[Security] Attachments svg
Categories: bugzilla.mozilla.org :: General, enhancement
People: Reporter: dr0vosec, Unassigned
Attachments (1 file): 1.82 KB, image/svg+xml
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Steps to reproduce:
Hello all.
I doubted whether to write it or not. But many developers of different CMSs (etc.) usually do not allow the use of SVG files as attachments, because an attacker can put JavaScript code in the SVG. I decided to put it here. If I am wrong and it is absolutely safe, then I will be interested to know your opinion.
Actual results:
I did a test on https://bugzilla-dev.allizom.org/show_bug.cgi?id=1629597 and found that I can upload an SVG file and it is visible via a direct link. (Visible to all, if you specify in the settings initially that it can be seen by everyone. But I didn't do that.)
https://bug1629597.bmoattachments.bugzilla-dev.allizom.org/attachment.cgi?id=9140559&t=DEjdkzhUlgltcKsObSMats
Picture:
https://imgur.com/a/O48krgm
Expected results:
This can be used as a typical stored XSS. But I didn't test from an attacker's perspective.
It works here too. For the test I used the Mozilla Firefox browser and Windows 10.
https://bug1668683.bmoattachments.org/attachment.cgi?id=9179130&t=TAzhG63sQww6ccP1qTLbEX
Thanks for your report, but this behavior is by design and desirable. You'll note that the attachment domain used for attachments is variable to prevent abuse of the bugzilla.mozilla.org domain.
For more information read the duplicates of bug 38862.
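As an added example (not Bugzilla's own code), a defender-side illustration of the two halves of this thread: flagging SVG uploads that carry active content, and the serving choice the reply describes, rendering inline only from a separate attachment origin. The header set and the sample SVGs are assumptions constructed for the example, not what bmoattachments.org actually sends.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an otherwise harmless SVG carrying active content (no real payload).
UNSAFE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>/* constructed sample, no payload */</script>
  <circle r="10" onload="" />
  <a xlink:href="javascript:void(0)"><text>x</text></a>
</svg>"""

# Constructed sample: plain vector graphics only.
SAFE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>"""


def active_content(svg_bytes):
    """Return the reasons an SVG could run script when a browser renders it inline."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # strip the XML namespace
        if tag in ("script", "foreignobject", "iframe", "embed"):
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()       # xlink:href -> href
            if name.startswith("on"):                # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def attachment_headers(content_type, on_isolated_origin):
    """Headers for serving an untrusted upload (assumed policy, not Bugzilla's).

    Inline rendering is allowed only from a per-attachment origin, which keeps
    any script inside the file away from the main site's cookies and DOM;
    from the main origin the same file is forced to download instead."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if content_type == "image/svg+xml" and not on_isolated_origin:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    else:
        headers["Content-Type"] = content_type
        # Belt and braces even on the isolated origin: no script, no outbound loads.
        headers["Content-Security-Policy"] = "sandbox; default-src 'none'; style-src 'unsafe-inline'"
    return headers
```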