
Stored XSS on upload attachment in https://bugzilla.mozilla.org

RESOLVED DUPLICATE of bug 38862

Status

Product: Websites
Component: Other
Resolution: RESOLVED DUPLICATE of bug 38862
Reported: 5 months ago
Last modified: 5 months ago

People

(Reporter: Tester, Unassigned)

Tracking

unspecified
Bug Flags:
sec-bounty -

Details

(Whiteboard: [reporter-external] [web-bounty-form] [verif?], URL)

Attachments

(1 attachment)

poc.svg: 74 bytes, image/svg+xml
(Reporter)

Description

5 months ago
Hi team,

I noticed a stored XSS being possible using an SVG file loading as an attachment to a report at https://bugzilla.mozilla.org

POC

1. Access this report https://bugzilla.mozilla.org/show_bug.cgi?id=1112613 > find 'attachment 8857673 [details]' > click on the name > click on the image > XSS triggered
Flags: sec-bounty?
(Reporter)

Comment 1

5 months ago
Created attachment 8857675 [details]
poc.svg

This is also possible by accessing this attachment
Comment 2

5 months ago
Tester: Thanks for your report, but this behavior is by design and desirable. You'll note that the attachment domain used for attachments is variable to prevent abuse of the bugzilla.mozilla.org domain (Example: https://bug1356019.bmoattachments.org/...).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 months ago
Resolution: --- → WONTFIX
(Reporter)

Comment 3

5 months ago
Right. But despite the no-change, XSS is possible for any member who has access to, for example, this report. It only takes a low interaction to execute. Is this actually considered by design?
Comment 4

5 months ago
Tester: Yes, for BMO, the expectation is that a user can upload HTML content (including script tags) and upon visiting that content that it would be interpreted by the browser, but the execution origin/domain will be something like bug1356019.bmoattachments.org rather than bugzilla.mozilla.org. This is a pretty heavily discussed topic with multiple reports, most of which are dup'd against bug 38862. Let me know if you have additional perspective here that hasn't already been covered in the linked bug or its dup'd dependents.
Resolution: WONTFIX → DUPLICATE
Duplicate of bug: 38862
Group: websites-security
Flags: sec-bounty? → sec-bounty-
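The resolution above rests on one property: user-uploaded content executes in a throwaway origin (a per-bug host under bmoattachments.org) rather than in the bugzilla.mozilla.org origin, so script in an attachment cannot read the application's DOM or cookies. The following is an added example, not code from Bugzilla or from the reporter, showing how a defender can audit that property for a list of attachment URLs. It assumes the per-bug host pattern `bug<id>.bmoattachments.org` from the comment's example and uses a naive "last two labels" rule instead of a public suffix list to approximate cookie scope; the URLs in `SAMPLE_URLS` are constructed for the demonstration.

```python
from urllib.parse import urlsplit

APP_URL = "https://bugzilla.mozilla.org/"  # the origin that must never execute uploads

# Constructed sample of URLs an auditor might collect from attachment links.
SAMPLE_URLS = [
    "https://bug1112613.bmoattachments.org/attachment/poc.svg",     # isolated origin (good)
    "https://bug1356019.bmoattachments.org/attachment/index.html",  # another bug, another origin
    "https://attachments.bugzilla.mozilla.org/poc.svg",             # constructed: sibling subdomain
    "https://bugzilla.mozilla.org/served-inline/poc.svg",           # constructed: same-origin (bad)
]


def origin(url):
    """Return the (scheme, host, port) tuple browsers compare for the same-origin policy."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def attachment_origin_host(bug_id, sandbox_domain="bmoattachments.org"):
    """Per-bug sandbox host. Assumption: the bug<id>.<sandbox_domain> scheme seen in the thread."""
    return f"bug{int(bug_id)}.{sandbox_domain}"


def is_isolated(attachment_url, app_url=APP_URL):
    """True when the attachment's origin differs from the application's origin."""
    return origin(attachment_url) != origin(app_url)


def naive_site(host):
    """Approximate registrable domain (eTLD+1). Assumption: no public suffix list,
    so this is only right for simple suffixes such as .org or .com."""
    return ".".join(host.split(".")[-2:])


def shares_cookie_scope(url_a, url_b):
    """Cookies are scoped by registrable domain, not by origin: a sibling subdomain of the
    app is a different origin yet can still receive Domain=bugzilla.mozilla.org cookies."""
    return naive_site(origin(url_a)[1]) == naive_site(origin(url_b)[1])


def audit(urls, app_url=APP_URL):
    """Return {url: {"isolated_origin": bool, "separate_site": bool}} for each attachment URL.
    Both flags True is the configuration the thread describes as by design."""
    report = {}
    for url in urls:
        report[url] = {
            "isolated_origin": is_isolated(url, app_url),
            "separate_site": not shares_cookie_scope(url, app_url),
        }
    return report


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_URLS).items():
        flag = "OK " if all(verdict.values()) else "WARN"
        print(f"{flag} {url} -> {verdict}")
```

Run it as a script to print one verdict per URL; the two `bmoattachments.org` URLs pass both checks, the constructed sibling subdomain passes the origin check but fails the cookie-scope check, and the constructed same-origin URL fails both. Each per-bug host is also a distinct origin from every other bug's host, so an uploaded script cannot read another bug's attachment either.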