Bug 675080: UTF-7 XSS in Bugzilla when using Internet Explorer 6

Status: RESOLVED WONTFIX (opened 13 years ago, closed 13 years ago)
Product: Bugzilla :: Bugzilla-General
Type: defect
Priority: Not set
Severity: minor
Reporter: ygjb
Assignee: Unassigned
Whiteboard: [infrasec:xss][ws:low]

+++ This bug was initially created as a clone of Bug #675050 +++

Issue

There is an XSS attack possible on bugzilla.mozilla.org.  The type of XSS attack is enabled by character encoding detection behaviour that allows the browser to switch between encodings within the same page.

This vulnerability appears to be exploitable only in Internet Explorer 6, with the following options set:
1. load page with text encoding -> auto select unchecked
2. change text encoding -> auto select to enabled


Steps to Reproduce
1. File a new bug, and set the summary to +ADw-/title+AD4-+ADw-script+AD4-alert()+ADw-/script+AD4-
2. Submit the bug

or see https://bugzilla.mozilla.org/show_bug.cgi?id=674460

Recommendation
1. Upgrade your browser :)
2. Implement code to filter UTF-7 control characters.
3. Implement output encoding to detect and encode UTF-7 control characters as HTML entities to prevent content sniffing.
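
Recommendations 2 and 3 above, sketched as an added Python example (not part of the original report and not Bugzilla's own code; the function names are hypothetical). It finds UTF-7 shifted blocks that decode to HTML-significant characters, and on output emits "+" as an entity so no shift sequence reaches the page.

```python
import html
import re

# A UTF-7 shifted block: '+', modified-base64 characters, optional '-' terminator.
SHIFT_BLOCK = re.compile(r"\+([A-Za-z0-9+/]+)-?")
HTML_SIGNIFICANT = set("<>\"'&")


def decode_block(b64):
    """Decode one shifted block as a UTF-7 aware parser would; '' if invalid."""
    try:
        return ("+" + b64 + "-").encode("ascii").decode("utf-7")
    except UnicodeDecodeError:
        return ""  # e.g. the "+1" in "1+1=2" is not a valid shifted block


def find_utf7_markup(text):
    """Return (raw, decoded) pairs for blocks decoding to HTML-significant chars."""
    hits = []
    for m in SHIFT_BLOCK.finditer(text):
        decoded = decode_block(m.group(1))
        if HTML_SIGNIFICANT & set(decoded):
            hits.append((m.group(0), decoded))
    return hits


def encode_for_html(text):
    """HTML-escape, then emit '+' as an entity so no shift sequence is output."""
    return html.escape(text, quote=True).replace("+", "&#43;")


# The summary string from the steps to reproduce above.
SUMMARY = "+ADw-/title+AD4-+ADw-script+AD4-alert()+ADw-/script+AD4-"

if __name__ == "__main__":
    for raw, decoded in find_utf7_markup(SUMMARY):
        print(f"{raw!r} decodes to {decoded!r}")
    print(encode_for_html(SUMMARY))
```

Ordinary text containing "+" (such as "1+1=2") is not flagged, because the characters after the "+" do not form a valid shifted block.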
Since this bug seems to affect only a rare use case for Internet Explorer 6.0, we are not fixing it in other areas where it has been detected.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [infrasec:xss][ws:low]
If there is a vulnerability which is not patched, then the bug is not FIXED (but could be WONTFIX'ed).
Group: bugzilla-security
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → NEW
For clarification, setting it to fixed was a mistake, and the infrasec team will not be pushing for a fix on this issue.  My apologies for the confusion.
Wow, so this only happens if the user *manually* chooses to enable auto-select after the page has already loaded? If that's the case, then this is WONTFIX and we should remove the security flag.
(In reply to comment #5)
> Wow, so this only happens if the user *manually* chooses to enable
> auto-select after the page has already loaded?

Yes. I tried to enable it before loading the page, but in this case, this doesn't trigger anything. I agree to close this bug as WONTFIX. But should we keep it private till IE6 EOL?
Severity: normal → minor
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
mcoates said it's fine to remove the security flag.
Group: bugzilla-security
Summary: UTF-7 XSS in Bugzilla → UTF-7 XSS in Bugzilla when using Internet Explorer 6