Closed Bug 728892 Opened 13 years ago Closed 11 years ago

The attachment "Details" page is still vulnerable to Clickjacking with SVG or XHTML attachments

Categories

(Bugzilla :: Attachments & Requests, defect)

Product:
Bugzilla
Component:
Attachments & Requests
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 5.0

People

(Reporter: netfuzzerr, Assigned: LpSolit)

Details

Attachments

(1 file, 1 obsolete file)

patch, v1
1.85 KB, patch
justdave
: review+
Details | Diff | Splinter Review
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.21 (KHTML, like Gecko) Chrome/19.0.1041.0 Safari/535.21 Steps to reproduce: Hello, The page "attachment.cgi?id=2466&action=edit" still vulnerable to clickjacking in attachment SVG and XHTML. PoC: https://landfill.bugzilla.org/bugzilla-tip/attachment.cgi?id=2466&action=edit Cheers, Mairo.
No need to restrict this bug to the security group as the discussion started publicly in bug 716283, see bug 716283 comment 19 - 24.
Assignee: general → attach-and-request
Group: bugzilla-security
Status: UNCONFIRMED → NEW
Component: Bugzilla-General → Attachments & Requests
Ever confirmed: true
Target Milestone: --- → Bugzilla 4.0
Version: unspecified → 4.2
Summary: Clickjacking in the attachment "Details" still vulnerable to Clickjacking. → The attachment "Details" page is still vulnerable to Clickjacking with SVG or XHTML attachments
Sorry I forgot that. :}
FWIW, I think that any decision about what a "safe" content type is will just be a slippery slope. As soon as we have to make that decision, we're in an arms race that we'll never win. Whitelisting would certainly be safer, but it would then remove some fairly significant functionality that users expect. And as I've mentioned before (and has been proven out) you can't actually predict that *any* content-type will be safe. I really don't have a good solution here off the top of my head, except perhaps to start to hook up some sort of heuristic analyzer to incoming Bugzilla attachments that could somehow warn you if they're malicious? I think some input from some more-versed security folks would be much appreciated here. Perhaps there are some modern browser features we could take advantage of, or something that would protect us from these sorts of issues?
A good patch for this can be dont trust in no extension. Show the stuff only in text/plain. (In reply to Max Kanat-Alexander from comment #3) > FWIW, I think that any decision about what a "safe" content type is will > just be a slippery slope. As soon as we have to make that decision, we're in > an arms race that we'll never win.
Target Milestone: Bugzilla 4.0 → ---
Attached file code.js (obsolete) —
What is your last attachment intended to show, and how? Clicking it I get "Attachment is not viewable in your browser because its MIME type (application/octet-stream) is not one that your browser is able to display. Download the attachment."
Flags: needinfo?(netfuzzerr)
Flags: needinfo?(netfuzzerr)
Attached patch patch, v1Splinter Review
Using 'sandbox' alone with no values blocks everything. Per the HTML5 spec: "the embedded page has scripting disabled, plugins disabled, forms disabled, and it cannot navigate any frames or windows other than itself (or any frames or windows it itself embeds)."
Assignee: attach-and-request → LpSolit
Attachment #783726 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8383623 - Flags: review?(justdave)
Target Milestone: --- → Bugzilla 5.0
Attachment #8383623 - Flags: review?(justdave) → review+
Flags: approval?
Flags: approval? → approval+
If you don't like this commit message, blame mcote and git for not listing files added/modified/deleted. I suppose bmo won't linkify it, despite it has all the info it needs to know which repo and branch I'm talking about. To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git d51abfd..ca7b39a master -> master
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: