Closed Bug 1668683 Opened 5 months ago Closed 5 months ago

[Security] Attachments svg

Categories

(bugzilla.mozilla.org :: General, enhancement)

Production
enhancement

Tracking

()

RESOLVED DUPLICATE of bug 38862

People

(Reporter: dr0vosec, Unassigned)

Details

Attachments

(1 file)

1.82 KB, image/svg+xml
Details
Attached image 2.svg

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0

Steps to reproduce:

Hello all.

I doubted whether to write it or not. But many developers of different CMS (and etc) usually do not allow the use of svg files as attachments, because in the svg attacker can put javascript code. I decided to put it here. If I am wrong and it is absolutely safe, then I will be interested to know the opinion.

Actual results:

I did a test on the https://bugzilla-dev.allizom.org/show_bug.cgi?id=1629597 and found that I can upload a svg file and it is visible on a direct link. (Visible for all.. if you specify in the settings initially, that can be seen by everyone. But I didn't do it.)
https://bug1629597.bmoattachments.bugzilla-dev.allizom.org/attachment.cgi?id=9140559&t=DEjdkzhUlgltcKsObSMats

Picture:
https://imgur.com/a/O48krgm

Expected results:

This can be used as a typical stored xss. But..I didn’t test from an attacker's perspective.

It's work is here too. I use for test Mozilla Firefox browser and Windows 10.
https://bug1668683.bmoattachments.org/attachment.cgi?id=9179130&t=TAzhG63sQww6ccP1qTLbEX

Thanks for your report, but this behavior is by design and desirable. You'll note that the attachment domain used for attachments is variable to prevent abuse of the bugzilla.mozilla.org domain

For more information read the duplicates of bug 38862.

Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 38862
You need to log in before you can comment on or make changes to this bug.