Closed
Bug 256348
Opened 17 years ago
Closed 16 years ago
possible security problem with text/html pages that redirect to outside pages
Categories
(Bugzilla :: Attachments & Requests, defect)
RESOLVED
WONTFIX
People
(Reporter: joshua.neveln, Assigned: myk)
Attachments (1 file): 112 bytes, text/html
Description
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7b) Gecko/20040514
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7b) Gecko/20040514

When an attachment of MIME type text/html is added to a bug, it is displayed when attachment.cgi is called with the edit or view options. When that page contains a redirect to a site outside of the Bugzilla server, that page is displayed instead. This seems like it could be a security problem, but people with more knowledge than me should determine that. It seems like more of a problem when the page redirected to is a CGI.

An example of the type of file that is attached:

<html>
<head>
<meta http-equiv="refresh" content="0;URL=http://somesite.com/">
</head>
<body>
</body>
</html>

I'll try to add an attachment like this as well. If this isn't a problem, please let me know, and I guess if it is a problem, let me know sooner. Thanks

Reproducible: Always

Steps to Reproduce:
1. Add attachment as described above
2. Edit attachment

Actual Results:
Was redirected to external page

Expected Results:
The page was displayed.

Appears in both Mozilla and IE. Found this problem in Bugzilla 2.17.6. Seems to still appear in 2.18rc2, but I have not had a chance to install that to verify it.
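The description above shows the kind of attachment that triggers the redirect. As an added example that is not part of this bug report or of Bugzilla's own code, the following Python check scans an uploaded text/html attachment for a meta refresh whose target leaves the Bugzilla host, which is the condition an administrator would want to review before such an attachment is shown inline; the host name bugzilla.example.org and the sample attachment are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host the Bugzilla installation serves attachments from (constructed value).
BUGZILLA_HOST = "bugzilla.example.org"

# Constructed sample attachment modelled on the reporter's forward.html.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0;URL=http://somesite.com/">
</head><body></body></html>"""


def parse_refresh_target(content):
    """'0;URL=http://x/' -> 'http://x/'; None for a bare delay such as '30'.
    Quoting, spacing and the case of the 'url=' prefix vary, so tolerate them."""
    parts = re.split(r"[;,]", content, maxsplit=1)
    if len(parts) < 2:
        return None
    target = parts[1].strip()
    m = re.match(r"url\s*=\s*(.*)", target, re.I)
    if m:
        target = m.group(1)
    return target.strip().strip("'\"") or None


class MetaRefreshFinder(HTMLParser):
    """Collects the target of every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            url = parse_refresh_target(a.get("content", ""))
            if url:
                self.targets.append(url)


def offsite_redirects(html_text, own_host=BUGZILLA_HOST):
    """Return meta-refresh targets whose host differs from own_host.
    Relative and same-host targets stay on the Bugzilla server and are skipped."""
    finder = MetaRefreshFinder()
    finder.feed(html_text)
    finder.close()
    hosts = [(u, urlparse(u).hostname) for u in finder.targets]
    return [u for u, h in hosts if h and h != own_host.lower()]
```

Calling `offsite_redirects(SAMPLE_ATTACHMENT)` returns `['http://somesite.com/']`, while a refresh to a relative path or to the Bugzilla host itself returns an empty list.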
Comment 1•17 years ago (Reporter)
Attaching an example file forward.html
Comment 2•17 years ago
Next time, checkmark the security box for stuff like this... it mails a bunch of extra people to get them hopping on it. :) (Not that this issue is exactly hopping, because it's a pain in the butt to fix - see the bug I'm duping it to.)

*** This bug has been marked as a duplicate of 38862 ***
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Comment 3•17 years ago
Hmm, I take that back, reading this a little closer, this isn't actually the same issue (but sort of related anyway). I really don't know if there's much we can do about this... Jesse's probably the guy to tell us what to do here.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Updated•17 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4•16 years ago
Jesse: any thoughts?
Comment 5•16 years ago
I don't think redirecting attachments are a problem.
Comment 6•16 years ago
What's the status of this bug? Still a security bug? Still open? Maybe the reporter wondered whether it was possible for the called website to access Bugzilla cookies or to launch some script/SQL request on behalf of some Bugzilla user.
Comment 7•16 years ago
I don't think this is either a bug or a security bug - I agree with Jesse. Suggest WONTFIX.

Gerv
Comment 8•16 years ago
Marking the bug as WONTFIX per comments 5 and 7, but leaving the security flag for now. If you disagree, reopen the bug; otherwise remove the security flag.
Severity: major → normal
Status: NEW → RESOLVED
Closed: 17 years ago → 16 years ago
OS: SunOS → All
Hardware: Sun → All
Resolution: --- → WONTFIX
Version: unspecified → 2.17.6
Updated•16 years ago
Group: webtools-security
Updated•8 years ago
QA Contact: matty_is_a_geek → default-qa