Closed
Bug 987940
Opened 11 years ago
Closed 11 years ago
arbitrary product name (text) injection in guided workflow
Categories
(bugzilla.mozilla.org :: Extensions, defect)
RESOLVED
FIXED
People
(Reporter: curtisk, Assigned: glob)
Details
(Keywords: reporter-external)
Date: Tue, 25 Mar 2014 12:11:58 -0400
From: "king haxor" <KingHaxorPHC@hackermail.com>
Subject: bug found in (https://bugzilla.mozilla.org)
To: security@mozilla.org
-----//-----
Hello Mozilla, I found a bug in https://bugzilla.mozilla.org
following are the proof and explanation of bug :
OS: Windows 7
Browser : Mozilla Firefox
Bug Type : HTML INJECTION
Time & Date : 5:00 pm & 25-3-2014
Explanation of Bug :
When we open https://bugzilla.mozilla.org, sign up, log in and click on the NEW tab, as the image shows => http://prntscr.com/3409x1
then we click on the Firefox tab, as the image shows => http://prntscr.com/340abn
and the URL looks like this => https://bugzilla.mozilla.org/enter_bug.cgi#h=dupes|Firefox+OS
If we look at the end of the URL we see Firefox+OS. Now when we remove this Firefox+OS from the URL and put our own words there, as I put "bug is here" in the URL, the site looks like this => https://bugzilla.mozilla.org/enter_bug.cgi#h=dupes|bug+is+here
Now when I put this address in the URL bar and press enter, the words which I put in the URL, "bug is here", are shown on the page too, as the image shows
=> http://prntscr.com/340brg
So I think this is the bug called HTML INJECTION, and I am so excited to be listed in the HOF of Mozilla
Comment 1•11 years ago (Reporter)
dveditz reproduced this and we've decided explicitly not to make this a hidden bug as we don't think it's a security issue as this is just text.
This only happens with the guided workflow instance of a new user not using Persona.
Comment 2•11 years ago
"not" using persona? One of my persona-logged-in accounts was able to reproduce. Couldn't figure out how to turn on the guided new-bug flow for my main account (is it tied to canconfirm or editbugs?) but that's the default flow for most accounts.
Any html appears to be correctly escaped, but the product name can be arbitrary text. Could someone come up with something usefully spoofy to say there? Something embarrassing?
Component: Bugzilla Tweaks → Extensions: GuidedBugEntry
Flags: sec-bounty-
Summary: html injection in guided workflow → arbitrary product name (text) injection in guided workflow
(In reply to Curtis Koenig [:curtisk] from comment #1)
> This only happens with the guided workflow instance of a new user not using
> Persona.
This is not correct -- the guided bug entry form is used by default for any user that does not have canconfirm rights. There's no functional difference between "persona" and password backed accounts.
Severity: normal → trivial
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
f8a258d..b9793ff 4.2 -> 4.2
- redirects you back to the start if we get passed an invalid product name.
Assignee: nobody → glob
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
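One way to implement a check of the kind the fix describes, as an added example (not the code from the BMO commit): the product name in the `#h=<step>|<product>` fragment is accepted only if it matches a known product, otherwise the flow goes back to the start. The product list, the `START_STEP` name and both function names are assumptions made for illustration.

```javascript
// Constructed sample list; a real page would use the products the server exposes.
const KNOWN_PRODUCTS = new Set(["Firefox", "Firefox OS", "Thunderbird"]);
const START_STEP = "start"; // hypothetical name for the first step of the guided flow

// Parse "#h=<step>|<product>" into its parts; returns null when the shape is wrong.
function parseGuidedHash(hash) {
  const m = /^#h=([A-Za-z]+)\|(.*)$/.exec(hash);
  if (!m) return null;
  let product;
  try {
    // "+" stands for a space in the fragment, as in "Firefox+OS".
    product = decodeURIComponent(m[2].replace(/\+/g, " "));
  } catch (e) {
    return null; // malformed percent-encoding
  }
  return { step: m[1], product };
}

// Decide what the page should show for a given fragment. Anything that is not
// an exact match for a known product sends the user back to the start, so the
// fragment text is never displayed as a product name.
function resolveGuidedState(hash, knownProducts = KNOWN_PRODUCTS) {
  const parsed = parseGuidedHash(hash);
  if (!parsed || !knownProducts.has(parsed.product)) {
    return { step: START_STEP, product: null, redirected: true };
  }
  return { step: parsed.step, product: parsed.product, redirected: false };
}
```

When the accepted name is written into the page, setting it through `textContent` keeps the escaping behaviour noted in comment 2.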
Updated•6 years ago
Component: Extensions: GuidedBugEntry → Extensions
Updated•1 year ago
Keywords: reporter-external