Why did we use this phrase?

Gervase Markham gerv at mozilla.org
Thu Jan 9 09:30:38 UTC 2003


From LWN's "security updates" list:

"A cross site scripting vulnerability has been reported for Bugzilla, a 
web-based bug tracking system. Bugzilla does not properly sanitize any 
input submitted by users. As a result, it is possible for a remote 
attacker to create a malicious link containing script code which will be 
executed in the browser of a legitimate user, in the context of the 
website running Bugzilla. This issue may be exploited to steal 
cookie-based authentication credentials from legitimate users of the 
website running the vulnerable software."

Or, for the people who only read the first two sentences:

"A cross site scripting vulnerability has been reported for Bugzilla, a 
web-based bug tracking system. Bugzilla does not properly sanitize any 
input submitted by users. ..."

Why did we use that second sentence in our advisory? Taken at its 
obvious meaning, it's totally untrue, and it makes us look like clueless 
idiots who don't know the first thing about web app security.

A better sentence might have been "Up until two years ago, Bugzilla did 
not properly sanitize quips submitted by users."

Gerv



