Closed Bug 1595640 Opened 5 years ago Closed 5 years ago

Stored XSS due to crafted SVG file

Categories

(Bugzilla :: Bugzilla-General, defect)

RESOLVED DUPLICATE of bug 38862

People

(Reporter: sunilmbhamare, Unassigned)

Attachments

(6 files)

Attached image SVG_LOAD.JPG (deleted)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36

Steps to reproduce:

Stored XSS using an SVG file

Log in to Bugzilla:
1) Go to bug..
2) Go to Show Attached Images.
https://bugzilla.mozilla.org/attachment.cgi?id=9107901&action=edit

3)Click on View with svg image id 9107901

Second XSS:-
Replace the edit parameter with t=F6qKq3qWf3AeaxvCfBxjMJ

https://bugzilla.mozilla.org/attachment.cgi?id=9107901&action=edit

https://bugzilla.mozilla.org/attachment.cgi?id=9107901&t=F6qKq3qWf3AeaxvCfBxjMJ

Actual results:

The file should be opened without executing a script.

Expected results:

Successfully executed stored XSS with SVG file.

Attached image Click_domain.JPG (deleted)
Attached image svgxss.svg (deleted)
Attached image svgxss_2.svg (deleted)
Attached image svgxss_2.svg (deleted)
Attached image svgxss_2.svg (deleted)
Blocks: 1595827

Thanks for your report, but this behavior is by design and desirable. You'll note that the attachment domain used for attachments is variable to prevent abuse of the bugzilla.mozilla.org domain.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Group: bugzilla-security
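
The resolution above rests on origin isolation: a script inside an uploaded SVG runs in the origin of the host that served it, not in the origin of the tracker itself. The following is an added example, not part of the bug thread and not Bugzilla's own code; it audits whether an attachment URL is actually isolated from the main site. The host names, the `%bugid%` template and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed values for illustration; the page only says the attachment domain is "variable".
MAIN_BASE = "https://bugzilla.example.org/"
ATTACHMENT_BASE_TEMPLATE = "https://bug-%bugid%.attachments.example.net/"


def origin(url):
    """Return the (scheme, host, port) tuple browsers compare for same-origin checks."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def attachment_url(bug_id, attach_id):
    """Build the per-bug attachment URL from the hypothetical template."""
    base = ATTACHMENT_BASE_TEMPLATE.replace("%bugid%", str(int(bug_id)))
    return f"{base}attachment.cgi?id={int(attach_id)}"


def audit(main_base, attach_url):
    """List the reasons an attachment URL fails to isolate untrusted content."""
    problems = []
    main, att = origin(main_base), origin(attach_url)
    if att == main:
        problems.append("same origin as the main site: script in the file "
                        "runs with the logged-in user's session")
    elif att[1] == main[1] or att[1].endswith("." + main[1]):
        # Cookies ignore port and can be scoped to a parent domain.
        problems.append("host is the main host or a subdomain of it: "
                        "domain-scoped cookies are still sent")
    if att[0] != "https":
        problems.append("served without TLS: content can be modified in transit")
    return problems


if __name__ == "__main__":
    candidates = [
        MAIN_BASE + "attachment.cgi?id=1",                        # constructed
        "https://files.bugzilla.example.org/attachment.cgi?id=1",  # constructed
        attachment_url(100, 1),
    ]
    for url in candidates:
        print(url, "->", audit(MAIN_BASE, url) or "isolated")
```

A separate host per bug also keeps a script in one bug's attachment from reading attachments that belong to another bug.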