Closed
Bug 38852
Opened 25 years ago
Closed 23 years ago
[meta] untrusted content being sent or echoed to bugzilla users
Categories
(Bugzilla :: Bugzilla-General, defect, P3)
RESOLVED
FIXED
Bugzilla 2.14
People
(Reporter: jruderman, Assigned: tara)
Details
(Keywords: meta, Whiteboard: security)
This will be the meta bug for security issues that arise from Bugzilla allowing
untrusted content to come from bugzilla.mozilla.org. See
http://www.cert.org/advisories/CA-2000-02.html for information on the general
problem.
Incidentally, Slashdot reported today that there is a worm floating around that
exploits this problem on web-based e-mail sites that show .html attachments as
text/html. http://slashdot.org/article.pl?sid=00/05/10/1541244&mode=thread
Reporter
Comment 1•25 years ago
adding some dependencies
Comment 2•25 years ago
What about http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan ? Is
this the same as bug #26257?
Reporter
Comment 3•24 years ago
Comment 4•24 years ago
Bumping severity up to critical.
tara, please fix this bug (including all dependent bugs) ASAP. This bug is an
ideal way to exploit Mozilla's security holes.
Severity: normal → critical
Comment 7•24 years ago
cyeh: ??
Updated•24 years ago
Summary: [meta] bugzila security: issues with untrusted content → [meta] bugzilla security: issues with untrusted content
Whiteboard: security
Reporter
Updated•24 years ago
No longer depends on: 21253
Summary: [meta] bugzilla security: issues with untrusted content → [meta] untrusted content being sent or echoed to bugzilla users
Comment 9•24 years ago
Jesse, I just re-added bug #21253 because I thought it was accidentally removed
due to the midair dependency bug, but someone pointed out that this might not be
the case ... if so just remove it again. It's probably good practice to add a
comment if you remove a dep someone else added.
Comment 10•23 years ago
Every remaining bug being tracked here is targeted at 2.14, so this should, too.
Target Milestone: --- → Bugzilla 2.14
Reporter
Comment 11•23 years ago
Note that some of these bugs might allow an attacker to view
Netscape-confidential bugs. See my comments in bug 66091.
Comment 12•23 years ago
Should this also depend on bug #95235?
Comment 13•23 years ago
Since all dependencies are resolved, the tracking bug is resolved.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 14•23 years ago
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa