XSS on hudson.mozilla.org

VERIFIED FIXED

Status

--
major
8 years ago
5 years ago

People

(Reporter: firealwaysworks, Unassigned)

Tracking

({wsec-xss})

Details

(Whiteboard: [infrasec:xss][ws:high], URL)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: 


Both the GET and POST variables "lhs" are affected:
https://hudson.mozilla.org/projectRelationship?rhs=on&lhs=%22%20%3E%3C/input%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E&Submit=Compare


Reproducible: Always
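
An added example, not part of the original report and not Hudson's code: it decodes the `lhs` value from the URL above and renders it with and without HTML encoding. The `<input ... value="...">` template and all function names are assumptions made for illustration; the page does not show the affected markup.

```javascript
// Query string copied from the URL in the report.
const REPORTED_QUERY =
  'rhs=on&lhs=%22%20%3E%3C/input%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E&Submit=Compare';

// Assumed markup: lhs is taken to be echoed into a quoted attribute value.
function renderUnescaped(lhs) {
  return '<input type="text" name="lhs" value="' + lhs + '">';
}

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Same template, with the parameter encoded at the point of output.
function renderEscaped(lhs) {
  return '<input type="text" name="lhs" value="' + escapeHtml(lhs) + '">';
}

// Tag names are case-insensitive in HTML, so the check must be too.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo() {
  // URLSearchParams percent-decodes the value the way a server would.
  const lhs = new URLSearchParams(REPORTED_QUERY).get('lhs');
  const unescaped = renderUnescaped(lhs);
  const escaped = renderEscaped(lhs);
  return {
    lhs,
    unescaped,
    escaped,
    unescapedHasScript: containsScriptTag(unescaped),
    escapedHasScript: containsScriptTag(escaped),
  };
}

const result = demo();
console.log('decoded lhs :', result.lhs);
console.log('unescaped   :', result.unescaped, '-> script tag:', result.unescapedHasScript);
console.log('escaped     :', result.escaped, '-> script tag:', result.escapedHasScript);
```
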
mcoates has had luck in the past filing bugs at hudson's tracker
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 3

8 years ago
This issue still hasn't been patched and it can be used to obtain authentication credentials.
This slipped a bit.  Bug filed with Hudson.  We are on an old version, the solution might be just to update.

http://issues.hudson-ci.org/browse/HUDSON-8804
Whiteboard: [infrasec:xss][ws:high]
hudson.mozilla.org points to jenkins.mozilla.org. I have tested this and it doesn't happen anymore.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Group: websites-security

Updated

6 years ago
Blocks: 836522
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss