Closed Bug 1235570 Opened 8 years ago Closed 8 years ago

Stored Xss - Cross Site Scripting via xml script upload.

Categories

(Bugzilla :: Attachments & Requests, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 38862

People

(Reporter: darkreflection, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20151223140742

Steps to reproduce:

Hi Mozilla,

I found an XSS issue in your filezilla bug report system by uploading a .xml file. Here are the vulnerability details.

Vulnerability Type: XSS - Cross Site Scripting (Stored)

Vulnerability Location: https://bugzilla.mozilla.org/attachment.cgi?id=8701536&action=edit (it will also affect unauthenticated users).

As you can see, by inserting the XSS in an XML file, the XSS is prompted in the file editor page, while it doesn't happen when uploading a .html document.

Uploaded HTML document URL: https://bugzilla.mozilla.org/attachment.cgi?id=8701537&action=edit. As you can see, here the HTML code is shown as text.


Vulnerable inputs: bugzilla.mozzilla.org file preview

Steps to reproduce the vulnerability:


1 - Register a new account or log in to your Bugzilla account.

2 - Submit a new bug to Bugzilla and attach the XML file.

3 - Once the bug report is sent, just press on it. Now go to the attachments part and press on Details to see the attachment details.

4 - The XSS will be triggered; this can also be exploited against Bugzilla staff or any other users.

I'll leave you the XML file I used to test this XSS vulnerability in the email attachments, but I'll also post the XML code here.


XML file content:

---------------------------------------------------

<?xml version="1.0"?>
<foo>
<html xmlns:html='http://www.w3.org/1999/xhtml'>
<html:script>prompt('MindfreakS');</html:script>
</html>
</foo>

---------------------------------------------------



Impact: An attacker could exploit this by sending this XSS to victims, but it's also exploitable in another way. Imagine this attack scenario.

An attacker uploads a .xml plugin on the https://addons.mozilla.org/ domain and the plugin gets installed by many people. Now imagine that the
attacker (plugin maker) decides to insert this XML code into his original plugin and set it as a plugin update. In this way the attacker will be able
to XSS every user that installed his plugin. Can this be considered a new XSS vector, or was it already known? If yes, it should be fixed in the next Firefox releases.

Let me know if this is eligible for your bug bounty program. Best Regards,

Roberto.


Actual results:

The XSS is triggered from the bug preview.


Expected results:

XSS shouldn't be loaded.
Assignee: nobody → attach-and-request
Group: client-services-security → bugzilla-security
Component: Add-on Security → Attachments & Requests
Product: addons.mozilla.org → Bugzilla
QA Contact: default-qa
The XML file is displayed from a separate host, so it cannot steal sensitive information from Bugzilla.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
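Added example, not Bugzilla's own code: a small Python check a tracker could run on an uploaded XML attachment, flagging XHTML- or SVG-namespaced script elements, event-handler attributes and javascript: URLs such as the payload in this report, and serving flagged files as text/plain instead of inline XML. The namespace list, the element names and the text/plain fallback are assumptions; the mitigation Bugzilla actually relies on, per the comment above, is serving attachments from a separate host.

```python
import xml.etree.ElementTree as ET  # use defusedxml on untrusted input in production

XHTML_NS = "http://www.w3.org/1999/xhtml"
SVG_NS = "http://www.w3.org/2000/svg"
ACTIVE_LOCAL_NAMES = {"script", "iframe", "object", "embed"}  # assumed list


def split_qname(tag):
    """Split an ElementTree tag such as '{ns}local' into (ns, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def find_active_content(xml_bytes):
    """Return reasons the document could run script if a browser renders it inline."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    reasons = []
    for elem in root.iter():
        ns, local = split_qname(elem.tag)
        # A <script> in the XHTML or SVG namespace executes even under a foreign root like <foo>
        if ns in (XHTML_NS, SVG_NS) and local.lower() in ACTIVE_LOCAL_NAMES:
            reasons.append(f"<{local}> element in namespace {ns}")
        for attr, value in elem.attrib.items():
            _, attr_local = split_qname(attr)
            attr_local = attr_local.lower()
            if attr_local.startswith("on"):  # onload, onclick, ... (prefix heuristic)
                reasons.append(f"event handler attribute {attr_local} on <{local}>")
            elif attr_local in ("href", "src") and value.strip().lower().startswith("javascript:"):
                reasons.append(f"javascript: URL in {attr_local} on <{local}>")
    return reasons


def content_type_for_attachment(xml_bytes):
    """Serve inline as XML only when nothing active was found; otherwise as plain text."""
    if find_active_content(xml_bytes):
        return "text/plain; charset=utf-8"
    return "application/xml"


# Constructed sample mirroring the payload shape shown in this report
SAMPLE_XML = b"""<?xml version="1.0"?>
<foo>
<html xmlns:html='http://www.w3.org/1999/xhtml'>
<html:script>prompt('MindfreakS');</html:script>
</html>
</foo>"""
```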