User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 Build ID: 20120306064154 Steps to reproduce: Hello again. Actual results: I found interesting thing in Attachment ID. http://bug17583.1zxl51jv7q3c.demo.bugzilla.org/attachment.cgi?id=2344 Yes, i create html file and allow option delete Attachment + add xss code in Description. Video: http://www.youtube.com/watch?v=Xqez9C2bqyE If it's a new bug (not a duplicate), say me and i need some times for understand how this happened. I try and try made with attachment and..yes, it's work) but need some time for analysis. sorry my poor english. Expected results: What you want.. + we can upload files in format (exe,msi or what you want, but it's little problem or not a problem).

I'm sorry, but I don't understand... I'm looking at https://1zxl51jv7q3c.demo.bugzilla.org/attachment.cgi?id=2344&action=delete, and I don't see any XSS. If I click the attachment ID, I get the raw attachment, yes... Where exactly is the XSS besides the attachment itself (which is served from another domain, so same-origin policy prevents stealing of cookies...

Yes. Now i understand) Funny. But..it's maybe dangerous for users. And about domain, http://i49.tinypic.com/2vcb195.jpg why other domain? We can see open (for all users, don't need login and password for see this) html attachments with xss code, we can put what we want, invisible xss code, code with download file with fake page, or other what you want, it's really dangerous. Yes, maybe some admins (if give link for him) who use bugzilla maybe say "wtf, it's xss or fake), but not all admins.

some fake demo. http://bug17586.1zxl51jv7q3c.demo.bugzilla.org/attachment.cgi?id=2350

And ..i search on all bugs on bugzilla.org and we can see : example: https://bugzilla.mozilla.org/attachment.cgi?id=563030 (.exe) It's maybe dangerous for users.(There are many situations where we can use it) We can see the file without using the username and password. If you can't prohibit file types like *.exe or *.html or others, because they are needed in bugzilla, perhaps you should restrict their download only to logged in users, so anonymous users can't see them. This could increase security.

There is a parameter to prevent attachments from being displayed in the browser and another one to serve attachments from a separate domain to prevent XSS. This is long and old story, see bug 38862.