Closed
Bug 688431
Opened 13 years ago
Closed 13 years ago
Cross site scripting by changing content type of attachment file.
Categories
(Bugzilla :: Bugzilla-General, defect)
VERIFIED
INVALID
People
(Reporter: 41.w4r10r, Unassigned)
Attachments
(1 file: 402.36 KB, application/pdf)
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Build ID: 20110902133214

Steps to reproduce:

Steps to reproduce vulnerability:
Step1: Log in to the application. Create a new bug.
Step2: Click on attach test cases and attach the image created for content sniffing.
Step3: Click on Attached, click on Edit Details, change the content type to text/html and submit.
Step4: Click on the attachment file to execute JavaScript.

Actual results:

JavaScript got executed.

Expected results:

JavaScript should not get executed. The user should not be able to change the content type; if that is required, at least text/html and similar content types which the browser detects as scriptable should be disallowed.
Comment 1•13 years ago
What is the actual vulnerability here? Bugzilla attachments are served from a different domain (one per bug, in fact) and so there is no cookie-stealing risk. It is a known feature that JavaScript can be uploaded to Bugzilla and, if you click to say you want to execute it, it will be executed.

If you can get it to execute automatically, without the victim (which needs to be someone other than the person attaching the file) choosing to execute it, then that might be a vulnerability.

Gerv
Comment 2•13 years ago
There is no XSS as you can have all attachments served from an alternate host. If you didn't enable this feature, then you should. It's well known that attachments aren't filtered in any way, and that the user takes the risk to execute JS.

Marking the bug as invalid, as the problem described in the bug summary and comment 0 is not a bug but is so by design (and is a public behavior, not something we try to hide).
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Updated•13 years ago
Status: RESOLVED → VERIFIED
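
The isolation argument in comments 1 and 2 (attachments served from a separate host cannot reach the main site's session cookie) can be checked for a given deployment. This is an added example, not part of the original bug report or Bugzilla's code; the hostnames and the cookie object shape are constructed assumptions. It also covers the case where the attachment host is a different origin but a cookie scoped to the parent domain is still sent to it.

```javascript
// Added example (not Bugzilla code). Hostnames and the cookie object shape
// are constructed assumptions used only for illustration.

// RFC 6265 section 5.1.3 domain-match for hostnames (IP addresses not handled).
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// cookie.domain === null models a host-only cookie (no Domain attribute).
function cookieSentTo(cookie, targetHost) {
  if (cookie.domain === null) {
    return targetHost.toLowerCase() === cookie.setBy.toLowerCase();
  }
  return domainMatch(targetHost, cookie.domain);
}

// Compare the main site with the host an attachment is served from.
function auditAttachmentHost(mainUrl, attachmentUrl, cookie) {
  const main = new URL(mainUrl);
  const att = new URL(attachmentUrl);
  return {
    sameOrigin: main.origin === att.origin,
    cookieExposed: cookieSentTo(cookie, att.hostname),
  };
}

const MAIN = "https://bugzilla.example.org/show_bug.cgi?id=1";
const HOST_ONLY = { setBy: "bugzilla.example.org", domain: null };
const WIDE = { setBy: "bugzilla.example.org", domain: "example.org" };

const cases = {
  // Attachments on the main host: script in an attachment shares the origin.
  sameHost: auditAttachmentHost(MAIN,
    "https://bugzilla.example.org/attachment.cgi?id=10", HOST_ONLY),
  // Separate per-bug host, host-only session cookie: isolated.
  perBugHost: auditAttachmentHost(MAIN,
    "https://bug1.attachments.example.net/attachment.cgi?id=10", HOST_ONLY),
  // Sibling subdomain plus a cookie scoped to the parent domain: the origin
  // differs, but the browser still sends the cookie to the attachment host.
  siblingWideCookie: auditAttachmentHost(MAIN,
    "https://bug1.attachments.example.org/attachment.cgi?id=10", WIDE),
};

for (const [name, result] of Object.entries(cases)) {
  console.log(name, result);
}
```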