| Summary: | Found xss on bugs.eclipse.org/bugs | ||
|---|---|---|---|
| Product: | Community | Reporter: | sid sol <thesiddharthsolanki> |
| Component: | Bugzilla | Assignee: | Eclipse Webmaster <webmaster> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | ||
| Priority: | P3 | CC: | thatnitind, wayne.beaton |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | Windows 7 | ||
| Whiteboard: | |||
|
Description
sid sol

Moving to Bugzilla component and marking as "committer-only" to avoid widespread dissemination until after we've resolved the issue. This was recently "fixed" by Mozilla last week. https://bugzilla.mozilla.org/show_bug.cgi?id=842038 But thanks to the Bugzilla's (IMO, absurd) policy of opening security bugs to the world the minute they have a patch, well, that leaves us vulnerable.

(In reply to comment #2)
> This was recently "fixed" by Mozilla last week.

I don't know why you quoted "fixed". It's fixed. Period.

> But thanks to the Bugzilla's (IMO, absurd) policy of opening security bugs
> to the world the minute they have a patch, well, that leaves us vulnerable.

I don't know how well you speak Perl, but it wouldn't take very long for a hacker to understand what the patch is about simply by reading it. Security by obscurity is a weak way to protect yourself. If you expected to stay "secure" simply by not disclosing the vulnerability, then you lose for sure.

> Security by obscurity is a weak way to protect yourself. If you expected to stay
> "secure" simply by not disclosing the vulnerability, then you lose for sure.

But you've also disclosed the exploit. That is the point you can't seem to comprehend.

I have absolutely no desire to discuss this with you further. I've expressed my opinion clearly here and in the Mozilla bug, and I've offered what I consider to be constructive criticis

For everyone else, I will upgrade Bugzilla tomorrow.

Bugzilla is running 4.2.5 now.