AntiSpam extension uses the EditTable extension for its configuration. The latter doesn't use any CSRF tokens however so that anybody can trick Bugzilla admins into changing configuration. The actual attack would most likely work by luring Bugzilla admins on a page containing the following code: > <img src="https://bugzilla-dev.allizom.org/page.cgi?id=edit_table.html&table=antispam_domain_blocklist&table_data={%22data%22:[[%22-%22,%22%3C/script%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E%22,%22%22]]}"> This particular link will add a new entry to the domain blocklist - invisibly, in the background. It could just as easily missed with block IP ranges or remove all table entries by sending a list like [[-1],[-2],[-3],...] to remove entries with ID 1, 2, 3 etc. What's even worse, this page is vulnerable to XSS, something that the URL above illustrates. The table data will be inserted as JSON into a script without further validation, if it contains something like "</script></script>alert(/xss/)</script>" that code will execute for anybody who opens the page later - persistent XSS vulnerability.

Taking this since it is my watch day.

No more inline json, and CSRF tokens.

Comment on attachment 8724962 [details] [diff] [review] 1252210_1.patch Review of attachment 8724962 [details] [diff] [review]: ----------------------------------------------------------------- r=dkl

To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git e5b9aa6..085c24c master -> master