter)

Updated

18 years ago
Keywords: meta
(Reporter)

Updated

18 years ago
Depends on: 39537
(Reporter)

Comment 8

18 years ago
Adding bug 45784.
Depends on: 45784
(Reporter)

Updated

18 years ago
Blocks: 66091

Updated

18 years ago
Summary: [meta] bugzila security: issues with untrusted content → [meta] bugzilla security: issues with untrusted content
Whiteboard: security
(Reporter)

Updated

18 years ago
No longer depends on: 21253
Summary: [meta] bugzilla security: issues with untrusted content → [meta] untrusted content being sent or echoed to bugzilla users
Depends on: 21253
Jesse, I just re-added bug #21253 because I thought it was accidentally removed
due to the midair dependency bug, but someone pointed out that this might not be
the case ... if so just remove it again.  It's probably good practice to add a
comment if you remove a dep someone else added.
every remaining bug being tracked here is targeted at 2.14, so this should, too.
Target Milestone: --- → Bugzilla 2.14
(Reporter)

Updated

18 years ago
Depends on: 87701
(Reporter)

Comment 11

18 years ago
Note that some of these bugs might allow an attacker to view
Netscape-confidential bugs.  See my comments in bug 66091.
No longer depends on: 38862
No longer depends on: 26257

Comment 12

17 years ago
Should this also depend on bug #95235?
since all dependencies are resolved, the tracking bug is resolved.
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa