Closed
Bug 1356019
Opened 8 years ago
Closed 8 years ago
Stored XSS on upload attachment in https://bugzilla.mozilla.org
Categories: Websites :: Other, defect
Tracking: Not tracked
People: Reporter: testbr09, Unassigned
Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Attachments: 1 file (deleted), image/svg+xml
Hi team,
I noticed that a stored XSS is possible using an SVG file loaded as an attachment to a report at https://bugzilla.mozilla.org.
POC
1. Access this report https://bugzilla.mozilla.org/show_bug.cgi?id=1112613 > find 'attachment 8857673 [details]' > click on name > click on image > XSS triggered
Flags: sec-bounty?
Comment 2•8 years ago
Tester: Thanks for your report, but this behavior is by design and desirable. You'll note that the attachment domain used for attachments is variable to prevent abuse of the bugzilla.mozilla.org domain (Example: https://bug1356019.bmoattachments.org/...).
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Right. But despite the no-change, XSS is possible for any member who has access to, for example, this report. It only takes a low interaction to execute. Is this actually considered by design?
Comment 4•8 years ago
Tester: Yes, for BMO, the expectation is that a user can upload HTML content (including script tags) and that upon visiting that content it would be interpreted by the browser, but the execution origin/domain will be something like bug1356019.bmoattachments.org rather than bugzilla.mozilla.org. This is a pretty heavily discussed topic with multiple reports, most of which are dup'd against bug 38862. Let me know if you have additional perspective here that hasn't already been covered in the linked bug or its dup'd dependents.
Updated•8 years ago
Resolution: WONTFIX → DUPLICATE
Updated•8 years ago
Group: websites-security
Updated•8 years ago
Flags: sec-bounty? → sec-bounty-
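The origin separation described in comments 2 and 4, as an added example that is not part of the original thread and is not Bugzilla code: it reports whether script in an attachment document shares an origin with the application or would receive its cookies. The cookie names, the mozilla.org-wide cookie, and the two weaker attachment URLs are constructed assumptions; only the bugNNN.bmoattachments.org host pattern comes from the thread.

```javascript
// Added example, not Bugzilla code. Cookies below are constructed samples.
const APP_URL = "https://bugzilla.mozilla.org/show_bug.cgi?id=1356019";
const APP_COOKIES = [
  { name: "session_example", domain: "bugzilla.mozilla.org", hostOnly: true },
  { name: "wide_example", domain: "mozilla.org", hostOnly: false }, // hypothetical
];

// Browsers compare scheme + host + port when deciding same-origin access.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// RFC 6265 domain-match: a cookie with a Domain attribute is sent to the
// named domain and to every subdomain of it.
function cookieDomainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// What does a document served from attachmentUrl share with the application?
function isolationReport(appUrl, attachmentUrl, appCookies) {
  const attHost = new URL(attachmentUrl).hostname;
  const cookiesSent = appCookies
    .filter((c) => (c.hostOnly ? attHost === c.domain
                               : cookieDomainMatches(attHost, c.domain)))
    .map((c) => c.name);
  const shared = sameOrigin(appUrl, attachmentUrl);
  return { sameOrigin: shared, cookiesSent,
           isolated: !shared && cookiesSent.length === 0 };
}

const CANDIDATES = [
  "https://bugzilla.mozilla.org/example-attachment",             // same host (constructed)
  "https://attachments.bugzilla.mozilla.org/example-attachment", // subdomain (constructed)
  "https://bug1356019.bmoattachments.org/",                      // host from comment 2
];
for (const url of CANDIDATES) {
  console.log(url, JSON.stringify(isolationReport(APP_URL, url, APP_COOKIES)));
}
// Per-bug hosts also separate one bug's attachments from another's
// (second host constructed from the same pattern).
console.log(sameOrigin("https://bug1356019.bmoattachments.org/",
                       "https://bug1112613.bmoattachments.org/"));
```

Only the separate per-bug domain comes out isolated: the same-host case shares the origin outright, and the subdomain case still receives any cookie scoped to a parent domain.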