Bug 785818 (Closed) - Opened 9 years ago, closed 9 years ago

Attachment ID: Bugzilla 4.2.2 persistent cross-site scripting


(Bugzilla :: Attachments & Requests, defect)






(Reporter:, Unassigned)



1 file attached: bugzz.jpg (134.80 KB, image/jpeg)
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20120306 Firefox/3.6.28
Build ID: 20120306064154

Steps to reproduce:

Hello again.

Actual results:

I found an interesting thing in the Attachment ID.

Yes, I created an HTML file, enabled the option to delete the attachment, and added XSS code in the Description.

If it's a new bug (not a duplicate), tell me, and I'll need some time to understand how this happened. I tried and tried with the attachment and... yes, it works :) but I need some time for analysis.

Sorry for my poor English.

Expected results:

What you want..

+ We can upload files in any format (exe, msi, or whatever you want, but that's a small problem, or not a problem).
I'm sorry, but I don't understand... I'm looking at it, and I don't see any XSS. If I click the attachment ID, I get the raw attachment, yes... Where exactly is the XSS besides the attachment itself (which is served from another domain, so the same-origin policy prevents stealing of cookies...)?
Assignee: nobody → attach-and-request
Component: General → Attachments & Requests
Product: → Bugzilla
QA Contact: default-qa
Version: Production → 4.2.2
Yes, now I understand :) Funny. It's maybe dangerous for users. And about the domain, why another domain?
We can see open (for all users, no login and password needed to see them) HTML attachments with XSS code; we can put whatever we want: invisible XSS code, code that downloads a file with a fake page, or whatever else you want. It's really dangerous. Yes, maybe some admins (if you give them the link) who use Bugzilla might say "wtf, it's XSS or fake", but not all admins.
And... I searched all the bugs on and we can see:


It's maybe dangerous for users. (There are many situations where we can use it.) We can see the file without using a username and password.
If you can't prohibit file types like *.exe or *.html or others, because they are needed in Bugzilla, perhaps you should restrict their download to logged-in users only, so anonymous users can't see them. This could increase security.
There is a parameter to prevent attachments from being displayed in the browser and another one to serve attachments from a separate domain to prevent XSS. This is a long and old story; see bug 38862.
Group: bugzilla-security
Closed: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 38862
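The two mitigations the last comment refers to, as an added illustration written for this page (not Bugzilla's own code): a hypothetical attachment handler that either forces every attachment to download, or serves active content inline only from a separate, per-bug attachment origin, so that script inside an uploaded HTML file never runs in the tracker's origin. The field names mirror Bugzilla's `allow_attachment_display` and `attachment_base` parameters; the hostnames, the `serve_attachment` function and its return shape are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

# Content types a browser will run script from when rendered inline.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}


@dataclass
class AttachmentConfig:
    """Hypothetical settings modelled on the two Bugzilla parameters the
    comment refers to. The field names mirror allow_attachment_display and
    attachment_base, but this class is illustration, not Bugzilla code."""
    allow_attachment_display: bool = False  # False: always force a download
    attachment_base: str = ""               # e.g. "https://bug%bugid%.attachments.example/"


def attachment_host(cfg: AttachmentConfig, bug_id: int) -> Optional[str]:
    """Host attachments must be served from, or None when no separate origin is set.
    Expanding %bugid% gives every bug its own origin, so one bug's attachment
    cannot script another bug's attachment either."""
    if not cfg.attachment_base:
        return None
    return urlsplit(cfg.attachment_base.replace("%bugid%", str(bug_id))).hostname


def serve_attachment(
    cfg: AttachmentConfig,
    bug_id: int,
    attachment_id: int,
    request_host: str,
    tracker_host: str,
    content_type: str,
    filename: str,
) -> Dict[str, object]:
    """Decide how an attachment request is answered.

    Returns a dict with 'status', 'headers' and 'renders_in_tracker_origin';
    the flag is True exactly in the configuration the reporter hit: active
    content rendered inline on the tracker's own origin."""
    headers: Dict[str, str] = {"X-Content-Type-Options": "nosniff"}
    sep_host = attachment_host(cfg, bug_id)

    # Mitigation 2: a separate origin is configured, so never serve the body
    # from the tracker host; bounce the browser to the attachment host instead.
    if sep_host is not None and request_host != sep_host:
        headers["Location"] = f"https://{sep_host}/attachment.cgi?id={attachment_id}"
        return {"status": 302, "headers": headers, "renders_in_tracker_origin": False}

    # Keep the filename from breaking out of the quoted header value.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")

    # Mitigation 1: inline display disabled, so every attachment is a download
    # with an inert content type, whatever the uploader declared.
    if not cfg.allow_attachment_display:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
        return {"status": 200, "headers": headers, "renders_in_tracker_origin": False}

    # Inline display allowed. Dangerous only when the content is active and it
    # is rendered on the tracker's own origin (i.e. no attachment_base is set).
    headers["Content-Type"] = content_type
    headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    exposed = content_type in ACTIVE_CONTENT_TYPES and request_host == tracker_host
    return {"status": 200, "headers": headers, "renders_in_tracker_origin": exposed}
```

With the defaults (display disabled) an uploaded HTML file comes back as a download and never executes. Enabling inline display without an attachment base reproduces the situation in this report: the file is rendered as text/html on the tracker origin. With an attachment base set, requests on the tracker host are redirected and the file is rendered only on a throwaway per-bug origin, which is why the responder's point about another domain holds. Whether anonymous users may fetch attachments at all, as the third comment suggests restricting, is a separate access-control decision this handler does not make.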