Closed Bug 763346 Opened 12 years ago Closed 12 years ago

Clickjacking is possible in buglist.cgi?bug_id=somebug&tweak=1 on Firefox

Categories

(Bugzilla :: Query/Bug List, defect)

Product:
Bugzilla
Component:
Query/Bug List
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 761667

People

(Reporter: netfuzzerr, Unassigned)

References

(
URL
)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1163.0 Safari/537.1

Steps to reproduce:

Hi,

Firefox ignores X-FRAME-OPTIONS when Content-disposition:inline; filename="bugs-2012-06-10.html" is setted and may allow clickjacking attacks.

Patch may be change stuff to Content-disposition:download; filename="bugs-2012-06-10.html" or just add framebuster on page source "<script>if(top.location != self.location) top.location = self.location; }</script>".

PoC: data:text/html,<iframe height=800 width=800 frameborder=0 src="https://landfill.bugzilla.org/bugzilla-tip/buglist.cgi?bug_id=17249&tweak=1" border=0></iframe>

Works only on Firefox.

Cheers,
Mario.
Just correcting, framebuster is "<script>if(top.location != self.location) top.location = self.location;</script>".
This has nothing to do with Content-disposition. It's a bug in Firefox, not in Bugzilla.

Keeping this bug in the security group till bug 761667 is fixed.
Assignee: general → query-and-buglist
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Component: Bugzilla-General → Query/Bug List
Resolution: --- → DUPLICATE
May I see the problem?

(In reply to Frédéric Buclin from comment #2)
> This has nothing to do with Content-disposition. It's a bug in Firefox, not
> in Bugzilla.
> 
> Keeping this bug in the security group till bug 761667 is fixed.
> 
> *** This bug has been marked as a duplicate of bug 761667 ***
Fixed in Firefox 22, see https://www.mozilla.org/security/announce/2013/mfsa2013-58.html
Group: bugzilla-security
You need to log in before you can comment on or make changes to this bug.