Closed Bug 66091 Opened 24 years ago Closed 23 years ago

[meta] bugzilla leaks info about hidden bugs in several places

Categories

(Bugzilla :: Bugzilla-General, defect, P1)

Tracking

VERIFIED FIXED
Bugzilla 2.14

People

(Reporter: jruderman, Assigned: tara)

Details

(Keywords: meta, Whiteboard: security)

No description provided.
Starting with dependencies: 39524,39526,39527,39531,39533,65572
Depends on: 39524, 39526, 39527, 39531, 39533, 65572
Keywords: meta
ping Tara....

As much as I hate to add something else to the 2.12 list, I think this one probably should be.  Your opinion?

As long as this bug is sitting here, there's an easy spot for anyone to come in and find out where all the security holes are in Bugzilla so they can exploit them.  IOW, this probably needs to be fixed ASAP.
Adding bug 38852 (metabug for bugzilla holes that allow untrusted html code to appear to come from bugzilla.mozilla.org).  Many of the bugs blocking 38852 could be exploited to hijack the bugzilla account of someone with permission to view hidden bugs.  That would be more difficult than exploiting the other bugs listed here, but would give the attacker the ability to view all fields of a bug and to query for things like "open, hidden, and mstoltz cc'ed".
Depends on: 38852
Severity: normal → critical
OS: Linux → All
Hardware: PC → All
Adding endico & dmose to cc. With bug 39524 and bug 39526 everyone can view
hidden bugs.
Should we hold 2.12 for these?
putting on security watch
Whiteboard: security
I think we should hold all of the permission viewing and unescaped param bugs
for 2.12, and leave the other three for 2.14.  None of those are particularly
new issues.
Depends on: 70189
Depends on: 82781
Target Milestone: --- → Bugzilla 2.14
Priority: -- → P1
breaking the dependency link on 38852, since untrusted content is referring to 
HTML code and not hidden bugs.  All of the bugs now dependent on this one have 
been fixed, therefore this is now fixed.
Status: NEW → RESOLVED
Closed: 23 years ago
No longer depends on: 38852
Resolution: --- → FIXED
Most of the dependencies of bug 38852 could be used to see Netscape-confidential
bugs.  Here's how:

1. Create an html file that loads a page in bugzilla with some <script> stuff in
the URL.  The script might create an iframe and make it load a bugzilla query or
bug number, take the innerHTML of the query results, and send that innerHTML off
to the attacker.
2. Upload the attachment to bugzilla and make it look like a testcase for a bug
that occurs at a top100 site.
3. Wait for someone with a netscape.com e-mail address to open the attachment.

I don't mind this bug being marked as fixed, though, since the dependencies of
bug 38852 are still being tracked and fixed rapidly.
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Verified, since the Depends On bugs are fixed.
Status: RESOLVED → VERIFIED
QA Contact: matty_is_a_geek → default-qa