Closed Bug 987940 Opened 11 years ago Closed 11 years ago

arbitrary product name (text) injection in guided workflow

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Production
defect
Not set
trivial

RESOLVED FIXED

People

(Reporter: curtisk, Assigned: glob)

Details

(Keywords: reporter-external)

Date: Tue, 25 Mar 2014 12:11:58 -0400
From: "king haxor" <KingHaxorPHC@hackermail.com>
Subject: bug found in (https://bugzilla.mozilla.org)
To: security@mozilla.org

-----//-----

Hello Mozilla, I found a bug in https://bugzilla.mozilla.org. Following are the proof and explanation of the bug:

OS: Windows 7
Browser: Mozilla Firefox
Bug Type: HTML INJECTION
Time & Date: 5:00 pm & 25-3-2014

Explanation of Bug:

When we open https://bugzilla.mozilla.org and we sign up here, when we log in here and we click on the NEW tab as this image shows => http://prntscr.com/3409x1 then we click on the Firefox tab as this image shows => http://prntscr.com/340abn and the URL looks like this => https://bugzilla.mozilla.org/enter_bug.cgi#h=dupes|Firefox+OS

If we look at the end of the URL we see Firefox+OS. Now when we try to remove this Firefox+OS from the URL and try to put our own words, as I put "bug is here" in the URL, the site looks like this => https://bugzilla.mozilla.org/enter_bug.cgi#h=dupes|bug+is+here

Now when I put this address in the URL and press enter, the page looks like that: the words which I put in the URL, "bug is here", are shown on the page too, as the image shows => http://prntscr.com/340brg

So I think this is the bug called HTML INJECTION, and I am so excited to be listed in the HOF of Mozilla.
dveditz reproduced this and we've decided explicitly not to make this a hidden bug as we don't think it's a security issue as this is just text. This only happens with the guided workflow instance of a new users not using persona
"not" using persona? One of my persona-logged-in accounts was able to reproduce. Couldn't figure out how to turn on the guided new-bug flow for my main account (is it tied to canconfirm or editbugs?) but that's the default flow for most accounts. Any html appears to be correctly escaped, but the product name can be arbitrary text. Could someone come up with something usefully spoofy to say there? Something embarrassing?
Component: Bugzilla Tweaks → Extensions: GuidedBugEntry
Flags: sec-bounty-
Summary: html injection in guided workflow → arbitrary product name (text) injection in guided workflow
(In reply to Curtis Koenig [:curtisk] from comment #1)
> This only happens with the guided workflow instance of a new users not using
> persona

this is not correct -- the guided bug entry form is used by default for any user that does not have canconfirm rights. there's no functional difference between "persona" and password backed accounts.
Severity: normal → trivial
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   f8a258d..b9793ff  4.2 -> 4.2

- redirects you back to the start if we get passed an invalid product name.
Assignee: nobody → glob
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Component: Extensions: GuidedBugEntry → Extensions
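
The fix recorded in the push comment above sends the user back to the start when the fragment carries an invalid product name. A sketch of that kind of check, as an added example that is not the GuidedBugEntry extension's code: it assumes the `#h=<step>|<product>` fragment layout seen in the reported URLs, and the product list, the `product` start step and all function names are constructed for illustration.

```javascript
// Added example: allowlist check for the guided-workflow URL fragment.
// Assumed fragment layout "#h=<step>|<product>", taken from the reported URLs.
// KNOWN_PRODUCTS, the "product" start step and all function names are constructed;
// a real page would get the product list from the server.
const KNOWN_PRODUCTS = new Set(["Firefox", "Firefox OS", "Thunderbird"]);
const KNOWN_STEPS = new Set(["product", "dupes"]);
const START = Object.freeze({ step: "product", product: null });

// Parse the fragment; any value that fails validation yields the start state.
function parseGuidedHash(hash) {
  const m = /^#h=([^|]*)(?:\|(.*))?$/.exec(hash || "");
  if (!m) return START;
  let step, product;
  try {
    step = decodeURIComponent(m[1]);
    // "+" stands for a space in these URLs ("Firefox+OS").
    product = m[2] ? decodeURIComponent(m[2].replace(/\+/g, " ")) : null;
  } catch (e) {
    return START; // malformed percent-encoding
  }
  if (!KNOWN_STEPS.has(step)) return START;
  // Every step after the first needs a product that is on the allowlist.
  if (step !== "product" && !KNOWN_PRODUCTS.has(product)) return START;
  return { step, product: step === "product" ? null : product };
}

// Serialise a validated state back into a fragment.
function toHash(state) {
  const p = state.product === null
    ? ""
    : encodeURIComponent(state.product).replace(/%20/g, "+");
  return "#h=" + state.step + "|" + p;
}

// Decide where the page should be: the requested fragment or the start.
function route(hash) {
  const state = parseGuidedHash(hash);
  const target = toHash(state);
  return { state, target, redirected: target !== hash };
}
```

Because the product is matched against a fixed set before anything is displayed, free text such as `bug+is+here` never reaches the page, independently of HTML escaping.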