Persistence Mail Encoding Vulnerability

Status: RESOLVED INVALID
Product: Thunderbird
Component: Security
Priority: --
Severity: critical
Reported: 2 years ago
Last updated: 2 years ago
Reporter: Milan
Assignee: Unassigned
Version: 38 Branch
Firefox Tracking Flags: (Not tracked)
Whiteboard: [wfm]
Attachments: 4

Description (Reporter, 2 years ago)
Created attachment 8729805
Persistence code injection bug Thunderbird 38.6.0.mp4

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36

Steps to reproduce:

Persistence Mail Encoding Vulnerability:
========================================

Product: Thunderbird 38.6.0

1. Create a new message and attach the HTML.

Code in the HTML:

+49/>"<iframe src="http://vulnerability-lab.com">1337

2. Save or send it.

3. View the message field: the script code is injected and the site loads.

Mitigation:
===========

Properly filter the email encoding so that no code injection is possible.

Thanks,
Milan Solanki

Actual results:

Code injected.

Expected results:

Properly filter the email encoding so that no code injection is possible.
Comment 1 (Reporter, 2 years ago)
Any update on the bug?

Other causes and impact of the bug:
===================================
* To make it more dangerous, the attacker attaches a site that is vulnerable to XSS attacks, and when the site loads in the message the XSS is executed not in Thunderbird but in the system browser (IE, Firefox, Chrome, Safari). That leads to further attacks such as phishing and malicious file downloads, leading to full system compromise, etc.

Hope you fix the issue immediately.

Thanks,
Milan Solanki
Comment 2 (Reporter, 2 years ago)
Created attachment 8730563
xss new.html

HTML file used in the PoC.

Updated (Reporter, 2 years ago)
Severity: normal → critical
Priority: -- → P1

Comment 3
I do not get the results of your movie at all. When I try to reproduce I get the yellow warning bar "To protect your privacy, Thunderbird has blocked remote content in this message", which is what ought to happen.

There is a "preferences" button on that bar where you can allow remote content for that one message, or change your preferences globally. The global settings can also be found through the "privacy" tab of your preferences -- what are your settings? If you've allowed remote content for a specific message, that's stored in the message database and there's no easy way to revert it, unfortunately.

Note this is NOT an "XSS attack" -- scripting is still disabled. There is no scripting, cross-site or otherwise (unless you've changed those prefs, too).
Group: mail-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME
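As an added illustration of the display policy described in the comment above (example code written for this page, not Thunderbird's own implementation): scripts are always dropped, and elements pointing at http(s) resources are replaced by an inert placeholder unless the caller allows remote content, which models the per-message or global preference mentioned. The tag list, the attribute names checked and the placeholder markup are assumptions of this example. The payload is the one from the report; all other inputs are constructed.

```javascript
// Added example, not Thunderbird's code: a plain-JavaScript model of the
// display policy the triage comment describes. Tag list, attribute handling
// and the placeholder markup are this example's own assumptions.

// Payload copied from the report.
const REPORTED_PAYLOAD = '+49/>"<iframe src="http://vulnerability-lab.com">1337';

// Elements whose src/href/data would cause a network fetch when rendered
// (assumed list for this example).
const REMOTE_TAGS = ["iframe", "img", "script", "object", "embed",
                     "audio", "video", "source", "link", "frame"];

// Escape text for insertion into HTML. This is the "filter the encoding" the
// reporter asks for: a signature stored as plain text is rendered literally
// instead of being parsed as markup.
function escapeHtmlText(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// True for URLs that would be fetched over the network. cid:, data: and
// relative references are not remote in this sense.
function isRemoteUrl(url) {
  return /^\s*(?:https?:)?\/\//i.test(url);
}

// Render HTML for display. Returns the transformed markup plus the list of
// remote URLs found, so a UI could show the "remote content blocked" bar.
function renderForDisplay(html, { allowRemote = false } = {}) {
  const remoteUrls = [];

  // 1. Scripting is always disabled: drop <script> blocks entirely.
  let out = html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/<script\b[^>]*\/?>/gi, "");

  // 2. Neutralise elements that reference a remote resource.
  const tagRe = new RegExp("<(" + REMOTE_TAGS.join("|") + ")\\b([^>]*)>", "gi");
  out = out.replace(tagRe, (whole, tag, attrs) => {
    const m = /\b(?:src|href|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    const url = m ? (m[1] ?? m[2] ?? m[3]) : null;
    if (!url || !isRemoteUrl(url)) return whole; // inline/cid/relative: keep
    remoteUrls.push(url.trim());
    if (allowRemote) return whole;              // user chose to load it
    return '<span class="remote-blocked" data-src="' + escapeHtmlText(url.trim()) + '"></span>';
  });

  return { html: out, remoteUrls };
}

// Two ways a signature can end up in a message body.
// (a) Stored as plain text and escaped at compose time: the payload is inert.
function composeWithTextSignature(signatureText) {
  return '<div class="sig">' + escapeHtmlText(signatureText) + "</div>";
}
// (b) Stored as HTML and inserted verbatim: it is markup now, and the
//     display policy decides whether the iframe is loaded.
function composeWithHtmlSignature(signatureHtml) {
  return '<div class="sig">' + signatureHtml + "</div>";
}

// Demonstration on the reported payload (constructed message, not a capture).
const rawBody = composeWithHtmlSignature(REPORTED_PAYLOAD);
console.log("escaped signature:", composeWithTextSignature(REPORTED_PAYLOAD));
console.log("recipient default view:", renderForDisplay(rawBody));
console.log("remote content allowed:", renderForDisplay(rawBody, { allowRemote: true }));
```

Run with `node` on the file to see the three views: the escaped signature shows the payload as literal text, the default view replaces the iframe with the placeholder and reports `http://vulnerability-lab.com` as the blocked URL, and only the `allowRemote` view leaves the iframe in place. Loading a page inside the iframe still happens in the mail client's renderer, not in the system browser, and with scripting disabled there is nothing for page script to do there.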
Comment 4 (Reporter, 2 years ago)
Found another way to do it:
---------------------------

Go to Tools --> Account Settings --> domain.net --> Signature text

Add this payload:

+49/>"<iframe src="http://vulnerability-lab.com">1337

Save it.

Compose a new message: the payload code is not encoded properly, which makes it a persistent mail encoding bug.

PoC attached.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Comment 5 (Reporter, 2 years ago)
Created attachment 8731063
thunderbird 1.png
Comment 6 (Reporter, 2 years ago)
Created attachment 8731065
thunderbird 2.png
Comment 7 (Reporter, 2 years ago)
You can verify it with the two PoC attachments above.

Updated (2 years ago)
Component: Message Compose Window → Security
Priority: P1 → --
Updated (Reporter, 2 years ago)
Priority: -- → P1

Comment 8 (2 years ago)
Note, priority is only for developers to set.
Priority: P1 → --

Comment 9 (2 years ago)
WFM here too.
Setting it in your signature really doesn't count. Yes, that loads, but you put it in your signature yourself, probably for legitimate reasons.
Whiteboard: [wfm]
Comment 10 (Reporter, 2 years ago)
That's why it's harmful when sending to another user.

Comment 11 (2 years ago)
What harm are you talking about? If you explicitly put an iframe in your signature yes it will load - for you. For the recipient it will still be blocked by default.

Comment 12 (2 years ago)
I don't believe this is a bug.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID