UTF-7 XSS in Bugzilla when using Internet Explorer 6

RESOLVED WONTFIX

Status

Bugzilla
Bugzilla-General
--
minor
7 years ago
5 years ago

People

(Reporter: ygjb, Unassigned)

Tracking

(Blocks: 1 bug)

Details

(Whiteboard: [infrasec:xss][ws:low])

(Reporter)

Description

7 years ago
+++ This bug was initially created as a clone of Bug #675050 +++

Issue

There is an XSS attack possible on bugzilla.mozilla.org.  The type of XSS attack is enabled by character encoding detection behaviour that allows the browser to switch between encodings within the same page.

This vulnerability appears to be exploitable only in Internet Explorer 6, with the following options set:
1. load page with text encoding -> auto select unchecked
2. change text encoding -> auto select to enabled


Steps to Reproduce
1. File a new bug, and set the summary to +ADw-/title+AD4-+ADw-script+AD4-alert()+ADw-/script+AD4-
2. Submit the bug

or see https://bugzilla.mozilla.org/show_bug.cgi?id=674460

Recommendation
1. Upgrade your browser :)
2. Implement code to filter UTF-7 control characters.
3. Implement output encoding to detect and encode UTF-7 control characters as HTML entities to prevent content sniffing.
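
Recommendations 2 and 3 above, sketched as an added example (it is not part of the original report and not Bugzilla's own code): it decodes the summary from the steps to reproduce the way a UTF-7 parser would, flags the runs that hide markup, and shows that emitting `+` as a numeric entity leaves nothing for UTF-7 decoding to act on. The function names are hypothetical.

```python
import html
import re

# Summary value taken from the "Steps to Reproduce" in the report.
SUMMARY = "+ADw-/title+AD4-+ADw-script+AD4-alert()+ADw-/script+AD4-"

# A UTF-7 shifted run: '+', one or more modified-base64 characters, optional '-'.
UTF7_RUN = re.compile(r"\+[A-Za-z0-9+/]+-?")
HTML_SPECIAL = set("<>&\"'")


def _decode_run(run):
    # errors="replace" keeps malformed runs (e.g. the "+1" in "1+1") from raising.
    return run.encode("ascii").decode("utf-7", "replace")


def utf7_view(text):
    """Text as a parser that has switched to UTF-7 would read it (hypothetical helper)."""
    return UTF7_RUN.sub(lambda m: _decode_run(m.group()), text)


def hidden_markup(text):
    """Recommendation 2: find UTF-7 runs that decode to HTML-significant characters."""
    hits = []
    for m in UTF7_RUN.finditer(text):
        decoded = _decode_run(m.group())
        if HTML_SPECIAL & set(decoded):
            hits.append((m.group(), decoded))
    return hits


def escape_for_html(text):
    """Recommendation 3: normal HTML escaping, plus '+' as a numeric entity.

    With no literal '+' left in the output, no UTF-7 shift sequence can start;
    the entity is resolved only after charset decoding, so users still see '+'.
    """
    return html.escape(text, quote=True).replace("+", "&#43;")


if __name__ == "__main__":
    print(utf7_view(SUMMARY))
    print(hidden_markup(SUMMARY))
    safe = escape_for_html(SUMMARY)
    print(safe, hidden_markup(safe))
```
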
(Reporter)

Comment 1

7 years ago
Since this bug seems to affect only a rare use case for Internet Explorer 6.0 we are not fixing it in other areas it has been detected.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
No longer depends on: 675050
Resolution: --- → FIXED
Whiteboard: [infrasec:xss][ws:low]

Comment 3

7 years ago
If there is a vulnerability which is not patched, then the bug is not FIXED (but could be WONTFIX'ed).
Group: bugzilla-security
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → NEW
(Reporter)

Comment 4

7 years ago
For clarification, setting it to fixed was a mistake, and the infrasec team will not be pushing for a fix on this issue.  My apologies for the confusion.

Comment 5

6 years ago
Wow, so this only happens if the user *manually* chooses to enable auto-select after the page has already loaded? If that's the case, then this is WONTFIX and we should remove the security flag.

Comment 6

6 years ago
(In reply to comment #5)
> Wow, so this only happens if the user *manually* chooses to enable
> auto-select after the page has already loaded?

Yes. I tried to enable it before loading the page, but in this case, this doesn't trigger anything. I agree to close this bug as WONTFIX. But should we keep it private till IE6 EOL?
Severity: normal → minor
Status: NEW → RESOLVED
Last Resolved: 7 years ago → 6 years ago
Resolution: --- → WONTFIX

Comment 7

6 years ago
mcoates said it's fine to remove the security flag.
Group: bugzilla-security
Summary: UTF-7 XSS in Bugzilla → UTF-7 XSS in Bugzilla when using Internet Explorer 6

Updated

5 years ago
Blocks: 835424