Closed Bug 716265 Opened 13 years ago Closed 13 years ago

Bugzilla HTML attached allow redirect users.

Categories

(Bugzilla :: Attachments & Requests, defect)

Product:
Bugzilla
Component:
Attachments & Requests
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 554121

People

(Reporter: netfuzzerr, Unassigned)

Details

Attachments

(4 files)

repro.html
57 bytes, text/html
Details
only a test, ignore.
119 bytes, text/html
Details
test only.
105 bytes, text/html
Details
test
261 bytes, text/html
Details
Attached file repro.html 
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Steps to reproduce:

Hello,

There is a vulnerability in Bugzilla that allows an attachment to redirect users to other sites when clicking "Details" if the attached "text / html" contain a script by manipulating the "top" of javascript allows you to redirect scripts.

Reproduce:
1. Click in details on file attached.
2. see you be redirected to Google.

Regards,
Mario
Attachment #586718 - Attachment mime type: text/plain → text/html
Attached file only a test, ignore. 

    
    

    
  
Comment on attachment 586723 [details]
only a test, ignore.

><iframe src="https://landfill.bugzilla.org/bugzilla-tip/userprefs.cgi?tab=account" height="1000" width="1000"></iframe>

        Attachment #586723 -
        Attachment mime type: text/plain → text/htm

    
  

        Attachment #586723 -
        Attachment mime type: text/htm → text/html

    
    

    
  
Comment on attachment 586723 [details]
only a test, ignore.

<iframe src="https://bugzilla.mozilla.org/userprefs.cgi?tab=account" height="1000" width="1000"></iframe>

    
    

    
  

      
      
      
      

        Attached file
          
        test only.
      

    


  

    
  

        Attachment #586724 -
        Attachment mime type: text/plain → text/html

    
    

    
  

      
      
      
      

        Attached file
          
        test
      

    


  

    
    

    
  
Comment on attachment 586725 [details]
test

><iframe id="iframe" src="https://bugzilla.mozilla.org/userprefs.cgi?tab=account" height="1000" width="1000" onload="c();"></iframe>
><script>
>function c(){
>e=document.getElementById("iframe").contentDocument.getElementById("bugzilla-body");
>alert(e);
>}
></script>

        Attachment #586725 -
        Attachment mime type: text/plain → text/html

    
    

    
  
We already asked you to not use this Bugzilla installation for your testing! Please use landfill instead.

There is nothing new here which hasn't been discussed several times.
Assignee: general → attach-and-request
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Component: Bugzilla-General → Attachments & Requests
Resolution: --- → DUPLICATE

    
    

    
  
I'm sorry, i was study a clickjacking vulnerability in landfill, i was only checking if works too in bugzilla.

    
    

    
  
Bug 554121 is a more accurate bug to point to.

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: