Closed Bug 387547 Opened 14 years ago Closed 14 years ago

Cross site scripting possible in attachments

Categories

(Bugzilla :: Attachments & Requests, defect)

defect
Not set
critical

RESOLVED DUPLICATE of bug 38862

People

(Reporter: wpvalter, Unassigned)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Build Identifier: 3.0 Release

Creating a text file with malicious JavaScript and saving it as an image attachment will cause Bugzilla to render the script.

Reproducible: Always

Steps to Reproduce:
1. Create a text file containing:

<script>alert("Vulnerable!")</script>

and save it as pic.gif


2. Attach pic.gif to a bug
3. View / edit the attachment

Actual Results:
In this instance I get an alert box, as is the intent


Bug uncovered by Scott Laurie (scott.laurie@hewitt.com)
Attached image per reporter...
Unless I'm missing something, I don't think this is particularly major, as you can already create a text/html file with the same script, and it too will be executed (and we do have bugs about how to handle that).
So far, the only way I've managed to get an alert was if I clicked on [view] using IE (which is, well, being helpful). One could argue that we should protect IE users from this by scanning images, but what use is it? No matter what content type we serve, IE will almost certainly sniff. And zipping the file to send it to IE is mostly rude and probably doesn't really help much.

IE:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)

Firefox:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a7pre) Gecko/2007070404 Minefield/3.0a7pre

With Firefox, none of the following are harmful:
https://bugzilla.mozilla.org/attachment.cgi?id=271677
The image “https://bugzilla.mozilla.org/attachment.cgi?id=271677” cannot be displayed, because it contains errors.

https://bugzilla.mozilla.org/attachment.cgi?id=271677&action=edit
frame containing
The image “https://bugzilla.mozilla.org/attachment.cgi?id=271677” cannot be displayed, because it contains errors.

Edit Attachment As Comment
><HTML><BODY><IMG src="https://bugzilla.mozilla.org/attachment.cgi?id=271677" alt="The image “https://bugzilla.mozilla.org/attachment.cgi?id=271677” cannot be displayed, because it contains errors."/></BODY></HTML>

View Attachment As Diff
The image “https://bugzilla.mozilla.org/attachment.cgi?id=271677&action=diff&headers=0” cannot be displayed, because it contains errors.
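
The "scanning images" idea raised in the comment above, as an added example that is not part of the original bug thread and is not Bugzilla's code: compare the declared content type with the file's leading signature bytes, and force a download for anything that is not a verified image. The function names, the signature table, and the choice of the `X-Content-Type-Options` and `Content-Disposition` headers are assumptions of this example; the sample inputs are constructed.

```python
# Added example: verify that an attachment declared as an image really
# starts with that image format's signature, and pick response headers.

# Leading signature bytes for the image types this example accepts.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Constructed sample inputs: the reporter's script saved as pic.gif,
# and a few bytes that begin with a genuine GIF signature.
SCRIPT_AS_GIF = b'<script>alert("Vulnerable!")</script>'
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"


def detect_image_type(data: bytes):
    """Return the image MIME type whose signature starts the data, else None."""
    for mime, signatures in MAGIC.items():
        if data.startswith(signatures):
            return mime
    return None


def response_headers(declared_type: str, data: bytes) -> dict:
    """Choose headers for serving an uploaded attachment back to a browser."""
    declared = declared_type.split(";")[0].strip().lower()
    # Ask browsers that honour this header not to second-guess Content-Type.
    headers = {"X-Content-Type-Options": "nosniff"}
    if declared in MAGIC and detect_image_type(data) == declared:
        # Declared type and signature agree: render inline as that image.
        headers["Content-Type"] = declared
        headers["Content-Disposition"] = "inline"
    else:
        # Mismatch or non-image type (text/html included): download only.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return headers


if __name__ == "__main__":
    print(response_headers("image/gif", SCRIPT_AS_GIF))
    print(response_headers("image/gif", REAL_GIF))
```

A matching signature does not show that the rest of the file is free of markup, so the check only decides between inline rendering and download; it is not a content filter.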
(In reply to comment #1)
> can already create a text/html file with the same script, and it too will be
> executed (and we do have bugs about how to handle that).

Exactly. The issue is the same.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Version: unspecified → 3.0
Duplicate of bug: 38862
Group: webtools-security → bugzilla-security
Group: bugzilla-security → webtools-security
Group: webtools-security → bugzilla-security
This bug is being removed from the security group because the bug that it is a duplicate of is now public, since it has been fixed and a Security Advisory has been sent about it. See bug 468249 for the Security Advisory.
Group: bugzilla-security