Attachment ID bugzilla 4.2.2 cross site scripting persistent

RESOLVED DUPLICATE of bug 38862

(Reporter: insecurity.ro, Unassigned)

Description (Reporter, 6 years ago)

Created attachment 655548: bugzz.jpg (134.80 KB, image/jpeg)

User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Build ID: 20120306064154

Steps to reproduce:

Hello again.
Actual results:

I found an interesting thing in the Attachment ID.

http://bug17583.1zxl51jv7q3c.demo.bugzilla.org/attachment.cgi?id=2344

Yes, I created an HTML file, enabled the option to delete the attachment, and added XSS code in the Description.

Video:

http://www.youtube.com/watch?v=Xqez9C2bqyE

If it's a new bug (not a duplicate), tell me; I need some time to understand how this happened. I tried and tried with the attachment and... yes, it works :) but I need some time for analysis.

Sorry for my poor English.

Expected results:

Whatever you want...

+ we can upload files in formats like exe, msi or whatever you want (but that's a little problem, or not a problem).
Comment 1

I'm sorry, but I don't understand... I'm looking at https://1zxl51jv7q3c.demo.bugzilla.org/attachment.cgi?id=2344&action=delete, and I don't see any XSS. If I click the attachment ID, I get the raw attachment, yes... Where exactly is the XSS besides the attachment itself (which is served from another domain, so the same-origin policy prevents stealing of cookies...
Assignee: nobody → attach-and-request
Component: General → Attachments & Requests
Product: bugzilla.mozilla.org → Bugzilla
QA Contact: default-qa
Version: Production → 4.2.2
Comment 2 (Reporter, 6 years ago)
Yes. Now I understand :) Funny. But... it's maybe dangerous for users. And about the domain, http://i49.tinypic.com/2vcb195.jpg, why another domain?

We can see HTML attachments with XSS code open (for all users; you don't need a login and password to see this). We can put in whatever we want: invisible XSS code, code that downloads a file with a fake page, or whatever else you want. It's really dangerous. Yes, maybe some admins who use Bugzilla (if you give them the link) will say "wtf, it's XSS or fake", but not all admins.
Comment 4 (Reporter, 6 years ago)
And... I searched all bugs on bugzilla.org and we can see:

example:

https://bugzilla.mozilla.org/attachment.cgi?id=563030
(.exe)

It's maybe dangerous for users. (There are many situations where we can use it.) We can see the file without using a username and password.
If you can't prohibit file types like *.exe or *.html or others, because they are needed in Bugzilla, perhaps you should restrict their download to logged-in users only, so anonymous users can't see them. This could increase security.

Comment 5 (6 years ago)
There is a parameter to prevent attachments from being displayed in the browser and another one to serve attachments from a separate domain to prevent XSS. This is a long and old story, see bug 38862.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 38862
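The two mitigations comment 5 refers to (no inline display at all, or inline display only from a separate origin) decide how a stored HTML attachment like the one in this report is delivered. The following is an added example, not Bugzilla's own code; the setting names `allow_display` and `attachment_base` are this example's stand-ins for the two parameters, which the page does not name, and the origins `bugs.example.test` / `attach.example.test` are constructed. It also handles the configuration this bug describes (inline display on, no separate origin) by refusing to render active content on the main origin.

```python
"""Added example (not Bugzilla's code): deciding how one attachment is served.

Assumed stand-in settings (the page does not name the real parameters):
  allow_display   - whether attachments may be rendered inline in a browser
  attachment_base - a separate origin from which inline attachments are served

Rule enforced: active content (HTML, SVG, XML) is never rendered inline on
the main origin, so a stored HTML attachment cannot run with the site's
cookies or session.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# MIME types a browser interprets as a document that can run script.
ACTIVE_CONTENT = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def _download(filename: str) -> Response:
    # Strip characters that could break out of the quoted filename parameter.
    safe = "".join(c for c in filename if c not in '"\r\n;')
    return Response(200, {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",  # no sniffing text/plain into HTML
    })


def _inline(content_type: str) -> Response:
    return Response(200, {
        "Content-Type": content_type,
        "Content-Disposition": "inline",
        "X-Content-Type-Options": "nosniff",
    })


def serve_attachment(attachment_id: int, content_type: str, filename: str,
                     request_origin: str, allow_display: bool = False,
                     attachment_base: Optional[str] = None) -> Response:
    """Decide how one stored attachment is delivered for a given request."""
    mime = content_type.split(";")[0].strip().lower()

    # Setting 1: inline display disabled -> everything is a download.
    if not allow_display:
        return _download(filename)

    # Setting 2: a separate origin exists -> inline viewing only happens there,
    # where no session cookie of the main site is in scope.
    if attachment_base:
        if urlsplit(request_origin).netloc != urlsplit(attachment_base).netloc:
            base = attachment_base.rstrip("/")
            return Response(302, {
                "Location": f"{base}/attachment.cgi?id={attachment_id}",
            })
        return _inline(content_type)

    # Inline display allowed but no separate origin: the configuration this
    # bug describes. Refuse to render active content in the main origin.
    if mime in ACTIVE_CONTENT:
        return _download(filename)
    return _inline(content_type)


if __name__ == "__main__":
    # Constructed request: an HTML attachment fetched from the main origin
    # under the weak configuration (inline display on, no separate origin).
    r = serve_attachment(2344, "text/html", "attachment.html",
                         "https://bugs.example.test", allow_display=True)
    print(r.status, r.headers["Content-Disposition"])
```

With `allow_display` off, every attachment (including the .exe mentioned in comment 4) is still downloadable, just never rendered; with an `attachment_base` set, a request on the main origin is redirected and the HTML only ever renders on the attachment origin. The `nosniff` header is added in every branch so a `text/plain` upload containing markup is not promoted to HTML by the browser.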