Closed
Bug 1251731
Opened 8 years ago
Closed 8 years ago
XSS vulnerability through malicious attachment names
Categories
(bugzilla.mozilla.org :: Splinter, defect)
RESOLVED
FIXED
People
(Reporter: jwkbugzilla, Assigned: dkl)
Details
(Keywords: sec-critical, wsec-xss)
Attachments
(1 file, 1 obsolete file)
9.62 KB, patch | dylan: review+
Steps to reproduce:
1. Create a draft review under https://bugzilla-dev.allizom.org/page.cgi?id=splinter.html&bug=1154241&attachment=8591766
2. Go to https://bugzilla-dev.allizom.org/page.cgi?id=splinter.html

You will see an alert message saying "xss". The issue is caused by this line:
https://github.com/mozilla/webtools-bmo-bugzilla/blob/1f1f0d3276bef3844e8d381ba8277585c671466e/extensions/Splinter/web/splinter.js#L2531
It will assign the name of the attachment to innerHTML without any escaping.
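The pattern the report describes (an attachment name reaching innerHTML unescaped) next to two safer forms, as an added example that is not part of the original report, of splinter.js, or of the attached patch. All function names and the sample attachment name are constructed for illustration.

```javascript
// Added illustration; names and sample data are constructed, not Splinter's own.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the attachment name is concatenated into markup that a
// caller then assigns to element.innerHTML, so the name is parsed as HTML.
function draftRowUnsafe(attachmentName) {
  return '<td class="attachment-name">' + attachmentName + '</td>';
}

// Hardened: the name is escaped at the point where it enters markup.
function draftRowSafe(attachmentName) {
  return '<td class="attachment-name">' + escapeHtml(attachmentName) + '</td>';
}

// Preferred in the browser: skip markup entirely. textContent never parses
// its value, so no escaping step can be forgotten.
function setAttachmentName(cell, attachmentName) {
  cell.textContent = String(attachmentName);
  return cell;
}

// Crude audit helper: number of element start tags in a markup fragment.
function countStartTags(markup) {
  return (markup.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed attachment name containing markup and attribute quotes.
const sampleName = '<i title="x">draft</i> & notes.patch';

console.log(countStartTags(draftRowUnsafe(sampleName))); // 2: <td> plus the injected <i>
console.log(countStartTags(draftRowSafe(sampleName)));   // 1: only the <td>
```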
Assignee
Updated•8 years ago
Assignee: nobody → dkl
Status: NEW → ASSIGNED
Assignee
Comment 1•8 years ago
Attachment #8724273 - Flags: review?(dylan)
Comment 2•8 years ago
Comment on attachment 8724273
1251731_1.patch

Review of attachment 8724273:
-----------------------------------------------------------------

r=dylan fixes xss, doesn't seem to break splinter horribly.
Attachment #8724273 - Flags: review?(dylan) → review+
Comment 3•8 years ago
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   110b14a..be2d5f9  master -> master
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment 4•8 years ago
Testing this bug on prod
Comment 5•8 years ago
The content of attachment 8724698 has been deleted for the following reason:
just needed to test this bug itself.
Updated•8 years ago
Group: bugzilla-security
Updated•8 years ago
Flags: sec-bounty?
Updated•8 years ago
Flags: sec-bounty? → sec-bounty+
Keywords: sec-critical, wsec-xss