Closed Bug 1595827 Opened 5 years ago Closed 5 years ago

Stored XSS due to crafted SVG file

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set
normal

RESOLVED DUPLICATE of bug 38862

People

(Reporter: justdave, Unassigned)

+++ This bug was initially created as a clone of Bug #1595640 +++

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36

Steps to reproduce:

Stored XSS using an SVG file

Log in to Bugzilla:
1) Go to bug..
2) Go to Show Attached Images.
https://bugzilla.mozilla.org/attachment.cgi?id=9107901&action=edit

3) Click on View with SVG image id 9107901

Second XSS:-
Replace the edit parameter with t=F6qKq3qWf3AeaxvCfBxjMJ

https://bugzilla.mozilla.org/attachment.cgi?id=9107901&action=edit

https://bugzilla.mozilla.org/attachment.cgi?id=9107901&t=F6qKq3qWf3AeaxvCfBxjMJ

Actual results:

The file should be opened without executing a script.

Expected results:

Successfully executed stored XSS with SVG file.

The attachments for the POC are on the original bug.

Version: Staging → Production

Cookies are marked as http-only, and also bmoattachments.org is a different domain. Indeed, it is in the public suffix list so it is even more isolated. There is a long history of this bug, and the current measures are considered sufficient. This bug tracker is largely used for the development of a web browser, and the ability to upload HTML attachments is considered useful.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Group: bugzilla-security
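The isolation argument in the comment above, as an added example that is not part of the original bug or of Bugzilla's code: it computes site boundaries from a public-suffix set and shows what listing bmoattachments.org changes. The suffix set is a constructed two-entry stand-in for the real list, and the per-bug attachment hostnames are assumed for illustration.

```python
# Constructed stand-in for the Public Suffix List (PSL). The page states that
# bmoattachments.org is listed; "org" is an ordinary suffix.
PSL = frozenset({"org", "bmoattachments.org"})


def public_suffix(host, psl=PSL):
    """Longest listed suffix of host (wildcard/exception rules omitted)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in psl:
            return candidate
    return labels[-1]  # PSL default rule: the last label is the suffix


def registrable_domain(host, psl=PSL):
    """Public suffix plus one label (eTLD+1); None if host is itself a suffix."""
    host = host.lower().rstrip(".")
    suffix = public_suffix(host, psl)
    if host == suffix:
        return None
    extra = host[: -len(suffix) - 1].split(".")[-1]
    return extra + "." + suffix


def same_site(a, b, psl=PSL):
    """True when both hosts share a registrable domain."""
    ra, rb = registrable_domain(a, psl), registrable_domain(b, psl)
    return ra is not None and ra == rb


def cookie_domain_accepted(request_host, domain_attr, psl=PSL):
    """RFC 6265 storage check: a Domain attribute that is a public suffix
    (and not the request host itself) causes the cookie to be ignored."""
    host = request_host.lower().rstrip(".")
    domain = domain_attr.lower().strip(".")
    if domain in psl and domain != host:
        return False
    return host == domain or host.endswith("." + domain)


# Hypothetical hostnames: the per-bug subdomain naming is assumed.
MAIN = "bugzilla.mozilla.org"
ATT_A = "bug1595827.bmoattachments.org"
ATT_B = "bug38862.bmoattachments.org"

if __name__ == "__main__":
    print(same_site(MAIN, ATT_A))                               # False
    print(same_site(ATT_A, ATT_B))                              # False
    print(same_site(ATT_A, ATT_B, psl=frozenset({"org"})))      # True
    print(cookie_domain_accepted(ATT_A, "bmoattachments.org"))  # False
```

Without the list entry, two attachment hosts would count as the same site and could share a cookie scoped to the parent domain; with it, each attachment host is its own site.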