Closed Bug 387547 Opened 17 years ago Closed 17 years ago

Cross site scripting possible in attachments

Categories

(Bugzilla :: Attachments & Requests, defect)

defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 38862

People

(Reporter: wpvalter, Unassigned)

Details

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4 Build Identifier: 3.0 Release Creating a tetx file with malicious javascript, and saving it as an image attachment will cause bugzilla to render the script. Reproducible: Always Steps to Reproduce: 1.create a text file containing: <script>alert("Vulnerable!")</script> and save it as pic.gif 2.attach pic .gif to a bug 3.view / edit the attachment Actual Results: In this instance I get a alert box as is the intent Bug uncovered by Scott Laurie (scott.laurie@hewitt.com)
Attached image per reporter...
Unless I'm missing something, I don't think this is particularly major as you can already create a text/html file with the same script. and it too will be executed (and we do have bugs about how to handle that).
so far, the only way I've managed to get an alert was if i clicked on [view] using IE (which is well, being helpful). One could argue that we should protect IE users from this by scanning images, but what use is it? No matter what content type we serve, IE will almost certainly sniff. And zipping the file to send it to IE is mostly rude and probably doesn't really help much. IE: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727) Firefox: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a7pre) Gecko/2007070404 Minefield/3.0a7pre With firefox, none of the following are harmful: https://bugzilla.mozilla.org/attachment.cgi?id=271677 The image “https://bugzilla.mozilla.org/attachment.cgi?id=271677” cannot be displayed, because it contains errors. https://bugzilla.mozilla.org/attachment.cgi?id=271677&action=edit frame containing The image “https://bugzilla.mozilla.org/attachment.cgi?id=271677” cannot be displayed, because it contains errors. Edit Attachment As Comment ><HTML><BODY><IMG src="https://bugzilla.mozilla.org/attachment.cgi?id=271677" alt="The image “https://bugzilla.mozilla.org/attachment.cgi?id=271677” cannot be displayed, because it contains errors."/></BODY></HTML> View Attachment As Diff The image “https://bugzilla.mozilla.org/attachment.cgi?id=271677&action=diff&headers=0” cannot be displayed, because it contains errors.
(In reply to comment #1) > can already create a text/html file with the same script. and it too will be > executed (and we do have bugs about how to handle that). Exactly. The issue is the same.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Version: unspecified → 3.0
Group: webtools-security → bugzilla-security
Group: bugzilla-security → webtools-security
Group: webtools-security → bugzilla-security
This bug is being removed from the security group because the bug that it is a duplicate of is now public, since it has been fixed and a Security Advisory has been sent about it. See bug 468249 for the Security Advisory.
Group: bugzilla-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: