Closed Bug 1094540 Opened 10 years ago Closed 10 years ago

stored cross site scripting in bugzilla

Categories

(Bugzilla :: Attachments & Requests, defect)

Product:
Bugzilla
Component:
Attachments & Requests
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 38862

People

(Reporter: nigawtester, Unassigned)

Details

Attachments

(2 files)

xss_PAYLOAD_HTML.html
(deleted), text/html
Details
xss_PAYLOAD_XML_redirect_yahoo.xml
(deleted), text/xml
Details
Attached file xss_PAYLOAD_HTML.html (deleted) —
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0 Build ID: 20141013195847 Steps to reproduce: It is possible to open a new bug on bugzilla and add attachments html and xml with malicious javascript code in it. I don't know if this issue has been already reported. Actual results: You can redirect the user which opens the attachment to a different site, probably steal his session cookie as well [not tested]. Expected results: malicious files should be showed as plain text no matter what no? :)
Attached file xss_PAYLOAD_XML_redirect_yahoo.xml (deleted) —
this file will redirect the user to yahoo.com
Assignee: rginda → attach-and-request
Group: core-security → bugzilla-security
Component: ChatZilla → Attachments & Requests
Product: Other Applications → Bugzilla
QA Contact: default-qa
as bugzilla.mozilla.org is used to track browser development, it would be high detrimental to productivity if we always rendered attachments as text/plain. instead we serve attachments from a different subdomain; they don't have access to bugzilla's cookies.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: