Bug 842063 - HTML injection possible using the bug alias
Status: Closed (RESOLVED FIXED)
Opened 11 years ago; Closed 11 years ago
Categories: Bugzilla :: Creating/Changing Bugs, defect
Tracking: Bugzilla 5.0
People: Reporter: LpSolit, Assigned: LpSolit
Keywords: regression, sec-low, wsec-xss
Attachments (1 file): patch (980 bytes), dkl: review+
Comment 0 (Description)
Due to bug 816266, the bug alias is now part of the <title> of bug reports. But the alias is not filtered, and so it's now possible to inject HTML code into the page. See https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=1 for an example. Fortunately, the harm you can do is pretty limited (aliases cannot be longer than 20 characters), but it's enough to mess up the display of bugs. This only affects trunk. Keeping the bug restricted until this bug is fixed.
Comment 1 (Assignee, 11 years ago)
Assignee: create-and-change → LpSolit
Status: NEW → ASSIGNED
Attachment #714818 - Flags: review?(dkl)
Comment 2 (11 years ago)
(In reply to Frédéric Buclin from comment #0)
> Fortunately, the harm you can do is pretty limited (aliases cannot be longer
> than 20 characters), but it's enough to mess the display of bugs.

<script src=//j.mp> is enough to do damage. :/

Keywords: sec-critical, wsec-xss
Comment 3 (Assignee, 11 years ago)
(In reply to Reed Loden [:reed] from comment #2)
> <script src=//j.mp> is enough to do damage. :/

No, whitespace is not allowed in aliases. I doubt that you can write anything evil with 20 characters only and without any whitespace. And to exploit the vulnerability, you first have to write </title> to close the title, which leaves you 12 characters only.

Keywords: sec-critical, wsec-xss
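An added example (not Bugzilla's code and not the patch attached to this bug) that makes the point of comment 0 and comment 3 concrete: the alias is interpolated into <title> unescaped, so an alias that fits the stated constraints (at most 20 characters, no whitespace) can close the title and open a new tag, while the same alias passed through an HTML escape is inert. The exact title layout, the alias validator and the sample aliases are assumptions constructed for the demo; the only facts taken from the bug are the 20-character limit, the no-whitespace rule and the unfiltered alias in show-header.html.tmpl.

```python
"""Unescaped bug alias in <title>: vulnerable render vs. escaped render.

Added illustration, not code from Bugzilla. The title layout below is an
assumption; the two alias constraints come from the bug discussion.
"""
import html
import re

MAX_ALIAS_LEN = 20  # limit stated in comment 0


def is_valid_alias(alias: str) -> bool:
    """Mimics the two constraints the discussion mentions: length <= 20 and
    no whitespace. Nothing else is assumed about Bugzilla's real validation."""
    if not alias or len(alias) > MAX_ALIAS_LEN:
        return False
    return not any(ch.isspace() for ch in alias)


def render_title_vulnerable(bug_id: int, alias: str, summary: str) -> str:
    """Before the fix: the alias is dropped into <title> raw while the
    summary is escaped, which is the asymmetry the bug reports."""
    return f"<title>{bug_id} - ({alias}) {html.escape(summary)}</title>"


def render_title_fixed(bug_id: int, alias: str, summary: str) -> str:
    """After the fix: the alias goes through the same HTML escaping as the
    summary, so no tag can be opened from inside the title."""
    return f"<title>{bug_id} - ({html.escape(alias)}) {html.escape(summary)}</title>"


_TAG_RE = re.compile(r"<(/?)([A-Za-z][^\s>/]*)")


def injected_tags(rendered: str) -> list:
    """Tag names present in the output other than the wrapping <title>...</title>.
    Anything returned here is markup the alias smuggled into the page."""
    names = [m.group(1) + m.group(2).lower() for m in _TAG_RE.finditer(rendered)]
    return [n for n in names if n not in ("title", "/title")]


# Constructed sample aliases (not taken from any real Bugzilla instance).
REED_ALIAS = "<script src=//j.mp>"  # the payload from comment 2: contains a space
TIGHT_ALIAS = "</title><b>x"        # 8 chars to close the title, 4 left: fits in 20

if __name__ == "__main__":
    for alias in (REED_ALIAS, TIGHT_ALIAS):
        print(repr(alias), "valid alias:", is_valid_alias(alias))
    vuln = render_title_vulnerable(1, TIGHT_ALIAS, "test bug")
    safe = render_title_fixed(1, TIGHT_ALIAS, "test bug")
    print("vulnerable:", vuln, "-> injected:", injected_tags(vuln))
    print("fixed:     ", safe, "-> injected:", injected_tags(safe))
```

The validator rejects the comment 2 payload for the reason comment 3 gives (it contains whitespace), but accepts the 12-character alias, and only the unescaped renderer lets that alias open a `<b>` element outside the title.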
Updated (11 years ago)

Comment 4 (11 years ago)
Comment on attachment 714818 [details] [diff] [review]
patch, v1

r=dkl

Attachment #714818 - Flags: review?(dkl) → review+
Updated (Assignee, 11 years ago)
Flags: approval+
Comment 5 (Assignee, 11 years ago)
There has been no release with this security hole, so committing the patch now.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/bug/show-header.html.tmpl
Committed revision 8584.

Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated (11 years ago)
Flags: sec-bounty?
Comment 6 (Assignee, 11 years ago)
curtisk: this bug really isn't worth a bounty. It's not critical.
Updated (11 years ago)
Flags: sec-bounty?