Closed Bug 1135069 Opened 6 years ago Closed 6 years ago

bugzilla.mozilla.org is vulnerable to an XSS vulnerability.

Categories

(bugzilla.mozilla.org :: General, defect)

Development
x86
Windows 7
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 38862

People

(Reporter: alfredgotu, Unassigned)

Details

Attachments

(1 file)

Attached image poc.jpg
Hello,

-Description:

My name is Hamza Bettache and I'm a web apps security researcher. Today I've found an XSS vulnerability on bugzilla.mozilla.org; I'll demonstrate it on landfill.bugzilla.org, which is the Bugzilla test server.


The vulnerability happens when we inject our payload in an HTML file as an attachment file and, while adding it, we change its format to HTML Source (text/html).

-Steps to reproduce the vulnerability:

1- Go to https://landfill.bugzilla.org/bugzilla-tip/enter_bug.cgi and fill in a new bug. In our example I've filled in a bug here:

https://landfill.bugzilla.org/bugzilla-tip/show_bug.cgi?id=26526. Then go down and click on 'Add an attachment'; we select our HTML file, which contains the following payload:

<script>alert("xss found by Hamza Bettache");</script>

"><svg/onload=prompt(document.domain)>

We fill in the file 'Description' because it's required, change the file format to HTML Source (text/html) and then click on Submit.

We get an attached file:

https://landfill.bugzilla.org/bugzilla-tip/attachment.cgi?id=3982

which can be executed for both logged-in and logged-out users.

Here's a POC (proof of concept):

https://www.youtube.com/watch?v=gkZ9bXgr8LE&feature=youtu.be


At the end of this report I want to apologize, because I've already tested the bug on bugzilla.mozilla.org before testing it on landfill.bugzilla.org, as I didn't know that there's a testing server. Here's a POC (link):


https://bugzilla.mozilla.org/attachment.cgi?id=8567066


The attached file is a screen capture after executing the bug on both domains.

I hope you'll fix it as soon as possible.

Regards,

Hamza.
Group: bugzilla-security
Component: Attachments & Requests → General
Product: Bugzilla → bugzilla.mozilla.org
Version: unspecified → Development/Staging
Quoting from another bug:

As bugzilla.mozilla.org is used to track browser development, it would be highly detrimental to productivity if we always rendered attachments as text/plain.

Instead we serve attachments from a different subdomain; they don't have access to bugzilla's cookies.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 38862
It's not only about cookies; it can be used as an open redirector.
Isn't an open redirector a valid bug here?
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Please don't reopen. XSS includes cookies, redirecting and anything else you can do with JavaScript. This bug is the same as bug 1094540, which was also duped to the other bug.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 38862
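As an added illustration of the mitigation quoted above (rendering HTML attachments only from a separate host that never receives the session cookie), not code from Bugzilla itself: the hostnames, the %bugid% base URL pattern, the bug and attachment ids reused from the report, and all function names are assumptions of this example.

```python
"""Origin isolation for rendered attachments (illustrative, not Bugzilla code).

An HTML attachment requested through the main host is redirected to a
per-bug attachment host instead of being rendered on the origin that
holds the session; a second check verifies the session cookie's scope
can never include that attachment host."""
from urllib.parse import urlsplit

MAIN_HOST = "bugzilla.example.org"                                   # constructed
ATTACHMENT_BASE = "https://bug%bugid%.bugattachments.example.net/"  # constructed

# Types a browser renders as active content (scripts run); anything
# else can be shown inline on the main host.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}


def attachment_host(bug_id, base=ATTACHMENT_BASE):
    """Host of the isolated origin used for one bug's attachments."""
    return urlsplit(base.replace("%bugid%", str(bug_id))).hostname


def view_response(request_host, bug_id, attach_id, content_type):
    """Decide how a 'view attachment' request is answered: (status, headers)."""
    mime = content_type.split(";")[0].strip().lower()
    headers = {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}
    if request_host == MAIN_HOST and mime in ACTIVE_TYPES:
        # Never render active content where the session cookie lives.
        target = ATTACHMENT_BASE.replace("%bugid%", str(bug_id))
        return 302, {"Location": f"{target}attachment.cgi?id={attach_id}"}
    if request_host in (MAIN_HOST, attachment_host(bug_id)):
        return 200, headers
    return 404, {}


def cookie_sent_to(cookie_domain, host_only, request_host):
    """Would a cookie with this scope be sent to request_host?

    A host-only cookie (no Domain attribute) reaches only the exact host;
    a Domain cookie also reaches every subdomain of that domain."""
    if host_only:
        return request_host == cookie_domain
    domain = cookie_domain.lstrip(".")
    return request_host == domain or request_host.endswith("." + domain)


def session_cookie_isolated(cookie_domain, host_only, bug_id, base=ATTACHMENT_BASE):
    """True if the session cookie can never reach the attachment host."""
    return not cookie_sent_to(cookie_domain, host_only, attachment_host(bug_id, base))
```

The last check is the one to run against a deployment's actual cookie settings: a session cookie set with Domain=.example.org would be sent to an attachment host under example.org, undoing the isolation.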