Closed Bug 1356019 Opened 4 years ago Closed 4 years ago

Stored XSS on upload attachment in https://bugzilla.mozilla.org

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 38862

People

(Reporter: testbr09, Unassigned)


Details

(Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(1 file)

74 bytes, image/svg+xml
Hi team,

I noticed a stored XSS being possible using an SVG file loading as an attachment to a report at https://bugzilla.mozilla.org

POC

1. Access this report https://bugzilla.mozilla.org/show_bug.cgi?id=1112613 > find 'attachment 8857673 [details]' > click on name > click on image > XSS triggered
Flags: sec-bounty?
Attached image poc.svg
This is also possible by accessing this attachment
Tester: Thanks for your report, but this behavior is by design and desirable.  You'll note that the attachment domain used for attachments is variable to prevent abuse of the bugzilla.mozilla.org domain (Example: https://bug1356019.bmoattachments.org/...).
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
Right. But despite the no-change, XSS is possible for any member who has access to, for example, this report. It only takes a low interaction to execute. Is this actually considered by design?
Tester: Yes, for BMO, the expectation is that a user can upload HTML content (including script tags) and upon visiting that content that it would be interpreted by the browser, but the execution origin/domain will be something like bug1356019.bmoattachments.org rather than bugzilla.mozilla.org. This is a pretty heavily discussed topic with multiple reports, most of which are dup'd against bug 38862. Let me know if you have additional perspective here that hasn't already been covered in the linked bug or its dup'd dependents.
Resolution: WONTFIX → DUPLICATE
Duplicate of bug: 38862
Group: websites-security
Flags: sec-bounty? → sec-bounty-
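To make the origin-isolation argument in the comment above concrete, here is an added example (not Bugzilla's own code) showing why an uploaded SVG with script in it is contained when it is only ever rendered from a per-bug host under bmoattachments.org. The attachment URL layout, the helper names and the redirect policy are assumptions for illustration; the domains and ids come from this thread.

```python
from urllib.parse import urlsplit

# Domains as named in the thread; everything else below is a hypothetical model.
MAIN_ORIGIN = "https://bugzilla.mozilla.org"
ATTACHMENT_DOMAIN = "bmoattachments.org"


def origin(url):
    """Web origin tuple (scheme, host, port). Script in a document can reach
    the DOM, cookies and storage of another document only if the tuples match."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def attachment_url(bug_id, attachment_id):
    """Canonical URL of an attachment on its per-bug isolated host
    (assumed layout, e.g. https://bug1356019.bmoattachments.org/...)."""
    return f"https://bug{bug_id}.{ATTACHMENT_DOMAIN}/attachment.cgi?id={attachment_id}"


def serve_decision(request_url, bug_id, attachment_id, content_type):
    """Policy for answering a request for an attachment (hypothetical).

    The body is rendered inline only on the per-bug host, so a <script> inside
    an uploaded SVG executes in the origin bug<N>.bmoattachments.org and has no
    access to bugzilla.mozilla.org session state; using a separate host per bug
    also keeps attachments of different bugs from reading each other. A request
    arriving on any other host (including the main site) is redirected.
    """
    canonical = attachment_url(bug_id, attachment_id)
    if not same_origin(request_url, canonical):
        return {"status": 302, "headers": {"Location": canonical}}
    return {
        "status": 200,
        "headers": {
            "Content-Type": content_type,
            # Stop the browser from reinterpreting the declared type.
            "X-Content-Type-Options": "nosniff",
        },
    }
```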