Bug 619442 - XSS in showbuilds.cgi due to lack of URI encoding in open_showbuilds_url()
Status: Closed, VERIFIED FIXED (opened 14 years ago, closed 14 years ago)
Product / Component: Webtools Graveyard :: Tinderbox (defect)
Tracking: not tracked
Reporter: firealwaysworks; Assigned: reed
Keywords: wsec-xss; Whiteboard: [infrasec:xss][ws:high]
Attachments (1 file): patch, 938 bytes; bear: review+
Description
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Ubuntu/10.10 Chromium/8.0.552.215 Chrome/8.0.552.215 Safari/534.10
Open the page and scroll to the very bottom. The injected <script> tag is visible, and the HTML of the page is malformed.
Reproducible: Always
Steps to Reproduce:
1. Click on link
2. View page source
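The defect the bug title names, shown as an added example rather than the project's code or the fix in attachment #497877: a hypothetical Perl reconstruction of a query-URL builder shaped like open_showbuilds_url(), in an unencoded form beside one that percent-encodes every query key and value. The function names, the 'hours' parameter and the sample 'noignore' value are assumptions.

```perl
# Hypothetical reconstruction (not Tinderbox's code) of a query-URL builder
# shaped like open_showbuilds_url(), in its unencoded and encoded forms.
use strict;
use warnings;

# Percent-encode every byte outside the RFC 3986 unreserved set
# (A-Z a-z 0-9 - _ . ~). Hand-rolled so the script has no CPAN dependency;
# URI::Escape::uri_escape() from CPAN does the same job.
sub uri_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-_.~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Unencoded form: request parameters are interpolated verbatim, so a value
# like the 'noignore' parameter carries '"', '<' and '>' straight into the
# href the page prints, which is how the reported <script> tag got injected.
sub open_showbuilds_url_unencoded {
    my ($tree, %params) = @_;
    my $url = "showbuilds.cgi?tree=$tree";
    $url .= "&$_=$params{$_}" for sort keys %params;
    return $url;
}

# Encoded form: each key and value is percent-encoded, so the only bytes
# left in the URL are ones that cannot close an attribute or open a tag.
# (When the URL is printed inside an HTML attribute, the '&' separators
# should additionally be written as '&amp;'.)
sub open_showbuilds_url {
    my ($tree, %params) = @_;
    my $url = 'showbuilds.cgi?tree=' . uri_encode($tree);
    $url .= '&' . uri_encode($_) . '=' . uri_encode($params{$_})
        for sort keys %params;
    return $url;
}

# Constructed sample request: a 'noignore' value of the shape the report
# describes, alongside an ordinary parameter.
my %req = (hours => '24', noignore => '1"><script>alert(1)</script>');

print "unencoded: ", open_showbuilds_url_unencoded('Firefox', %req), "\n";
print "encoded:   ", open_showbuilds_url('Firefox', %req), "\n";

# Regression check worth keeping next to the fix: no attribute- or
# tag-breaking character may survive in the emitted URL.
my $out = open_showbuilds_url('Firefox', %req);
die "URL still contains HTML metacharacters: $out\n" if $out =~ /["'<>]/;
print "check passed: encoded URL contains no \", ', < or >\n";
```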
Updated (Assignee) • 14 years ago
Assignee: nobody → reed
Severity: major → critical
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
OS: Linux → All
Hardware: x86_64 → All
Summary: XSS → XSS in showbuilds.cgi via 'noignore' parameter
Whiteboard: [infrasec:xss][ws:high]

Updated (Assignee) • 14 years ago
Summary: XSS in showbuilds.cgi via 'noignore' parameter → XSS in showbuilds.cgi due to lack of URI encoding in open_showbuilds_url()
Comment 1 (Assignee) • 14 years ago
Attachment #497877 - Flags: review?

Updated • 14 years ago
Attachment #497877 - Flags: review? → review+
Comment 2 (Assignee) • 14 years ago
Checking in showbuilds.pl;
/cvsroot/mozilla/webtools/tinderbox/showbuilds.pl,v <-- showbuilds.pl
new revision: 1.46; previous revision: 1.45
done
Filing bug for push now.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

Updated (Assignee) • 14 years ago
Group: webtools-security
Comment 4 • 14 years ago
Verified fix in prod. (we should be verifying and marking as such before opening bugs.)
Status: RESOLVED → VERIFIED
Comment 5 (Assignee) • 14 years ago
(In reply to comment #4)
> Verified fix in prod. (we should be verifying and marking as such before
> opening bugs.)
FTR, I did verify it when the fix was originally pushed.
Comment 6 • 12 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss

Updated • 11 years ago
Product: Webtools → Webtools Graveyard