The shutdownhtml and announcehtml parameters are not filtered, which can lead to XSS

RESOLVED WORKSFORME

(Reporter: insecurity.ro, Unassigned)

Attachments

(1 attachment)

Description

6 years ago
Created attachment 655413 [details]
bugzilla.jpg

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

Well, we have XSS on Bugzilla 4.2.2.

I made a test on https://ortkn3f8ft9v.demo.bugzilla.org using https://landfill.bugzilla.org

Actual results:

It's here:

https://ortkn3f8ft9v.demo.bugzilla.org/editparams.cgi?section=general

I put our XSS code in all fields (yes, stupid, but for a test) and we can see our XSS.

Our XSS code for the test:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><marquee>your running text</marquee>

Video:

http://www.youtube.com/watch?v=VIaya0hDjR8&feature=youtu.be
Expected results:

I don't know; it's a bug, but it's only in admin settings.

I will search again, and if I find others I will send them later.

Comment 2

6 years ago
This page is for admins only, and they need to be able to put the code they want there. That's the exact purpose of shutdownhtml and announcehtml, for instance. If you cannot trust your own admins, you are in trouble. So this behavior is intentional and by design.
Assignee: nobody → administration
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Component: General → Administration
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Resolution: --- → WORKSFORME
Version: Production → 4.2.2
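The trust boundary drawn in Comment 2 can be made concrete: a small set of admin-only parameters (shutdownhtml, announcehtml) is emitted as raw HTML on purpose, while every other value must be HTML-escaped before it reaches a page. The snippet below is an added illustration written for this page, not Bugzilla's own code; `RAW_HTML_PARAMS`, `render_field`, `audit_params` and the sample parameter values are constructed for the example. It also shows the kind of check an operator might run over the stored parameters so that active content placed in these fields through a compromised or careless admin account is noticed.

```python
import html
import re

# Constructed model of the distinction in Comment 2: these two parameters
# are meant to hold HTML written by an administrator and are emitted verbatim.
# Illustrative only; this is not how Bugzilla itself stores or renders them.
RAW_HTML_PARAMS = {"shutdownhtml", "announcehtml"}


def render_field(name, value):
    """Return the HTML that would be emitted for a named field."""
    if name in RAW_HTML_PARAMS:
        return value  # admin-authored HTML, passed through by design
    # Everything else is untrusted and must be escaped, including quotes,
    # so that it cannot break out of an attribute or a text node.
    return html.escape(value, quote=True)


# Crude indicators of active content inside an admin HTML parameter.
# A match is not proof of abuse, only something worth a second look.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def audit_params(params):
    """Return the raw-HTML parameter names whose value contains active content."""
    return sorted(
        name
        for name, value in params.items()
        if name in RAW_HTML_PARAMS and ACTIVE_CONTENT.search(value)
    )


# Constructed sample parameter set (not taken from any real installation).
CONSTRUCTED_PARAMS = {
    "announcehtml": "<b>Maintenance</b> on Saturday",
    "shutdownhtml": "<script>alert(1)</script>",
    "maintainer": "admin@example.com",
}

if __name__ == "__main__":
    for name, value in CONSTRUCTED_PARAMS.items():
        print(name, "->", render_field(name, value))
    print("flagged:", audit_params(CONSTRUCTED_PARAMS))
```

Running the file prints the announcement passed through unchanged, the ordinary maintainer field escaped, and `flagged: ['shutdownhtml']` for the sample set. The audit is deliberately simple; its value is in being run after every parameter change, so a script tag in a field that only an admin can edit is treated as an event to review rather than as a bug in the escaping.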

Comment 3

6 years ago
(and let's put a meaningful summary, for the record)
Summary: bugzilla.org cross site scripting 4.2.2 version → The shutdownhtml and announcehtml parameters are not filtered, which can lead to XSS