Information Disclosure About Reporters' Uploads From CDN

Status: RESOLVED INVALID
Product: Bugzilla
Component: Bugzilla-General
Reporter: Secfathy
Assignee: Unassigned
Reported: 2 years ago
Modified: 2 years ago

Description (Reporter), 2 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36

Steps to reproduce:

I can see attachments of reporters on the Bugzilla website.


Actual results:

First I tried to upload [ https://bug1263710.bmoattachments.org/attachment.cgi?id=8740119 ]

If an attacker changes it to https://bug1263708.bmoattachments.org/attachment.cgi?id=8740111

they can get the PoC result.

Comment 1 (Daniel Veditz [:dveditz])

Almost all data in bugzilla.mozilla.org is public. There is a facility for creating private attachments and private bugs (such as this security report, initially) but the one you link to is not one of those: bug 1263708 and all its attachments are public because they're just a normal bug and patch.

If you want to test bugzilla please use one of the test instances on https://landfill.bugzilla.org -- if you continue to create junk bugs here your account will likely be disabled.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
Comment 2 (Reporter), 2 years ago

That's not what I mean.

This [ https://bug1263710.bmoattachments.org/attachment.cgi?id=8740119 ] is an XSS payload that can steal team cookies.

http://bmoattachments.org/ [ bugzilla ]
Comment 3 (Reporter), 2 years ago

(In reply to Daniel Veditz [:dveditz] from comment #1)
> Almost all data in bugzilla.mozilla.org is public. There is a facility for
> creating private attachments and private bugs (such as this security report,
> initially) but the one you link to is not one of those: bug 1263708 and all
> its attachments are public because they're just a normal bug and patch.
> 
> If you want to test bugzilla please use one of the test instances on
> https://landfill.bugzilla.org -- if you continue to create junk bugs here
> your account will likely be disabled.

That's not what I mean.

Please re-check this bug.

I can upload HTML + JS with a cross-site scripting payload.
This payload, when exploited against users, can steal cookies.
This domain https://bug1263710.bmoattachments.org
is affected in Bugzilla.

Thanks
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---

Comment 4

The way bugzilla.mozilla.org is set up, you should not be able to steal any cookies from bugzilla itself (that's why the attachments are on a different hostname). Each bug actually gets its own attachment hostname, so you should not be able to steal any cookies except those set by JS in other attachments on the same bug. Please double-check if this is actually what you're reproducing.
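
As an added illustration of the isolation described in comment 4 (example code written for this page, not Bugzilla's own), the Python below models RFC 6265 cookie scoping for the per-bug attachment hostnames; the cookie names and the sample jar are constructed, and the only assumption is the `bug<ID>.bmoattachments.org` host pattern seen in the URLs above.

```python
import re
from urllib.parse import urlsplit

# Host pattern of the per-bug attachment origins quoted in this thread.
ATTACHMENT_HOST = re.compile(r"^bug(\d+)\.bmoattachments\.org$")


def attachment_bug_id(url: str):
    """Return the bug id encoded in a per-bug attachment hostname, else None."""
    host = urlsplit(url).hostname or ""
    m = ATTACHMENT_HOST.match(host)
    return int(m.group(1)) if m else None


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching (inputs are lower-case)."""
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookie_sent_to(cookie: dict, url: str) -> bool:
    """Would a stored cookie with this scope be attached to a request to url?"""
    host = (urlsplit(url).hostname or "").lower()
    if cookie["host_only"]:          # no Domain attribute: exact host only
        return host == cookie["domain"]
    return domain_matches(host, cookie["domain"])


# Constructed jar: a session cookie belonging to bugzilla.mozilla.org (shown
# with a Domain attribute, the widest scope it could have), and a cookie
# planted by script running inside an attachment on bug 1263710.
SESSION = {"name": "session", "domain": "bugzilla.mozilla.org", "host_only": False}
PLANTED = {"name": "planted", "domain": "bug1263710.bmoattachments.org", "host_only": True}


def exposure_report(url: str) -> dict:
    """Which of the two cookies a page at this URL could receive or read."""
    return {
        "bug": attachment_bug_id(url),
        "gets_bugzilla_session": cookie_sent_to(SESSION, url),
        "gets_planted_cookie": cookie_sent_to(PLANTED, url),
    }
```

Script in an attachment on bug 1263710 reaches only the cookie planted on that same bug host; neither bug 1263708's host nor bugzilla.mozilla.org's session cookie is in scope, which is the separation comment 4 describes.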

Comment 5, 2 years ago

@secfathy: If you think there is a security issue, please provide a clear, numbered list of steps to reproduce, step by step, so anyone else could follow your steps without having to think or to interpret what you meant. Thanks!
Flags: needinfo?(secfathy)
Comment 6 (Reporter), 2 years ago

Hello,

When a researcher writes a new report, they can attach [ HTML, SVG ] and more types, but I can attach HTML + a JS tag that leads to a cross-site scripting bug like this:

https://bug1263710.bmoattachments.org/attachment.cgi?id=8740119

I think with this URL: https://bug1263710.bmoattachments.org/attachment.cgi?id=8740119 | if you change the last number of the report, you can access and see an attachment like this:

https://bug1263708.bmoattachments.org/attachment.cgi?id=8740111

But [ bmoattachments.org ] is the same as the Bugzilla website and affects Bugzilla.
Any cookies stolen from the Mozilla team can steal their accounts.

Thanks
Flags: needinfo?(secfathy)

Comment 7

What have you actually succeeded in doing? I see a lot of "I think you can" without any explanation of what you've actually done. There are measures in place to prevent what you're saying you think can be done, so unless you can show us some proof that those measures are not working, we've got nothing to go on here.
Flags: needinfo?(secfathy)

Comment 8

Also, I do not mean any disrespect and don't want to be rude, but it's obvious that English is not your first language, and the language barrier because of your incomplete English may be causing a communication failure in us trying to understand what you're reporting (a lot of what you've written just does not make sense to me from a language perspective, never mind the technical part). It may be helpful for you to write your report in your native language rather than in English, and we will find someone to translate it for us.

Updated (Reporter), 2 years ago

Flags: needinfo?(secfathy)

Updated (Reporter), 2 years ago

Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID