+++ This bug was initially created as a clone of Bug #675050 +++

Issue

There is an XSS attack possible on bugzilla.mozilla.org. The type of XSS attack is enabled by character encoding detection behaviour that allows the browser to switch between encodings within the same page. This vulnerability appears to be exploitable only in Internet Explorer 6, with the following options set:

1. load page with text encoding -> auto select unchecked
2. change text encoding -> auto select to enabled

Steps to Reproduce

1. File a new bug, and set the summary to +ADw-/title+AD4-+ADw-script+AD4-alert()+ADw-/script+AD4-
2. Submit the bug or see https://bugzilla.mozilla.org/show_bug.cgi?id=674460

Recommendation

1. Upgrade your browser :)
2. Implement code to filter UTF-7 control characters.
3. Implement output encoding to detect and encode UTF-7 control characters as HTML entities to prevent content sniffing.
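Recommendation 3 from the report above, sketched as an added example (this is not Bugzilla's code and not part of the original report): detect UTF-7 shift sequences that decode to HTML metacharacters, and entity-encode `+` on output so no shift sequence survives. The function names `utf7_hidden_markup` and `escape_for_html` are hypothetical; the sample input is the summary string quoted in the report.

```python
import html
import re

# A UTF-7 shift sequence: '+', modified-base64 characters, optional closing '-'.
UTF7_RUN = re.compile(r"\+[A-Za-z0-9+/]+-?")
HTML_META = set("<>\"'&")


def utf7_hidden_markup(text):
    """Return (run, decoded) pairs for UTF-7 runs that decode to HTML metacharacters."""
    hits = []
    for match in UTF7_RUN.finditer(text):
        run = match.group(0)
        try:
            decoded = run.encode("ascii").decode("utf-7")
        except (UnicodeDecodeError, UnicodeEncodeError):
            continue  # not a valid UTF-7 sequence, e.g. ordinary use of '+'
        if HTML_META & set(decoded):
            hits.append((run, decoded))
    return hits


def escape_for_html(text):
    """HTML-escape the text, then entity-encode '+' as well.

    With '+' written as &#43;, a browser that sniffs the page as UTF-7
    finds no shift character, so the run stays inert text.
    """
    return html.escape(text, quote=True).replace("+", "&#43;")


if __name__ == "__main__":
    # Summary string from the report's "Steps to Reproduce".
    summary = "+ADw-/title+AD4-+ADw-script+AD4-alert()+ADw-/script+AD4-"
    for run, decoded in utf7_hidden_markup(summary):
        print(f"{run!r} decodes to {decoded!r}")
    print(escape_for_html(summary))
```

Serving every page with an explicit charset in the `Content-Type` header remains the primary defence; the escaping above only covers the case where the encoding is overridden anyway.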
Since this bug seems to affect only a rare use case for Internet Explorer 6.0, we are not fixing it in the other areas where it has been detected.
If there is a vulnerability which is not patched, then the bug is not FIXED (but could be WONTFIX'ed).
For clarification, setting it to fixed was a mistake, and the infrasec team will not be pushing for a fix on this issue. My apologies for the confusion.
Wow, so this only happens if the user *manually* chooses to enable auto-select after the page has already loaded? If that's the case, then this is WONTFIX and we should remove the security flag.
(In reply to comment #5)
> Wow, so this only happens if the user *manually* chooses to enable
> auto-select after the page has already loaded?

Yes. I tried to enable it before loading the page, but in this case, this doesn't trigger anything. I agree to close this bug as WONTFIX. But should we keep it private till IE6 EOL?
mcoates said it's fine to remove the security flag.