Closed Bug 256348 Opened 17 years ago Closed 16 years ago
possible security problem with text/html pages that redirect to outside pages
112 bytes, text/html
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7b) Gecko/20040514
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7b) Gecko/20040514

When an attachment of MIME Type text/html is added to a bug, it is displayed when attachment.cgi is called with edit or view options. When that page contains a redirect to a site outside of the bugzilla server, that page is displayed instead. This seems like it could be a security problem, but people with more knowledge than me should determine that. It seems like more of a problem when the page redirected to is a cgi.

An example of the type of file that is attached:

<html>
<head>
<meta http-equiv="refresh" content="0;URL=http://somesite.com/">
</head>
<body>
</body>
</html>

I'll try to add an attachment like this as well. If this isn't a problem, please let me know, and I guess if it is a problem, let me know sooner. Thanks

Reproducible: Always

Steps to Reproduce:
1. add attachment as described above
2. edit attachment

Actual Results: was redirected to external page

Expected Results: The page was displayed.

Appears in both Mozilla and IE. Found this problem in Bugzilla 2.17.6. Seems to still appear in 2.18rc2, but I have not had a chance to install that to verify it.
Attaching an example file forward.html
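An added example, not part of the original report and not Bugzilla's own code: a Python check that parses a text/html attachment for meta refresh directives and lists the targets that leave the origin serving the attachment. The attachment URL on bugs.example.org is an assumed placeholder, and the names RefreshFinder and offsite_refreshes are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Refresh content value: "<delay>[;,] [url=]<target>"; the target may be absent.
_REFRESH = re.compile(r"\s*[\d.]+\s*[;,]?\s*(?:url\s*=\s*)?(.*)", re.I | re.S)

# The attachment body quoted in the report above.
REPORTED = """<html> <head>
<meta http-equiv="refresh" content="0;URL=http://somesite.com/">
</head> <body> </body> </html>"""

# Assumed placeholder for the URL the attachment is served from.
BASE = "https://bugs.example.org/attachment.cgi?id=1&action=view"


class RefreshFinder(HTMLParser):
    """Collects the raw target of every <meta http-equiv=refresh> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}  # names arrive lowercased
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = _REFRESH.match(a.get("content", ""))
        if m:
            self.targets.append(m.group(1).strip().strip("'\""))


def offsite_refreshes(html, attachment_url):
    """Return absolute refresh targets whose scheme or host differs from the attachment's."""
    finder = RefreshFinder()
    finder.feed(html)
    finder.close()
    own = urlsplit(attachment_url)
    hits = []
    for target in finder.targets:
        if not target:
            continue  # a bare delay only reloads the same page
        dest = urlsplit(urljoin(attachment_url, target))
        if (dest.scheme, dest.netloc.lower()) != (own.scheme, own.netloc.lower()):
            hits.append(dest.geturl())
    return hits
```

Relative and same-host targets are resolved against the attachment URL before comparison, so only redirects that actually leave the serving origin are reported.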
next time, checkmark the security box for stuff like this... it mails a bunch of extra people to get them hopping on it. :) (not that this issue is exactly hopping, because it's a pain in the butt to fix - see the bug I'm duping it to) *** This bug has been marked as a duplicate of 38862 ***
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Hmm, I take that back, reading this a little closer, this isn't actually the same issue (but sort of related anyway). I really don't know if there's much we can do about this... Jesse's probably the guy to tell us what to do here.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
17 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Jesse: any thoughts?
I don't think redirecting attachments are a problem.
What's the status of this bug? Still a security bug? Still open? Maybe the reporter wondered if it was possible for the called website to access bugzilla cookies or to launch some script/SQL request on behalf of some bugzilla user.
I don't think this is either a bug or a security bug - I agree with Jesse. Suggest WONTFIX. Gerv
Marking the bug as WONTFIX per comments 5 and 7, but leaving the security flag for now. If you disagree, reopen the bug, else remove the security flag.
Severity: major → normal
Status: NEW → RESOLVED
Closed: 17 years ago → 16 years ago
OS: SunOS → All
Hardware: Sun → All
Resolution: --- → WONTFIX
Version: unspecified → 2.17.6
16 years ago