688431 - Cross site scripting by changing content type of attachment file.

Status: VERIFIED INVALID

(Bugzilla :: Bugzilla-General, defect)

Description

[Anil Aphale]

Attachment: bugzilla XSS Vulnerability_1.pdf

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Build ID: 20110902133214

Steps to reproduce:

Steps to reproduce vulnerability:

Step1: Login into application Create new bug
 
Step2: Click on attach test cases and attach the image created for content sniffing
 
Step3: Click on Attached and click on Edit Details and and change the content type to text/html and submit 

Step4: Click on attachment file to execute javascript



Actual results:

JavaScript Got Executed


Expected results:

Javascript should not get executed.

User should not be able to change content type
if it is required at-least text/html and similar content type which browser detect as script able should be disallowed.

Comment 1

[Gervase Markham [:gerv]]

What is the actual vulnerability here? Bugzilla attachments are served from a different domain (one per bug, in fact) and so there is no cookie-stealing risk.

It is a known feature that JavaScript can be uploaded to Bugzilla and, if you click to say you want to execute it, it will be executed. If you can get it to execute automatically, without the victim (which needs to be someone other than the person attaching the file) choosing to execute it, then that might be a vulnerability.

Gerv

Comment 2

[Frédéric Buclin]

There is no XSS as you can have all attachments served from an alterate host. If you didn't enable this feature, then you should. It's well known that attachments aren't filtered in any way, and that the user takes the risk to execute JS. Marking the bug as invalid as the problem described in the bug summary and comment 0 are not bugs, but so by design (and is a public behavior, not something we try to hide).