XSS vulnerability in disabled text field of users

RESOLVED DUPLICATE of bug 319091

(Reporter: insecurity.ro, Unassigned)

Description

User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Build ID: 20120306064154

Steps to reproduce:

It's only in the admin settings, under add user.

Actual results:

PoC:

(use Mozilla Firefox or another browser without plugins)


https://1zxl51jv7q3c.demo.bugzilla.org/index.cgi

Test account (with our XSS code):

login: test@test.ru

password: 112233

Video:

http://www.youtube.com/watch?v=m8_8aQ22wNw&feature=youtu.be

Vuln field:

https://1zxl51jv7q3c.demo.bugzilla.org/editusers.cgi?action=add
(Disable text --> we can put our XSS code here)


Expected results:

I don't know, it's only with an admin account.
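
To make the class of bug concrete, here is an added example (not Bugzilla's code and not the reporter's PoC, which the report does not include) of how an admin-supplied "disable text" value becomes stored XSS when it is interpolated into the edit-user page without escaping, beside the hardened rendering that HTML-escapes the value on output. The payload, the field name, and the two rendering contexts (a textarea holding the value for editing, and a hypothetical paragraph displaying it) are all constructed for illustration.

```python
import html
import re

# Constructed stand-in for the reporter's payload (the report does not include
# the actual string). It closes a textarea first so that it fires both when the
# value sits inside a textarea and when it is displayed as ordinary text.
PAYLOAD = '</textarea><script>alert(document.cookie)</script>'

# The template itself emits exactly one <textarea> and one </textarea>.
TEMPLATE_TAGS = 2


def render_vulnerable(disabled_text: str) -> str:
    """Hypothetical vulnerable 'edit user' fragment: the admin-supplied disable
    text is pasted into the markup as-is. This is not Bugzilla's template."""
    return (
        '<textarea name="disabledtext">' + disabled_text + '</textarea>\n'
        '<p>Account disabled: ' + disabled_text + '</p>'
    )


def render_hardened(disabled_text: str) -> str:
    """Same fragment with the value HTML-escaped on output, the equivalent of
    Template Toolkit's FILTER html in a Bugzilla template. One escape covers
    both contexts because '<' can no longer open a tag anywhere."""
    safe = html.escape(disabled_text, quote=True)
    return (
        '<textarea name="disabledtext">' + safe + '</textarea>\n'
        '<p>Account disabled: ' + safe + '</p>'
    )


_TAG = re.compile(r'<\s*/?\s*(script|textarea)\b', re.IGNORECASE)


def injected_tags(fragment: str, template_tags: int = TEMPLATE_TAGS) -> int:
    """Count script/textarea tags in the fragment beyond the ones the template
    emits itself. Anything above zero means the stored value broke out of its
    intended context and the browser will see attacker-controlled tags."""
    return len(_TAG.findall(fragment)) - template_tags


def recovers_text(fragment: str, original: str) -> bool:
    """Escaping must not lose data: what the browser shows inside the textarea
    (after undoing the entity encoding) must be exactly what the admin typed."""
    m = re.search(r'<textarea name="disabledtext">(.*?)</textarea>',
                  fragment, re.DOTALL)
    return m is not None and html.unescape(m.group(1)) == original


if __name__ == '__main__':
    print('vulnerable:', injected_tags(render_vulnerable(PAYLOAD)), 'injected tags')
    print('hardened:  ', injected_tags(render_hardened(PAYLOAD)), 'injected tags')
    print('hardened round-trips the text:', recovers_text(render_hardened(PAYLOAD), PAYLOAD))
```

The check counts tags rather than looking for the literal payload, so it also catches variants such as `<SCRIPT` or `< /textarea>`; the round-trip check guards against the opposite mistake of "fixing" the bug by stripping or mangling the stored text instead of escaping it.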
This has nothing to do with BMO, they don't even run the 4.2.2 version. Moving to Bugzilla Product itself for triage.
Assignee: nobody → user-accounts
Component: General → User Accounts
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Summary: bugzilla.mozilla.org 4.2.2 "add user" vuln to xss code → XSS vulnerability in disabled text field of users
Version: Production → 4.2.2
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 319091

Assignee: user-accounts → administration
Group: bugzilla-security
Component: User Accounts → Administration