Need some more information about the #272620 bug

David Miller justdave at
Fri Jan 7 17:22:47 UTC 2005

Alexis Sukrieh wrote:

> I've already try to exploit our Bugzilla version with submiting values
> such as '<script>alert(1)</script>' in many forms and, hopefully,
> everytime, Bugzilla said that the variable is not valid.

The bug is not exploitable unless you're using Internet Explorer or 
Konqueror as the browser (maybe others, but those are the only two we 
tested that we could duplicate it in).  If you're using most other 
browsers, the browser will prevent the unescaped URL from being used.

> We actually provide the 2.16.7 release.

I notice Debian Stable still lists version 2.14.2.  A quick examination 
shows the content of the package is actually version 2.14.5, and the 
version number wasn't bumped (all of the patches from the 2.14 branch 
since 2.14.2 were applied by the diff.gz file as "backported patches" 
except those were the only changes between those versions anyway).

Version 2.14.x is NOT vulnerable to this particular issue.  The 
javascript in question was added somewhere during the 2.15 development 
cycle.  However, there have been several security issues since then that 
have not been fixed in the 2.14 branch (because upstream support for it 
was dropped two years ago), nor do I see patches for them included in 
the existing Debian package, so the package in Woody shouldn't be 
considered safe.

Dave Miller                         
System Administrator, Mozilla Foundation
Project Leader, Bugzilla Bug Tracking System

More information about the developers mailing list