785696 - The shutdownhtml and announcehtml parameters are not filtered, which can lead to XSS

Status: RESOLVED WORKSFORME

(Bugzilla :: Administration, task)

Description

[Sony]

Attachment: bugzilla.jpg

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

Well, we have xss on bugzilla 4.2.2

I make test on https://ortkn3f8ft9v.demo.bugzilla.org use https://landfill.bugzilla.org


Actual results:

It's here:

https://ortkn3f8ft9v.demo.bugzilla.org/editparams.cgi?section=general

I put our xss code on all (yes stupid, but for test) fields and we can see our xss.

Our xss code for test:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><marquee>your running text</marquee>

Video:

http://www.youtube.com/watch?v=VIaya0hDjR8&feature=youtu.be


Expected results:

I don't know, it's bug, but it's only in admin settings. 

I search again and if i found other i send this later.

Comment 1

[Sony]

https://ortkn3f8ft9v.demo.bugzilla.org/index.cgi?logout=1

persistent xss.

Comment 2

[Frédéric Buclin]

This page is for admins only, and they need to be able to put the code they want there. That's  the exact purpose of shutdownhtml and announcehtml, for instance. If you cannot trust your own admins, you are in trouble. So this behavior is intentional and per design.

Comment 3

[Frédéric Buclin]

(and let's put a meaningful summary, for the record)