User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36

Steps to reproduce:
I Can See attachment of Reporters In Bugzilla Website

Actual results:
First I Try To Uploaded [ https://bug1263710.bmoattachments.org/attachment.cgi?id=8740119 ] If Attacker Change https://bug1263708.bmoattachments.org/attachment.cgi?id=8740111 Can Got POC Result
Almost all data in bugzilla.mozilla.org is public. There is a facility for creating private attachments and private bugs (such as this security report, initially) but the one you link to is not one of those: bug 1263708 and all its attachments are public because they're just a normal bug and patch. If you want to test bugzilla please use one of the test instances on https://landfill.bugzilla.org -- if you continue to create junk bugs here your account will likely be disabled.
That's not what I mean, This Is [ https://bug1263710.bmoattachments.org/attachment.cgi?id=8740119 ] XSS payload Can Steal Team Cookies http://bmoattachments.org/ [ bugzilla ]
(In reply to Daniel Veditz [:dveditz] from comment #1)
> Almost all data in bugzilla.mozilla.org is public. There is a facility for
> creating private attachments and private bugs (such as this security report,
> initially) but the one you link to is not one of those: bug 1263708 and all
> its attachments are public because they're just a normal bug and patch.
>
> If you want to test bugzilla please use one of the test instances on
> https://landfill.bugzilla.org -- if you continue to create junk bugs here
> your account will likely be disabled.

That's not what I mean, Please Re-Check This bug I Can Upload HTML + JS With Cross Site Scripting Payload This Payload When Exploit For Users Can Steal Cookies This Domain https://bug1263710.bmoattachments.org Is Affected In BugZilla Thanks
The way bugzilla.mozilla.org is set up, you should not be able to steal any cookies from bugzilla itself (that's why the attachments are on a different hostname). Each bug actually gets its own attachment hostname, so you should not be able to steal any cookies except those set by JS in other attachments on the same bug. Please double-check if this is actually what you're reproducing.
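Added example, not part of the thread and not Bugzilla's own code: a sketch of the RFC 6265 domain-matching rule that the separate attachment hostnames described in the comment above rely on, run over a constructed cookie jar. The cookie names are placeholders; only the hostnames come from the comments.

```javascript
// RFC 6265 section 5.1.3 domain-match: does `host` fall under cookie domain `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  // A suffix match must land on a label boundary, and never applies to IP literals.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// A cookie set without a Domain attribute is host-only: exact host match required.
function cookieIsSent(cookie, requestHost) {
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatch(requestHost, cookie.domain);
}

// Names of the cookies in `jar` a browser would attach to a request for
// `requestHost` (Path, Secure and HttpOnly are ignored in this sketch).
function cookiesVisibleTo(jar, requestHost) {
  return jar.filter((c) => cookieIsSent(c, requestHost)).map((c) => c.name);
}

// Constructed jar: cookie names are placeholders, hostnames are from the thread.
const jar = [
  { name: "bmo_session_example", domain: "bugzilla.mozilla.org", hostOnly: true },
  { name: "wide_example", domain: "mozilla.org", hostOnly: false },
  { name: "set_by_attachment_js", domain: "bug1263710.bmoattachments.org", hostOnly: true },
];

const hosts = [
  "bugzilla.mozilla.org",
  "bug1263710.bmoattachments.org",
  "bug1263708.bmoattachments.org",
];
for (const host of hosts) {
  console.log(host, "->", cookiesVisibleTo(jar, host));
}
```

Script running in an attachment on one bug's hostname sees only cookies scoped to that hostname; neither the main site's cookies nor another bug's host-only cookies match.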
@secfathy: If you think there is a security issue, please provide a clear, numbered list of steps to reproduce, step by step, so anyone else could follow your steps without having to think or to interpret what you meant. Thanks!
Hello, When Researcher Write New Report, Can Attachment [ HTML, SVG ] More Types But I Can Attachment HTML + JS Tag Lead To Cross site Scripting Bug Like That: https://bug1263710.bmoattachments.org/attachment.cgi?id=8740119 I Think This URL: https://bug1263710.bmoattachments.org/attachment.cgi?id=8740119 | If You Change Last Number of Report Can Access To See Attachment Like This: https://bug1263708.bmoattachments.org/attachment.cgi?id=8740111 But [ bmoattachments.org ] is Same of Bugzilla Website And Affected On bugzilla Any Cookies Steal From Mozilla Team Can Steal Him Accounts .. Thanks
What have you actually succeeded in doing? I see a lot of "I think you can" without any explanation of what you've actually done. There are measures in place to prevent what you're saying you think can be done, so unless you can show us some proof that those measures are not working, we've got nothing to go on here.
Also, I do not mean any disrespect and don't want to be rude, but it's obvious that English is not your first language, and the language barrier because of your incomplete English may be causing a communication failure in us trying to understand what you're reporting (a lot of what you've written just does not make sense to me from a language perspective, never mind the technical part). It may be helpful for you to write your report in your native language rather than in English, and we will find someone to translate it for us.