Closed
Bug 66091
Opened 24 years ago
Closed 23 years ago
[meta] bugzilla leaks info about hidden bugs in several places
Categories
(Bugzilla :: Bugzilla-General, defect, P1)
Bugzilla
Bugzilla-General
Tracking
()
VERIFIED
FIXED
Bugzilla 2.14
People
(Reporter: jruderman, Assigned: tara)
References
Details
(Keywords: meta, Whiteboard: security)
No description provided.
Reporter | ||
Comment 1•24 years ago
|
||
Starting with dependencies: 39524,39526,39527,39531,39533,65572
Comment 2•24 years ago
|
||
ping Tara.... As much as I hate to add something else to the 2.12 list, I think this one probably should be. Your opinion? As long as this bug is sitting here, there's an easy spot for anyone to come in and find out where all the security holes are in Bugzilla so they can exploit them. IOW, this probably needs to be fixed ASAP.
Reporter | ||
Comment 3•24 years ago
|
||
Adding bug 38852 (metabug for bugzilla holes that allow untrusted html code to appear to come from bugzilla.mozilla.org). Many of the bugs blocking 38852 could be exploited to hijack the bugzilla account of someone with permission to view hidden bugs. That would be more difficult than exploiting the other bugs listed here, but would give the attacker the ability to view all fields of a bug and to query for things like "open, hidden, and mstoltz cc'ed".
Depends on: 38852
Updated•24 years ago
|
Severity: normal → critical
OS: Linux → All
Hardware: PC → All
Comment 4•24 years ago
|
||
Adding endico & dmose to cc. With bug 39524 and bug 39526 everyone can view hidden bugs.
Comment 5•24 years ago
|
||
Should we hold 2.12 for these?
Comment 7•24 years ago
|
||
I think we should hold all of the permission viewing and unescaped param bugs for 2.12, and leave the other three for 2.14. None of those are particularly new issues.
Updated•23 years ago
|
Target Milestone: --- → Bugzilla 2.14
Assignee | ||
Updated•23 years ago
|
Priority: -- → P1
Comment 8•23 years ago
|
||
breaking the dependency link on 38852, since untrusted content is referring to HTML code and not hidden bugs. All of the bugs now dependent on this one have been fixed, therefore this is now fixed.
Reporter | ||
Comment 9•23 years ago
|
||
Most of the dependencies of bug 38852 could be used to see Netscape-confidential bugs. Here's how: 1. Create an html file that loads a page in bugzilla with some <script> stuff in the URL. The script might create an iframe and make it load a bugzilla query or bug number, take the innerHTML of the query results, and send that innerHTML off to the attacker. 2. Upload the attachment to bugzilla and make it look like a testcase for a bug that occurs at a top100 site. 3. Wait for someone with a netscape.com e-mail address to open the attachment. I don't mind this bug being marked as fixed, though, since the dependencies of bug 38852 are still being tracked and fixed rapidly.
Comment 10•23 years ago
|
||
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Updated•12 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•