Closed Bug 619263 Opened 14 years ago Closed 14 years ago

Reflective XSS via Page History link on mozilla.org (filename outputted unencoded)

Categories

(www.mozilla.org :: General, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: firealwaysworks, Assigned: reed)

Details

(Keywords: wsec-xss, Whiteboard: [infrasec:xss][ws:high])

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Ubuntu/10.10 Chromium/7.0.517.44 Chrome/7.0.517.44 Safari/534.7
Build Identifier: 

Credit: Michael Brooks

Reproducible: Always
Assignee: nobody → reed
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
OS: Linux → All
Hardware: x86_64 → All
Whiteboard: [infrasec:xss][ws:high]
Caused by r48960.
Should be fixed in r79421. Will verify once the change is live.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Severity: major → critical
Priority: -- → P1
Summary: Reflective xss on www.mozilla.org. → Reflective XSS via Page History link (filename outputted unencoded)
Wow, I am seriously impressed with this response time.
As I mentioned in bug 619842 comment 4, I don't think urlencode() is the best solution here. It probably would be better to use htmlspecialchars() or (my personal favorite) htmlentities() instead.
Summary: Reflective XSS via Page History link (filename outputted unencoded) → Reflective XSS via Page History link on mozilla.org (filename outputted unencoded)
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
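What the three PHP functions named in the comment above produce for the same filename, and how they combine when the value lands in both an `href` and link text. This is an added example, not code from mozilla.org or from anyone in this bug; the `/history.php?file=` URL, the helper names `escape_html()` and `history_link()`, and the sample filename are assumptions made for illustration.

```php
<?php
// Added example, not the site's code. $file is a constructed value standing in
// for the request-derived filename; /history.php?file= is a hypothetical URL.

/** Escape a value for HTML text or for a quoted HTML attribute. */
function escape_html(string $s): string
{
    // ENT_QUOTES covers both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the link: URL-encode the parameter first, then HTML-escape the attribute. */
function history_link(string $file): string
{
    $href = '/history.php?file=' . rawurlencode($file);
    return '<a href="' . escape_html($href) . '">History of '
        . escape_html($file) . '</a>';
}

$file = 'docs/a "quoted" <name> & more.html'; // constructed sample

// Same input through each function discussed in the bug.
$rows = [
    'raw'              => $file,
    'urlencode'        => urlencode($file),
    'htmlspecialchars' => escape_html($file),
    'htmlentities'     => htmlentities($file, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
];
foreach ($rows as $name => $value) {
    printf("%-17s %s\n", $name, $value);
}

// Both contexts handled in one link.
echo history_link($file), "\n";
```

URL encoding makes the value a valid URL component, while HTML escaping makes it inert as markup; a value that appears in both places needs each encoding applied for its own context.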
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
Flags: sec-bounty+
Group: websites-security