Closed
Bug 785696
Opened 12 years ago
Closed 12 years ago
The shutdownhtml and announcehtml parameters are not filtered, which can lead to XSS
Categories
(Bugzilla :: Administration, task)
RESOLVED
WORKSFORME
People
(Reporter: insecurity.ro, Unassigned)
Details
Attachments (1 file): image/jpeg, 177.40 KB
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:
Well, we have XSS on Bugzilla 4.2.2. I tested on https://ortkn3f8ft9v.demo.bugzilla.org, using https://landfill.bugzilla.org.

Actual results:
It's here: https://ortkn3f8ft9v.demo.bugzilla.org/editparams.cgi?section=general
I put our XSS code into all the fields (yes, stupid, but for a test) and we can see our XSS.
Our XSS test code:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><marquee>your running text</marquee>

Video: http://www.youtube.com/watch?v=VIaya0hDjR8&feature=youtu.be

Expected results:
I don't know; it's a bug, but it's only in the admin settings. I will search again, and if I find others I will send them later.

https://ortkn3f8ft9v.demo.bugzilla.org/index.cgi?logout=1: persistent XSS.
Comment 2 • 12 years ago
This page is for admins only, and they need to be able to put the code they want there. That's the exact purpose of shutdownhtml and announcehtml, for instance. If you cannot trust your own admins, you are in trouble. So this behavior is intentional and per design.
Assignee: nobody → administration
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Component: General → Administration
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Resolution: --- → WORKSFORME
Version: Production → 4.2.2
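The design point in comment 2 is that shutdownhtml and announcehtml are meant to carry raw HTML, so output encoding is deliberately not applied to them, and the safety of that choice rests entirely on who can reach editparams.cgi. The following Python is an added illustration written for this page; it is not Bugzilla code (Bugzilla is Perl) and not from anyone on this bug. It contrasts the two handling rules (escape everything that is not an admin-only raw-HTML parameter, pass the admin-only ones through) and adds a defender-side audit that flags script-like content inside those raw parameters, since a maintenance banner has no business containing a script tag and such content would point to a misused or compromised admin account. The helper names `render_param` and `audit_raw_html_params`, the `SUSPICIOUS` patterns and the sample parameter dictionary are all constructed here; the payload string is the reporter's own test string copied from the report above.

```python
import html
import re

# Parameters Bugzilla intentionally leaves unfiltered because only
# administrators can set them (the rationale given in comment 2).
RAW_HTML_PARAMS = {"shutdownhtml", "announcehtml"}

# Heuristic patterns that have no place in a maintenance or announcement
# banner. This is an audit aid, not a full HTML sanitizer.
SUSPICIOUS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),   # inline event handlers (onload=, onerror=, ...)
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*iframe\b", re.I),
]

# The reporter's test string from the bug report (raw string so the
# embedded backslashes and quotes survive unchanged).
REPORTER_PAYLOAD = r"""';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><marquee>your running text</marquee>"""


def render_param(name: str, value: str) -> str:
    """Return the text to emit into a page for parameter `name`.

    Admin-only raw-HTML parameters are emitted verbatim, which is their
    purpose. Every other value is HTML-escaped (including quotes), so any
    markup in it is displayed as text rather than interpreted.
    """
    if name in RAW_HTML_PARAMS:
        return value
    return html.escape(value, quote=True)


def audit_raw_html_params(params: dict) -> dict:
    """Scan the raw-HTML parameters for script-like constructs.

    Returns {parameter_name: [matched snippets]} for each raw-HTML parameter
    whose current value matches one of the SUSPICIOUS patterns. An empty dict
    means nothing was flagged. Intended for periodic configuration review.
    """
    findings = {}
    for name in sorted(RAW_HTML_PARAMS):
        value = params.get(name, "")
        hits = [m.group(0) for pattern in SUSPICIOUS for m in pattern.finditer(value)]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample configuration: a legitimate announcement banner, and the
# reporter's test string as it would look if an admin had saved it into
# shutdownhtml.
SAMPLE_PARAMS = {
    "announcehtml": "<div class='notice'>Planned maintenance Friday 20:00 UTC.</div>",
    "shutdownhtml": REPORTER_PAYLOAD,
    "maintainer": "admin@example.org",
}


if __name__ == "__main__":
    # A user-controlled value is neutralised by escaping.
    print(render_param("maintainer", "<b>x</b>"))
    # The admin-only parameter passes through untouched.
    print(render_param("announcehtml", SAMPLE_PARAMS["announcehtml"]))
    # The audit flags the script tag sitting in shutdownhtml.
    print(audit_raw_html_params(SAMPLE_PARAMS))
```

The audit is deliberately narrow: it does not try to decide whether HTML is "safe", only whether an announcement banner contains constructs an administrator would not normally put there. Running it from a cron job and alerting on any non-empty result gives a cheap detection for the scenario comment 2 leaves open, an admin account that is no longer trustworthy.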
Comment 3 • 12 years ago
(and let's put a meaningful summary, for the record)
Summary: bugzilla.org cross site scripting 4.2.2 version → The shutdownhtml and announcehtml parameters are not filtered, which can lead to XSS