bugzilla.mozilla.org is vulnerable to an XSS vulnerability.

RESOLVED DUPLICATE of bug 38862

Status

Product: bugzilla.mozilla.org
Component: General
Reported: 3 years ago
Modified: 3 years ago

People

(Reporter: Hamza Bettache, Unassigned)

Tracking

Version: Development/Staging
Hardware: x86
OS: Windows 7

Details

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
Created attachment 8567106 [details]
poc.jpg

Hello,

-Description:

My name is Hamza Bettache and I'm a web apps security researcher. Today I've found an XSS vulnerability on bugzilla.mozilla.org; I'll demonstrate it on landfill.bugzilla.org, which is the Bugzilla test server.

The vulnerability happens when we inject our payload in an HTML file as an attachment file and, while adding it, change its type to HTML Source (text/html).

-Steps to reproduce the vulnerability:

1- Go to https://landfill.bugzilla.org/bugzilla-tip/enter_bug.cgi and fill in a new bug. In our example I've filed a bug here: https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=26526. Scroll down, click 'Add an attachment' and select our HTML file, which contains the following payload:

 <script>alert("xss found by Hamza Bettache");</script>

 "><svg/onload=prompt(document.domain)>

2- Fill in the file 'Description', because it's required, change the file type to HTML Source (text/html) and then click on submit.

3- We get an attached file:

 https://landfill.bugzilla.org/bugzilla-tip/attachment.cgi?id=3982

 which can be executed for logged-in and logged-out users.

Here's a POC (proof of concept):

https://www.youtube.com/watch?v=gkZ9bXgr8LE&feature=youtu.be

At the end of the report I want to apologize, because I had already tested the bug on bugzilla.mozilla.org before testing it on landfill.bugzilla.org, as I didn't know that there's a testing server. Here's a POC (link):

https://bugzilla.mozilla.org/attachment.cgi?id=8567066

The attached file is a screen capture after executing the bug on both domains.

I hope you'll fix it as soon as possible.

Regards...

Hamza.
(Reporter)

Updated

3 years ago
Group: bugzilla-security
Component: Attachments & Requests → General
Product: Bugzilla → bugzilla.mozilla.org
Version: unspecified → Development/Staging

Comment 1

3 years ago
Quoting from another bug:

As bugzilla.mozilla.org is used to track browser development, it would be highly detrimental to productivity if we always rendered attachments as text/plain.

Instead we serve attachments from a different subdomain; they don't have access to bugzilla's cookies.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 38862
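The reporter's steps above and the reply in comment 1 describe two sides of one design question: what happens when an uploader picks text/html for an attachment, and why rendering it on a separate attachment host makes that acceptable. The following is an added example written for this page (it is not Bugzilla's code): a small model of the attachment-serving decision in both the behaviour the report describes and the isolated form, plus RFC 6265 cookie-domain matching to show when the main origin's session cookie does and does not reach the attachment host. The hostnames, attachment ids, attachment bodies and the cookie records are constructed for the demo and are not from the bug page.

```python
"""Added example, not Bugzilla's code. Models (1) an attachment endpoint
that renders active content only on a dedicated attachment host and
(2) RFC 6265 cookie-domain matching, to show that the isolation in
comment 1 holds only while the session cookie stays host-only.
All hostnames, ids, bodies and cookie records are constructed."""
from dataclasses import dataclass, field

MAIN_HOST = "bugzilla.example.org"                    # assumed main origin
ATTACHMENT_HOST = "attachments.bugzilla.example.org"  # assumed attachment origin

# Content types a browser will execute script from when rendered inline.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}

# Constructed store: attachment id -> (type chosen by the uploader, body)
ATTACHMENTS = {
    3982: ("text/html", b'"><svg/onload=prompt(document.domain)>'),
    3983: ("text/plain", b"[12:00:01] harmless log line\n"),
}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def serve_vulnerable(request_host, att_id):
    """Behaviour the report describes: the uploader's chosen type is sent
    back on whatever host was asked, so HTML runs on the main origin."""
    ctype, body = ATTACHMENTS[att_id]
    return Response(200, {"Content-Type": ctype}, body)


def serve_isolated(request_host, att_id):
    """Hardened policy: active content is rendered only on ATTACHMENT_HOST;
    on MAIN_HOST such requests are redirected there instead."""
    if att_id not in ATTACHMENTS:
        return Response(404)
    ctype, body = ATTACHMENTS[att_id]
    if request_host == ATTACHMENT_HOST:
        # Separate origin: script here cannot read MAIN_HOST's DOM or its
        # host-only cookies, so the stored type can be honoured as-is.
        return Response(200, {"Content-Type": ctype}, body)
    if request_host != MAIN_HOST:
        # Unexpected Host header: refuse rather than guess an origin.
        return Response(404)
    if ctype in ACTIVE_TYPES:
        location = f"https://{ATTACHMENT_HOST}/attachment.cgi?id={att_id}"
        return Response(302, {"Location": location})
    # Passive types may stay on the main origin, but with nosniff so the
    # browser cannot promote text/plain to HTML by content sniffing.
    headers = {"Content-Type": ctype, "X-Content-Type-Options": "nosniff"}
    return Response(200, headers, body)


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: the host equals the cookie domain or is a
    subdomain of it; a leading dot in the Domain attribute is ignored."""
    h = request_host.lower()
    d = cookie_domain.lower().lstrip(".")
    return h == d or h.endswith("." + d)


def cookie_sent_to(request_host, cookie):
    """cookie = {"origin_host": host that set it, "domain": Domain attribute
    or None}. With no Domain attribute the cookie is host-only and goes
    back only to the exact host that set it."""
    if cookie["domain"] is None:
        return request_host.lower() == cookie["origin_host"].lower()
    return domain_matches(request_host, cookie["domain"])


def isolation_holds(cookie):
    """True when ATTACHMENT_HOST never receives the session cookie."""
    return not cookie_sent_to(ATTACHMENT_HOST, cookie)


# Constructed cookie records for the two ways a session cookie may be set.
HOST_ONLY_SESSION = {"origin_host": MAIN_HOST, "domain": None}
# Domain= equal to the main host still matches its subdomains, which
# silently undoes the separate-host isolation.
DOMAIN_SCOPED_SESSION = {"origin_host": MAIN_HOST, "domain": MAIN_HOST}

if __name__ == "__main__":
    print(serve_vulnerable(MAIN_HOST, 3982))
    print(serve_isolated(MAIN_HOST, 3982))
    print(serve_isolated(ATTACHMENT_HOST, 3982))
    print("host-only cookie isolated:", isolation_holds(HOST_ONLY_SESSION))
    print("Domain= cookie isolated:", isolation_holds(DOMAIN_SCOPED_SESSION))
```

The check a practitioner would add when auditing this design is the last one: the separate host only helps if the session cookie is set without a Domain attribute (or with one that does not cover the attachment host), because a Domain attribute naming the main host also matches every subdomain of it. Note also what the model deliberately does not prevent: script running on the attachment host can still redirect the browser anywhere, which is the point made in comment 5 about redirection being part of ordinary JavaScript capability rather than a separate bug.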
(Reporter)

Comment 2

3 years ago
It's not only about cookies; it can be used as an open redirector.
(Reporter)

Comment 3

3 years ago
Isn't an open redirector a valid bug here?
(Reporter)

Updated

3 years ago
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---

Comment 5

3 years ago
Please don't reopen. XSS includes cookies, redirecting and anything else you can do with JavaScript. This bug is the same as bug 1094540, which was also duped to the other bug.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 38862