Closed
Bug 1135069
Opened 10 years ago
Closed 10 years ago
bugzilla.mozzila.org is vulnerable to xss vulenrability.
Categories
(bugzilla.mozilla.org :: General, defect)
Tracking
()
People
(Reporter: alfredgotu, Unassigned)
Details
Attachments
(1 file)
99.90 KB,
image/jpeg
|
Details |
Hello,
-Description:
My name is Hamza Bettache and i'm a web apps security researcher,today i've found an xss vulnerability on bugzilla.mozilla.org ,i'll demonstrate it on landfill.bugzilla.org
wich is the bugzilla test server.
the vulnerability happens when we inject our payload in a html file as an attachement file and while adding it we change its form to Html Source (text/html)
-Steps to reproduce the vulnerability:
1-go to https://landfill.bugzilla.org/bugzilla-tip/enter_bug.cgi and fill in a new bug in our exemple i've filled a bug here :
https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=26526, and go down click on 'Add an attachment' we select our html file wich contains the folowing payload:
<script>alert("xss found by Hamza Bettache");</script>
"><svg/onload=prompt(document.domain)>
we fill in the file 'Description' because it's required and change the file from to Html Source(text/html) and then we click on submit
we get an attached file :
https://landfill.bugzilla.org/bugzilla-tip/attachment.cgi?id=3982
wich can be executed on a logged-in and logged-out users.
here's a POC (proof of concept) :
https://www.youtube.com/watch?v=gkZ9bXgr8LE&feature=youtu.be
in the end of report i want to apologize because i've already tested the bug on bugzilla.mozilla.org before testing it on landfill.bugzilla.org because i didn't know that
there's a testing server,here's a POC (link) :
https://bugzilla.mozilla.org/attachment.cgi?id=8567066
the attached file is a screen capture after executing the bug on the both domains.
i hope you'll fix it as soon as possible.
regards...
Hamza.
Reporter | ||
Updated•10 years ago
|
Group: bugzilla-security
Component: Attachments & Requests → General
Product: Bugzilla → bugzilla.mozilla.org
Version: unspecified → Development/Staging
Comment 1•10 years ago
|
||
Quoting from another bug:
As bugzilla.mozilla.org is used to track browser development, it would be high detrimental to productivity if we always rendered attachments as text/plain.
Instead we serve attachments from a different subdomain; they don't have access to bugzilla's cookies.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Reporter | ||
Comment 2•10 years ago
|
||
it's not only about cookies it can be used a an open redirector
Reporter | ||
Comment 3•10 years ago
|
||
open redirector isn't a valid bug here ?
Reporter | ||
Comment 4•10 years ago
|
||
check the following link :
https://landfill.bugzilla.org/bugzilla-tip/attachment.cgi?id=3984
Reporter | ||
Updated•10 years ago
|
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Comment 5•10 years ago
|
||
Please don't reopen. XSS includes cooked, redirecting and anything else you can do with javascript. This bug is the same as bug 1094540, which was also duped to the other bug.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → DUPLICATE
Comment hidden (off-topic) |
You need to log in
before you can comment on or make changes to this bug.
Description
•