Closed Bug 842063 Opened 11 years ago Closed 11 years ago

HTML injection possible using the bug alias

Category: Bugzilla :: Creating/Changing Bugs
Type: defect
Priority: Not set
Severity: major
Status: RESOLVED FIXED
Target Milestone: Bugzilla 5.0
Reporter: LpSolit, Assigned: LpSolit
Keywords: regression, sec-low, wsec-xss
Attachments: 1 file

Due to bug 816266, the bug alias is now part of the <title> of bug reports. But the alias is not filtered and so it's now possible to inject HTML code into the page. See https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=1 for an example.

Fortunately, the harm you can do is pretty limited (aliases cannot be longer than 20 characters), but it's enough to mess up the display of bugs.

This only affects trunk. Keeping the bug restricted till this bug is fixed.
Attached patch: patch, v1
Assignee: create-and-change → LpSolit
Status: NEW → ASSIGNED
Attachment #714818 - Flags: review?(dkl)
(In reply to Frédéric Buclin from comment #0)
> Fortunately, the harm you can do is pretty limited (aliases cannot be longer
> than 20 characters), but it's enough to mess up the display of bugs.

<script src=//j.mp> is enough to do damage. :/
(In reply to Reed Loden [:reed] from comment #2)
> <script src=//j.mp> is enough to do damage. :/

No, whitespace is not allowed in aliases. I doubt that you can write anything evil with 20 characters only and without any whitespace. And to exploit the vulnerability, you first have to write </title> to close the title, which leaves you only 12 characters.
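The root cause described in comment 0 (the alias interpolated into `<title>` without HTML escaping) and the alias constraints discussed in comments 2 and 3 (at most 20 characters, no whitespace) can be reproduced and checked with a small rendering model. This is an added example, not the Bugzilla template or the patch from this bug; the title layout, the function names and the constructed alias value are assumptions, and the validator only enforces the two alias rules this page states.

```python
import html
import re

# Limit stated in comment 0; Bugzilla enforces further alias rules that this page does not mention.
ALIAS_MAX_LEN = 20


def alias_is_valid(alias: str) -> bool:
    """Return True if the alias meets the two constraints this bug states:
    at most 20 characters and no whitespace at all."""
    return 0 < len(alias) <= ALIAS_MAX_LEN and re.search(r"\s", alias) is None


def render_title_unfiltered(bug_id: int, alias: str, summary: str) -> str:
    """Model of the regressed template: the alias goes into <title> raw.
    (Assumed title layout; the real template's layout is not shown on this page.)"""
    return "<title>Bug {} ({}) - {}</title>".format(bug_id, alias, html.escape(summary, quote=True))


def render_title_filtered(bug_id: int, alias: str, summary: str) -> str:
    """Corrected rendering: every user-controlled value is HTML-escaped,
    so an alias cannot close the <title> element or open a new one."""
    return "<title>Bug {} ({}) - {}</title>".format(
        bug_id, html.escape(alias, quote=True), html.escape(summary, quote=True)
    )


def title_is_intact(rendered: str) -> bool:
    """Regression check for the page header: exactly one <title>...</title>
    whose text contains no raw angle brackets. Any unescaped '<' or '>' inside
    the title means user input reached the markup unfiltered."""
    return re.fullmatch(r"<title>[^<>]*</title>", rendered) is not None


# Constructed alias: 12 characters, no whitespace, so it passes the alias
# rules from this page, yet it closes the title element when left unescaped.
HOSTILE_ALIAS = "</title><b>x"


def demo() -> dict:
    """Render the constructed alias both ways and report the check results."""
    summary = "Example bug summary"
    raw = render_title_unfiltered(1, HOSTILE_ALIAS, summary)
    safe = render_title_filtered(1, HOSTILE_ALIAS, summary)
    return {
        "alias_valid": alias_is_valid(HOSTILE_ALIAS),
        "unfiltered_intact": title_is_intact(raw),
        "filtered_intact": title_is_intact(safe),
        "filtered_title": safe,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `title_is_intact` is that it is a property of the rendered output, not of the input: it flags any page header where a `<` or `>` from user data survives escaping, which is the kind of assertion a template regression test for this fix would carry.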
Keywords: sec-low, wsec-xss
Comment on attachment 714818 [details] [diff] [review]
patch, v1

r=dkl
Attachment #714818 - Flags: review?(dkl) → review+
Flags: approval+
There has been no release with this security hole, so committing the patch now.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/bug/show-header.html.tmpl
Committed revision 8584.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
curtisk: this bug really isn't worth a bounty. It's not critical.