Closed
Bug 868267
(CVE-2013-6674)
Opened 12 years ago
Closed 11 years ago
HTML mail compose self-XSS due to signature text
Categories: MailNews Core :: Security, defect
Tracking
(thunderbird21 affected, thunderbird22 affected, thunderbird23 unaffected, thunderbird24 unaffected, thunderbird-esr17 wontfix)
Status: RESOLVED FIXED
Tracking | Tracking flag | Status
---|---|---
thunderbird21 | --- | affected
thunderbird22 | --- | affected
thunderbird23 | --- | unaffected
thunderbird24 | --- | unaffected
thunderbird-esr17 | --- | wontfix
People
(Reporter: curtisk, Unassigned)
References
Details
(Keywords: reporter-external, sec-moderate)
Attachments
(2 files)
From: <fabiancuchietti@hotmail.com>
To: "security@mozilla.org" <security@mozilla.org>
Subject: SeaMonkey Mail 2.17.1 - Cross-site Scripting Stored.
Date: Thu, 2 May 2013 13:08:24 -0300
-----//-----
Hello Mozilla Security Team,
Today I found a Cross-site Scripting in SeaMonkey Mail.
Details:
Software: SeaMonkey
Version: 2.17.1
Tested on: Windows 7
Vulnerability: Cross-site Scripting Stored
Steps to reproduce:
1) First install SeaMonkey, then open Mail and go to the Accounts option.
2) Click on "View settings for this account".
3) Now select the "signature" text box (labeled "Use HTML" on the left) and insert the following payload:
3.p) "><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4">
4) We save the settings, click OK, and compose a new mail. Cross-site Scripting successful!
Proof of Concept: Screenshots.
Best Regards,
Fabián Cuchietti.
Flags: sec-bounty?
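As an added illustration (not code from the report or from Mozilla, and not the project's actual fix, which the thread does not describe), this Python decodes the base64 data: URI carried by the payload above and shows an allow-list sanitizer for user-supplied HTML signature text that turns the attribute breakout into escaped text and drops the iframe, its data: URL and any script, while keeping ordinary formatting tags. The tag allow-list and the safe URL schemes are assumptions chosen for the demo.

```python
import base64
import html
from html.parser import HTMLParser

# Payload from step 3.p of the report above (constructed sample input for the demo).
PAYLOAD = ('"><iframe src="data:text/html;base64,'
           'PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4">')
# Allow-list for signature markup: formatting only, no frames, scripts or event handlers.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "br", "p", "a"}
SAFE_HREF_SCHEMES = ("http:", "https:", "mailto:")

def decode_data_uri(uri):
    """Return the decoded body of a base64 data: URI, to inspect what a frame would load."""
    header, _, body = uri.partition(",")
    if not header.startswith("data:") or ";base64" not in header:
        raise ValueError("not a base64 data: URI")
    body += "=" * (-len(body) % 4)  # browsers tolerate missing padding; b64decode does not
    return base64.b64decode(body).decode("utf-8", "replace")

class SignatureSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside <script>/<style>, whose bodies are dropped entirely

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED_TAGS:
            href = dict(attrs).get("href") or ""
            keep = tag == "a" and href.strip().lower().startswith(SAFE_HREF_SCHEMES)
            attr = f' href="{html.escape(href, quote=True)}"' if keep else ""
            self.out.append(f"<{tag}{attr}>")  # every other attribute is dropped

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=True))  # the stray '">' ends up as text

def sanitize_signature(signature_html):
    """Rebuild signature HTML from allow-listed tags only before placing it in the compose document."""
    parser = SignatureSanitizer()
    parser.feed(signature_html)
    parser.close()
    return "".join(parser.out)
```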
Comment 1•12 years ago
Comment 2•12 years ago
Comment 3•12 years ago
This is also found in Thunderbird.
Comment 4•12 years ago
Yes, Dveditz confirmed it works on Thunderbird yesterday.
Comment 5•12 years ago
When will this update come?
Comment 6•12 years ago
Marking sec-high, csec-sop based on provided description.
Comment 7•12 years ago
Oh this requires user trickery so removing sec-high. We're thinking sec-moderate at most, but needinfo Dan since he has looked at this.
Flags: needinfo?(dveditz)
Comment 8•12 years ago
Of course, but this is a Stored XSS (CRITICAL).
Comment 9•12 years ago
Nor is it necessary to trick the user; this is stored.
Comment 10•12 years ago
It isn't critical if you need to convince the user to store it for you.
Comment 11•12 years ago
OK, I thought it would be stored critical for this application.
Comment 12•12 years ago
I just checked, it works well if the victim answers the mail.
Flags: needinfo?(dveditz)
Comment 13•12 years ago
Could they check?
Comment 14•12 years ago
duplicate reported, added coolsiddheshgawade@gmail.com as cc
Updated•12 years ago
Product: SeaMonkey → MailNews Core
Summary: XSS in Seamonkey mail → HTML mail compose self-XSS due to signature text
Version: SeaMonkey 2.17 Branch → unspecified
Comment 15•12 years ago
I've just done a bit of testing. This seems to affect Thunderbird 22 and older. 23 and 24 are unaffected. At the moment, I suspect there's probably been some core change, but I'll need to dig into it.
With a bit more testing, this doesn't affect reading email, but there is an attack vector if the sender can get the receiver to respond or forward the email. I think sec-moderate is about right here.
status-thunderbird21: --- → affected
status-thunderbird22: --- → affected
status-thunderbird23: --- → unaffected
status-thunderbird24: --- → unaffected
status-thunderbird-esr17: --- → affected
Comment 17•12 years ago
The original symptoms aren't quite up to security bug bounty level, but it did prompt us to investigate and discover the somewhat worse symptoms Mark described in comment 15. Awarding a split bounty for this one.
Updated•12 years ago
Flags: sec-bounty? → sec-bounty+
Comment 18•11 years ago
As I've just commented on bug 875818 comment 24:
Now Thunderbird 17.0.x series is obsolete and updates have been offered to TB 17esr users, I have re-tested Thunderbird 24.0.x and it is still unaffected by this issue. Therefore resolving this as WFM.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Comment 19•11 years ago
Marking fixed so it gets on the radar for a vuln note. See https://bugzilla.mozilla.org/show_bug.cgi?id=875818#c27 for more.
Resolution: WORKSFORME → FIXED
Updated•11 years ago
Alias: CVE-2013-6674
Comment 20•11 years ago
Opening up this bug since it has been fixed for some time and is being discussed publicly.
Group: core-security
Comment 21•11 years ago
All credits to Ateeq ur Rehman Khan? I was the first who reported this.
Comment 22•11 years ago
(In reply to Fabian Cuchietti from comment #21)
> All credits to Ateeq ur Rehman Khan? I was the first who reported this.
Credits where? Are you seeing us crediting them somewhere?
Updated•11 years ago
Flags: needinfo?(abillings)
Updated•11 years ago
Flags: needinfo?(abillings)
Updated•9 months ago
Keywords: reporter-external