Received: by 10.66.41.17 with HTTP; Thu, 30 May 2013 06:29:56 -0700 (PDT) Date: Thu, 30 May 2013 18:59:56 +0530 Subject: Stored XSS in bugzilla From: Siddhesh Gawde <coolsiddheshgawade@gmail.com> To: Mozilla Security <security@mozilla.org> -----//----- Hello , I have found an Stored xss on bugzilla subdomain. Poc: Make an account-->File a bug-->Upload an HTML file containing the following vector <script>alert(document.domain)</script> <script>alert(1)</script> And submit the bug. When any person will click on the attachment to check the poc or pic ,XSS will occur. Eg: http://attach.landfill.bugzilla.org/bugzilla-4.4-branch/attachment.cgi?id=2831

Also the above link works even if you are not signed into your account ,it dosent show account error of authentication. So this can be used to spread malicious files also like .exe .php etc.

please search for duplicates before filing bugs, this has been reported many times.

<sigh> This is a dupe. Perhaps we should put a document up explaining our position on this? It seems like this gets "discovered" about every 2 weeks... Gerv