Closed Bug 821106 Opened 12 years ago Closed 12 years ago

hijacking(xss vulnerability), domain and host privilege

Categories

(bugzilla.mozilla.org :: General, defect)

Development
defect
Not set
normal


RESOLVED DUPLICATE of bug 38862

People

(Reporter: simonjohnathan, Unassigned)

Details

Attached file (deleted)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Steps to reproduce:
*testing* Uploaded a malicious pdf file.

Actual results:
it ran

Expected results:
nothing
Poc: http://gyazo.com/e72d17021bbcf6e8b2772a60879bc737 click on the pdf attachment. Regards, Johnathan
Attachments are hosted on a different domain from bugzilla.mozilla.org, which means you can't perform an XSS attack on Bugzilla credentials. Also see bug 411209.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Unhiding as the duplicate is unhidden
Group: bugzilla-security
Re-hiding at request of reporter
Group: bugzilla-security
Un-hiding again; user thought hiding made the bug go away, but it is resolved
Group: bugzilla-security