961656 - XSS in report.cgi with real name of user

Status: RESOLVED DUPLICATE of bug 924932

(Bugzilla :: Reporting/Charting, defect)

Description

[Holger Fuhrmannek]

I have found a XSS vulnerability in Bugzilla 4.4:

Steps to reproduce:

- set the real name of a bugzilla user to " onmouseover=alert(1) style=" (including the ")
- go to “/query.cgi?format=report-table”
	set Multiple Tables = 'Reporter real name' 
	set Detailed Bug Information → Bugs numbered, to a bug number submitted from the user
and submit the formular
- move the mouse over the generated html table, an alert box will appear

Comment 1

[Gervase Markham [:gerv]]

I cannot reproduce this on landfill:

https://landfill.bugzilla.org/bugzilla-4.4-branch/report.cgi?x_axis_field=&y_axis_field=&z_axis_field=reporter_realname&no_redirect=1&query_format=report-table&short_desc_type=allwordssubstr&short_desc=&longdesc_type=allwordssubstr&longdesc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&keywords_type=allwords&keywords=&deadlinefrom=&deadlineto=&bug_id=21928&bug_id_type=anyexact&votes=&votes_type=greaterthaneq&emailassigned_to1=1&emailtype1=substring&email1=&emailassigned_to2=1&emailreporter2=1&emailqa_contact2=1&emailcc2=1&emailtype2=substring&email2=&emaillongdesc3=1&emailtype3=substring&email3=&chfieldvalue=&chfieldfrom=&chfieldto=Now&j_top=AND&f1=noop&o1=noop&v1=&format=table&action=wrap

What am I doing wrong?

Can you paste here the HTML around the point in the HTML where you see the XSS happen (i.e. where the unescaped value is printed)?

Gerv

Comment 2

[Holger Fuhrmannek]

Sorry, already fixed in 4.4.1.

Comment 3

[Gervase Markham [:gerv]]

OK. So can we resolve this bug?

Gerv