Closed
Bug 387547
Opened 17 years ago
Closed 17 years ago
Cross site scripting possible in attachments
Categories
(Bugzilla :: Attachments & Requests, defect)
People
(Reporter: wpvalter, Unassigned)
Details
Attachments
(1 file)
30 bytes,
image/gif
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Build Identifier: 3.0 Release
Creating a text file with malicious JavaScript and saving it as an image attachment will cause Bugzilla to render the script.
Reproducible: Always
Steps to Reproduce:
1. Create a text file containing:
<script>alert("Vulnerable!")</script>
and save it as pic.gif
2. Attach pic.gif to a bug
3. View / edit the attachment
Actual Results:
In this instance I get an alert box, as is the intent
Bug uncovered by Scott Laurie (scott.laurie@hewitt.com)
Unless I'm missing something, I don't think this is particularly major, as you can already create a text/html file with the same script, and it too will be executed (and we do have bugs about how to handle that).
So far, the only way I've managed to get an alert was if I clicked on [view] using IE (which is, well, being helpful). One could argue that we should protect IE users from this by scanning images, but what use is it? No matter what content type we serve, IE will almost certainly sniff. And zipping the file to send it to IE is mostly rude and probably doesn't really help much.
IE:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Firefox:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a7pre) Gecko/2007070404 Minefield/3.0a7pre
With Firefox, none of the following are harmful:
https://bugzilla.mozilla.org/attachment.cgi?id=271677
The image “https://bugzilla.mozilla.org/attachment.cgi?id=271677” cannot be displayed, because it contains errors.
https://bugzilla.mozilla.org/attachment.cgi?id=271677&action=edit
frame containing
The image “https://bugzilla.mozilla.org/attachment.cgi?id=271677” cannot be displayed, because it contains errors.
Edit Attachment As Comment
><HTML><BODY><IMG src="https://bugzilla.mozilla.org/attachment.cgi?id=271677" alt="The image “https://bugzilla.mozilla.org/attachment.cgi?id=271677” cannot be displayed, because it contains errors."/></BODY></HTML>
View Attachment As Diff
The image “https://bugzilla.mozilla.org/attachment.cgi?id=271677&action=diff&headers=0” cannot be displayed, because it contains errors.
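The "scanning images" idea raised in the comment above, as an added example that is not part of the original bug thread and is not Bugzilla's code: it checks that an attachment declared as an image starts with that format's signature and forces a download otherwise. The function names, the HTML-hint pattern (a simplified stand-in, not any browser's sniffing algorithm) and the header policy are assumptions.

```python
import re

# Leading magic bytes for the image types this check understands.
SIGNATURES = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Markup that a content-sniffing browser may take as evidence of HTML.
# Assumption: simplified pattern, not a real browser's rule set.
HTML_HINT = re.compile(rb"<\s*(script|html|body|iframe|img|svg)\b|<!doctype", re.I)


def matches_declared_type(declared, data):
    """True if data begins with a signature of the declared image type."""
    return any(data.startswith(sig) for sig in SIGNATURES.get(declared, ()))


def looks_like_html(data, window=256):
    """True if the first `window` bytes contain HTML-looking markup."""
    return HTML_HINT.search(data[:window]) is not None


def response_headers(declared, data):
    """Headers for serving an attachment declared as `declared`.

    Only verified images are served inline; anything else, including an
    image/HTML polyglot, is sent as an opaque download.
    """
    headers = {"X-Content-Type-Options": "nosniff"}
    if matches_declared_type(declared, data) and not looks_like_html(data):
        headers["Content-Type"] = declared
        headers["Content-Disposition"] = "inline"
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return headers


if __name__ == "__main__":
    # Constructed samples: the report's pic.gif body and a minimal GIF header.
    fake_gif = b'<script>alert("Vulnerable!")</script>'
    real_gif = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
    for name, body in (("pic.gif", fake_gif), ("real.gif", real_gif)):
        print(name, response_headers("image/gif", body))
```
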
Comment 3•17 years ago
(In reply to comment #1)
> can already create a text/html file with the same script, and it too will be
> executed (and we do have bugs about how to handle that).
Exactly. The issue is the same.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Version: unspecified → 3.0
Updated•16 years ago
Group: webtools-security → bugzilla-security
Updated•16 years ago
Group: bugzilla-security → webtools-security
Updated•16 years ago
Group: webtools-security → bugzilla-security
Comment 4•16 years ago
This bug is being removed from the security group because the bug that it is a duplicate of is now public, since it has been fixed and a Security Advisory has been sent about it. See bug 468249 for the Security Advisory.
Group: bugzilla-security