User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Build Identifier:

If bugzilla.mozilla.org runs into an internal error it dumps out a notice to send the requested URL to an admin. This is done using a line of JavaScript:

document.write("<p>URL: " + document.location + "</p>")

Since Internet Explorer and some other browsers do not force proper URL encoding you can easily force an error and inject arbitrary JavaScript code:

https://bugzilla.mozilla.org/attachment.cgi? id=&action=force_internal_error<script>alert(document.cookie)</script>

Bugzilla does not understand the action parameter, raises an internal error and this leads to an XSS. This can be used to steal the session cookie or fake content on the website. Mozilla/Firefox users seem not to be vulnerable since the browser automatically converts < into %3C before sending the request.

Reproducible: Always

Steps to Reproduce:
Just open the link in Internet Explorer or create a page like this:

<script language="javascript" type="text/javascript">
location = 'https://bugzilla.mozilla.org/attachment.cgi? id=&action=force_internal_error<script>alert(document.cookie)<\/script>'
</script>

-- This is CAN-2004-1061
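As an added example, not code from the original report or from Bugzilla: the raw document.write pattern described above next to a hardened version that HTML-escapes the URL before it is written. The helper names and the constructed URL are assumptions.

```javascript
// The pattern from the report, as a pure function: the URL is concatenated raw,
// so a "<" that the browser left unencoded becomes markup in the error page.
function vulnerableNotice(url) {
  return "<p>URL: " + url + "</p>";
}

// Escape every character that can open a tag, close an attribute or start an entity.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened variant: once escaped, the URL is inert text inside the <p>.
function safeNotice(url) {
  return "<p>URL: " + escapeHtml(url) + "</p>";
}

// Simple detection check for the demo: is there an unescaped <script ...> tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed request URL (hypothetical host) modelled on the report: a browser
// that does not percent-encode "<" sends it verbatim, so it reaches the page.
const CONSTRUCTED_URL =
  "https://bugzilla.example/attachment.cgi?id=&action=force_internal_error<script>alert(1)</script>";

// In a real browser the cleaner fix avoids string-built markup altogether:
//   const p = document.createElement("p");
//   p.textContent = "URL: " + document.location;
//   document.body.appendChild(p);
```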
web-apps please verify and advise.
I can confirm: shitty browsers are vulnerable to this. Reproduced on www-apps/bugzilla-2.18.0_rc2. web-apps: Please bump Bugzilla with the following patch.
Created attachment 48180: CAN-2004-1061.diff. Patch from Bugzilla bug
I'm out of town, and can't pick this up until the weekend at the earliest, sorry. If anyone else wants to pick this up before then, be my guest. Best regards, Stu
Stuart: the weekend will be fine :)
Committed to Portage. Best regards, Stu
Thx Stuart. ppc please test and mark bugzilla-2.18.0_rc4 stable.
GLSA vote: I wouldn't issue an advisory about it since you have to still use Internet Explorer to be vulnerable. So NO.
a) most people use Internet Explorer b) a vulnerable version was stable on at least one arch (ppc) c) if we fix a security hole, we should put out an advisory. No exceptions ;-) Best regards, Stu
Stuart, we release according to our Vulnerability Policy http://www.gentoo.org/security/en/vulnerability-policy.xml For vulnerabilities rated B4 a vote is normally called on whether to issue a GLSA.
btw, now ppc is safe
Security, please vote
I tend to vote for no GLSA on this one. Security please cast your vote.
I agree with jaervosz
And I agree with SeJo. Stupid bugs requiring stupid browsers and a stupid user should not be worth a GLSA.