bugzilla - cross site scripting
Posted Jan 9, 2003 9:44 UTC (Thu) by gerv (subscriber, #3376)
Parent article: bugzilla - cross site scripting
Debian rewrote the original Bugzilla advisory so it is now seriously misleading. The sentence "Bugzilla does not properly sanitize any input submitted by users." is absolutely not correct. Bugzilla takes great care to sanitise user input. A better sentence might be:
"For a period up to two years ago, Bugzilla did not properly sanitize quips submitted by users."
At the time, this was a feature, not a bug, but the use of HTML in quips had to be restricted due to abuse. However, we didn't write code to clean up any quips already in the database. So, if you get hit with a cross-site scripting attack, then the malicious party must have added it to your Bugzilla two years ago.
The chance of this vulnerability actually affecting anyone is minuscule.
Gerv
(Bugzilla developer)
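The gap the comment describes, input restricted going forward while rows already stored were never cleaned, can be checked for by auditing the stored quips directly. The following is an added example, not Bugzilla's own code or part of the original comment; the `(id, text)` row shape, the sample quips and the function names are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample rows standing in for legacy quips. The (id, text) shape
# is an assumption for this example, not Bugzilla's actual schema.
SAMPLE_QUIPS = [
    (1, "Bugs are features nobody asked for."),
    (2, "I <b>love</b> triage"),
    (3, "<script>alert(1)</script>"),
    (4, '<a href="javascript:void(0)">click</a>'),
    (5, "if a < b then swap"),
    (6, '<img src="x.png" onload="track()">'),
]

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "style", "link", "meta", "form"}

class MarkupFinder(HTMLParser):
    """Records every start tag and flags constructs that can run script."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.active = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag in ACTIVE_TAGS:
            self.active = True
        for name, value in attrs:
            value = (value or "").strip().lower()
            # Event-handler attributes and script-bearing URL schemes.
            if name.startswith("on") or value.startswith(("javascript:", "data:")):
                self.active = True

def classify(text):
    """Return 'clean', 'markup' (inert tags only) or 'active'."""
    finder = MarkupFinder()
    finder.feed(text)
    finder.close()
    if finder.active:
        return "active"
    return "markup" if finder.tags else "clean"

def audit(quips):
    """Return (id, verdict, escaped_text) for each stored quip containing markup."""
    rows = [(qid, classify(text), html.escape(text)) for qid, text in quips]
    return [row for row in rows if row[1] != "clean"]

if __name__ == "__main__":
    for qid, verdict, escaped in audit(SAMPLE_QUIPS):
        print(f"{qid}\t{verdict}\t{escaped}")
```

The classification is a triage heuristic for reviewing old rows; escaping every quip when it is rendered, as the third column does, is what removes the dependency on the stored data being clean.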