Why did we use this phrase?
Gervase Markham
gerv at mozilla.org
Thu Jan 9 09:30:38 UTC 2003

From LWN's "security updates" list:

"A cross site scripting vulnerability has been reported for Bugzilla, a
web-based bug tracking system. Bugzilla does not properly sanitize any
input submitted by users. As a result, it is possible for a remote
attacker to create a malicious link containing script code which will be
executed in the browser of a legitimate user, in the context of the
website running Bugzilla. This issue may be exploited to steal
cookie-based authentication credentials from legitimate users of the
website running the vulnerable software."

Or, for the people who only read the first two sentences:

"A cross site scripting vulnerability has been reported for Bugzilla, a
web-based bug tracking system. Bugzilla does not properly sanitize any
input submitted by users. ..."

Why did we use that second sentence in our advisory? Taken at its
obvious meaning, it's totally untrue, and it makes us look like clueless
idiots who don't know the first thing about web app security.

A better sentence might have been "Up until two years ago, Bugzilla did
not properly sanitize quips submitted by users."

Gerv