Created attachment 655413: bugzilla.jpg

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:
Well, we have XSS on Bugzilla 4.2.2. I made a test on https://ortkn3f8ft9v.demo.bugzilla.org using https://landfill.bugzilla.org.

Actual results:
It's here: https://ortkn3f8ft9v.demo.bugzilla.org/editparams.cgi?section=general
I put our XSS code in all fields (yes, stupid, but for a test) and we can see our XSS. Our XSS code for the test:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><marquee>your running text</marquee>

Video: http://www.youtube.com/watch?v=VIaya0hDjR8&feature=youtu.be

Expected results:
I don't know, it's a bug, but it's only in the admin settings. I'll search again and if I find others I'll send them later.
Persistent XSS: https://ortkn3f8ft9v.demo.bugzilla.org/index.cgi?logout=1
This page is for admins only, and they need to be able to put the code they want there. That's the exact purpose of shutdownhtml and announcehtml, for instance. If you cannot trust your own admins, you are in trouble. So this behavior is intentional and by design.
Assignee: nobody → administration
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Component: General → Administration
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Resolution: --- → WORKSFORME
Version: Production → 4.2.2
(and let's put a meaningful summary, for the record)
Summary: bugzilla.org cross site scripting 4.2.2 version → The shutdownhtml and announcehtml parameters are not filtered, which can lead to XSS
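The payload in the report is a context-breaking polyglot: it closes a single-quoted or double-quoted JavaScript string, a double-quoted HTML attribute and an open script element, then opens its own. The Python below is an added example (not part of the bug report and not Bugzilla code) that renders that exact payload into three hypothetical output contexts, with and without the escaping appropriate to each, and uses Python's own HTML tokenizer to count the script elements that result. The template strings, the function names (render_body, render_attr, render_js, script_tags, input_value) and the name="announcehtml" attribute are assumptions for illustration. The unescaped body rendering is the intended behaviour for announcehtml and shutdownhtml, per the maintainer's comment; the other two contexts show what must happen to the same string anywhere it is not meant to be raw HTML.

```python
import html
import json
from html.parser import HTMLParser

# The polyglot payload from the bug report, verbatim (raw string, backslashes kept).
PAYLOAD = r"""';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><marquee>your running text</marquee>"""


class TagCollector(HTMLParser):
    """Records start tags and every value= of <input>, roughly as a browser tokenizer sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_values.extend(v for k, v in attrs if k == "value")


def tokenize(doc):
    parser = TagCollector()
    parser.feed(doc)
    parser.close()
    return parser


def script_tags(doc):
    """Number of <script> start tags the tokenizer finds in doc."""
    return tokenize(doc).tags.count("script")


def input_value(doc):
    """The value= a browser would read back from the first <input> in doc, or None."""
    values = tokenize(doc).input_values
    return values[0] if values else None


# Hypothetical templates standing in for three output contexts (assumed, not Bugzilla's).

def render_body(value, escape):
    """HTML body. escape=False is the announcehtml/shutdownhtml case: raw HTML by design."""
    v = html.escape(value, quote=True) if escape else value
    return f'<div id="announce">{v}</div>'


def render_attr(value, escape):
    """Double-quoted attribute, e.g. a param echoed back into an edit form."""
    v = html.escape(value, quote=True) if escape else value
    return f'<input type="text" name="announcehtml" value="{v}">'


def render_js(value, escape):
    """JavaScript string literal inside an inline <script>."""
    if escape:
        # JSON-encode (handles both quote kinds and backslashes) and break '</' so the
        # HTML tokenizer cannot close the script element from inside the string.
        v = json.dumps(value).replace("</", "<\\/")
        return f"<script>var announce = {v};</script>"
    return f"<script>var announce = '{value}';</script>"


if __name__ == "__main__":
    for name, render in (("body", render_body), ("attribute", render_attr), ("js string", render_js)):
        for escape in (False, True):
            doc = render(PAYLOAD, escape)
            print(f"{name:10} escaped={escape!s:5} script tags={script_tags(doc)}")
    # The attribute case also shows whether the stored value survives the round trip.
    print("attribute value intact after escaping:", input_value(render_attr(PAYLOAD, True)) == PAYLOAD)
```

Without escaping, every context ends up with an extra script element the template never contained, and the attribute context loses most of the value at the payload's first double quote. With per-context escaping the body and attribute contexts contain no script element at all, the attribute reads back as the exact string that was stored, and the JavaScript context keeps its single script element. That is the difference between a field whose purpose is to carry admin-supplied HTML and a field that merely echoes a stored string.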