Persistent XSS in bugzilla.mozilla.org

RESOLVED INVALID

People

(Reporter: plitvix, Unassigned)

Tracking

(Blocks: 1 bug)

Production
Other
Other

(Reporter)

Description

6 years ago
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

Created a new bug, added 
data:text/html;base64whdfghdfgh,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
as URL.


Actual results:

As the user clicks on that link, JavaScript code that is encoded in base64 will get executed.
I know it is a long shot, but better safe than sorry.


Expected results:

Check if the URL begins with http:// or https:// and prevent data: URLs.

When I click that link in the URL field, I get an alert saying the URL is unsafe and could potentially be harmful and asking me whether I really want to open it, precisely because it would run the JS if followed. Are you not getting that alert?

Indeed, I don't see any problem. This seems to be working as expected...
Group: core-security → bugzilla-security
Component: Security → General
Product: Core → bugzilla.mozilla.org
Version: unspecified → Production
A warning is thrown for any unsafe or unrecognized values entered in the URL field before the value is used. So I don't see this as being a concern, as the user is properly warned.

dkl
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID
Group: bugzilla-security
(Reporter)

Comment 5

6 years ago
Sorry for this, I should have checked that proper URLs don't need confirmations.
But why keep this, and not filter it like Bug URLs (can't submit if no http or https)?

(In reply to plitvix from comment #5)
> Sorry for this, I should have checked that proper URLs don't need
> confirmations.
> But why keep this, and not filter it like Bug URLs (can't submit if no
> http or https)?

Because it's useful for Mozilla developers who deal with data: and javascript: URLs. By default, Bugzilla will not allow such URLs. This is a bugzilla.mozilla.org-only customization, as requested by our developers.

Updated

6 years ago
Blocks: 835424
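
The two policies discussed in this thread (refuse any URL-field value that is not http/https, or accept other schemes but confirm before following them) can be compared side by side. This is an added example, not Bugzilla's code; `classifyUrlField`, the `onOther` parameter and the sample values are assumptions made for illustration.

```javascript
// Added example; function and policy names are hypothetical, not Bugzilla's.
const LINKABLE = new Set(["http:", "https:"]);

// Decide what to do with a URL-field value.
//   action "link"   : allowlisted scheme, render as an ordinary hyperlink
//   action "warn"   : other scheme, show a confirmation page before following
//   action "reject" : refuse the value at submit time
// onOther = "reject" models the http/https-only filter the reporter asked for;
// onOther = "warn" models the confirm-before-open behaviour the replies describe.
function classifyUrlField(value, onOther = "reject") {
  let url;
  try {
    // Parse the way a browser will: the WHATWG parser trims surrounding
    // whitespace and lower-cases the scheme, so the decision is made on the
    // scheme the browser would act on, not on the raw string prefix.
    url = new URL(value);
  } catch {
    return { action: "reject", scheme: null }; // not an absolute URL
  }
  if (LINKABLE.has(url.protocol)) {
    return { action: "link", scheme: url.protocol, href: url.href };
  }
  return { action: onOther, scheme: url.protocol };
}

// Constructed sample inputs with benign bodies.
const SAMPLES = [
  "https://example.org/page",
  "HTTP://EXAMPLE.ORG/",
  "  https://example.org/trimmed",
  "data:text/plain,hello",
  " DATA:text/plain,hello",
  "javascript:void(0)",
  "example.org/no-scheme",
];

// Returns [value, action] pairs for every sample under the chosen policy.
function triage(onOther) {
  return SAMPLES.map((v) => [v, classifyUrlField(v, onOther).action]);
}

for (const [value, action] of triage("warn")) {
  console.log(action.padEnd(6), JSON.stringify(value));
}
```

Storing the normalised `href` rather than the raw input keeps what is displayed and what the browser follows identical.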