Need some more information about the #272620 bug
David Miller
justdave at bugzilla.org
Fri Jan 7 17:22:47 UTC 2005

Alexis Sukrieh wrote:
> I've already tried to exploit our Bugzilla version with submitting values
> such as '<script>alert(1)</script>' in many forms and, hopefully,
> every time, Bugzilla said that the variable is not valid.

The bug is not exploitable unless you're using Internet Explorer or
Konqueror as the browser (maybe others, but those are the only two we
tested that we could duplicate it in). If you're using most other
browsers, the browser will prevent the unescaped URL from being used.

> We actually provide the 2.16.7 release.

I notice Debian Stable still lists version 2.14.2. A quick examination
shows the content of the package is actually version 2.14.5, and the
version number wasn't bumped (all of the patches from the 2.14 branch
since 2.14.2 were applied by the diff.gz file as "backported patches"
except those were the only changes between those versions anyway).

Version 2.14.x is NOT vulnerable to this particular issue. The
JavaScript in question was added somewhere during the 2.15 development
cycle. However, there have been several security issues since then that
have not been fixed in the 2.14 branch (because upstream support for it
was dropped two years ago), nor do I see patches for them included in
the existing Debian package, so the package in Woody shouldn't be
considered safe.
--
Dave Miller http://www.justdave.net/
System Administrator, Mozilla Foundation http://www.mozilla.org/
Project Leader, Bugzilla Bug Tracking System http://www.bugzilla.org/