Closed
Bug 961656
Opened 11 years ago
Closed 11 years ago
XSS in report.cgi with real name of user
Categories
(Bugzilla :: Reporting/Charting, defect)
RESOLVED DUPLICATE of bug 924932
People
(Reporter: hofusec, Unassigned)
Details
I have found an XSS vulnerability in Bugzilla 4.4:
Steps to reproduce:
- set the real name of a Bugzilla user to " onmouseover=alert(1) style=" (including the ")
- go to “/query.cgi?format=report-table”
  - set Multiple Tables = 'Reporter real name'
  - set Detailed Bug Information → Bugs numbered, to a bug number submitted from the user
  - and submit the form
- move the mouse over the generated HTML table, an alert box will appear
Comment 1•11 years ago
I cannot reproduce this on landfill:
https://landfill.bugzilla.org/bugzilla-4.4-branch/report.cgi?x_axis_field=&y_axis_field=&z_axis_field=reporter_realname&no_redirect=1&query_format=report-table&short_desc_type=allwordssubstr&short_desc=&longdesc_type=allwordssubstr&longdesc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&keywords_type=allwords&keywords=&deadlinefrom=&deadlineto=&bug_id=21928&bug_id_type=anyexact&votes=&votes_type=greaterthaneq&emailassigned_to1=1&emailtype1=substring&email1=&emailassigned_to2=1&emailreporter2=1&emailqa_contact2=1&emailcc2=1&emailtype2=substring&email2=&emaillongdesc3=1&emailtype3=substring&email3=&chfieldvalue=&chfieldfrom=&chfieldto=Now&j_top=AND&f1=noop&o1=noop&v1=&format=table&action=wrap
What am I doing wrong?
Can you paste here the HTML around the point in the HTML where you see the XSS happen (i.e. where the unescaped value is printed)?
Gerv
Comment 2•11 years ago (Reporter)
Sorry, already fixed in 4.4.1.
Comment 3•11 years ago
OK. So can we resolve this bug?
Gerv
Updated•11 years ago
Assignee: general → charting
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Component: Bugzilla-General → Reporting/Charting
Resolution: --- → DUPLICATE
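The class of bug reported above, as an added example that is not Bugzilla's code and not part of any comment in this thread: a regression check that renders the real name from the steps to reproduce into a quoted HTML attribute, with and without escaping, and parses the result to see whether extra attributes appear. The `<table title="...">` markup and all function names are assumptions, since the page does not show the affected template.

```python
from html import escape
from html.parser import HTMLParser

# Real name taken from the report's "Steps to reproduce".
REAL_NAME = '" onmouseover=alert(1) style="'

# Assumed markup: the page does not show the real template output.
TEMPLATE = '<table title="%s"><tr><td>1</td></tr></table>'


def render_unescaped(real_name):
    """Insert the value into the quoted attribute as-is (the defect)."""
    return TEMPLATE % real_name


def render_escaped(real_name):
    """Insert the value after HTML-escaping; quote=True also encodes " and '."""
    return TEMPLATE % escape(real_name, quote=True)


class TableAttrCollector(HTMLParser):
    """Records the attributes the parser sees on each <table> start tag."""

    def __init__(self):
        super().__init__()
        self.tables = []

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self.tables.append(dict(attrs))


def table_attributes(markup):
    """Return the attribute dict of the first <table> in the markup."""
    parser = TableAttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.tables[0]


def injected_attributes(markup, allowed=("title",)):
    """Attribute names on the table that the template never intended to emit."""
    return sorted(name for name in table_attributes(markup) if name not in allowed)


if __name__ == "__main__":
    print("unescaped:", injected_attributes(render_unescaped(REAL_NAME)))
    print("escaped:  ", injected_attributes(render_escaped(REAL_NAME)))
```

Checking parsed attributes rather than searching the output for a substring confirms that the escaped value round-trips as data in `title` instead of becoming markup.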