Closed
Bug 868267
(CVE-2013-6674)
Opened 11 years ago
Closed 11 years ago
HTML mail compose self-XSS due to signature text
Categories
(MailNews Core :: Security, defect)
MailNews Core
Security
Tracking
(thunderbird21 affected, thunderbird22 affected, thunderbird23 unaffected, thunderbird24 unaffected, thunderbird-esr17 wontfix)
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
thunderbird21 | --- | affected |
thunderbird22 | --- | affected |
thunderbird23 | --- | unaffected |
thunderbird24 | --- | unaffected |
thunderbird-esr17 | --- | wontfix |
People
(Reporter: curtisk, Unassigned)
References
Details
(Keywords: sec-moderate)
Attachments
(2 files)
From: <fabiancuchietti@hotmail.com>
To: "security@mozilla.org" <security@mozilla.org>
Subject: SeaMonkey Mail 2.17.1 - Cross-site Scripting Stored.
Date: Thu, 2 May 2013 13:08:24 -0300

-----//-----

Hello Mozilla Security Team,

Today I found a Cross-site Scripting in Sea Monkey Mail.

Details:
Software: Sea Monkey
Version: 2.17.1
Tested on: Windows 7
Vulnerability: Cross-site Scripting Stored

Steps to reproduce:
1) First install SeaMonkey, then open Mail and go to the Accounts option.
2) Click on "View settings for this account".
3) Now select the text box of "signature" left labeled "Use HTML" and insert the following payload:
3.p) "><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4">
4) We save the settings, click OK, and compose a new mail. Cross-site Scripting successfully!

Proof of Concept: Screenshots.

Best Regards,
Fabián Cuchietti.
Flags: sec-bounty?
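The report above shows signature text reaching the HTML compose editor as raw markup. As an added example, not Mozilla's code and not part of this bug report, the JavaScript below is one defensive treatment of such a field: the signature is rebuilt from HTML-escaped text plus a short allowlist of formatting tags, with every attribute dropped except an `href` on `<a>` that uses an http, https or mailto scheme. Disallowed tags (the `iframe` in the reported payload included) are discarded rather than passed through. The tag allowlist, the scheme rule and the function names are assumptions chosen for illustration.

```javascript
// Constructed example: allowlist sanitizer for an HTML mail signature field.
// Design rule: output is built only from escaped text and tags we explicitly
// emit, so nothing from the input markup is copied through unchanged.
const ALLOWED_TAGS = new Set(["b", "i", "u", "em", "strong", "p", "br", "a"]);
const SAFE_HREF = /^(https?:|mailto:)/i; // assumed policy: no data:, javascript:, etc.

// Escape the characters that can change HTML context (text or attribute).
function escapeText(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Walk the signature, escaping text runs and re-emitting only allowlisted tags.
function sanitizeSignature(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    const gt = html.indexOf(">", lt);
    if (gt === -1) { out += escapeText(html.slice(lt)); break; } // unterminated tag: treat as text
    const tag = html.slice(lt + 1, gt);
    const m = /^(\/?)([a-zA-Z][a-zA-Z0-9]*)/.exec(tag);
    if (m && ALLOWED_TAGS.has(m[2].toLowerCase())) {
      const name = m[2].toLowerCase();
      if (m[1] === "/") {
        out += `</${name}>`;
      } else if (name === "a") {
        // Keep href only when its scheme is on the safe list; all other attributes go.
        const href = /\bhref\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
        const target = href ? (href[2] ?? href[3] ?? href[4]) : "";
        out += SAFE_HREF.test(target.trim()) ? `<a href="${escapeText(target)}">` : "<a>";
      } else {
        out += `<${name}>`;
      }
    }
    // Any tag not on the allowlist (script, iframe, img, ...) is dropped entirely.
    i = gt + 1;
  }
  return out;
}

// Convenience check a settings dialog could run before storing the signature.
function signatureChangedBySanitizer(html) {
  return sanitizeSignature(html) !== html;
}

// The payload quoted in the bug description, used here as constructed test input.
const REPORTED_PAYLOAD =
  '"><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4">';

console.log(sanitizeSignature(REPORTED_PAYLOAD));       // &quot;&gt;
console.log(sanitizeSignature('<b>Regards,</b><br><a href="https://example.com">site</a>'));
```

With this approach the "Use HTML" box still lets a user keep bold text and links, but the quote-and-angle-bracket prefix in the reported payload becomes inert escaped text and the `iframe` never appears in the compose document.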
Comment 1•11 years ago (Reporter)
Comment 2•11 years ago (Reporter)
Comment 3•11 years ago
This too found in Thunderbird.
Comment 4•11 years ago
Yes, Dveditz confirmed it works on Thunderbird yesterday.
Comment 5•11 years ago
When this update will come?
Comment 6•11 years ago
Marking sec-high, csec-sop based on provided description.
Comment 7•11 years ago
Oh this requires user trickery so removing sec-high. We're thinking sec-moderate at most, but needinfo Dan since he has looked at this.
Flags: needinfo?(dveditz)
Comment 8•11 years ago
Of course, but this is a stored XSS (CRITICAL).
Comment 9•11 years ago
Nor is it necessary to trick the user; this is stored.
Comment 10•11 years ago
It isn't critical if you need to convince the user to store it for you.
Comment 11•11 years ago
OK, I thought it would be stored critical for this application.
Comment 12•11 years ago
I just checked, it works well if the victim answers the mail.
Flags: needinfo?(dveditz)
Comment 13•11 years ago
They could check?
Comment 14•11 years ago (Reporter)
duplicate reported, added coolsiddheshgawade@gmail.com as cc
Updated•11 years ago
Product: SeaMonkey → MailNews Core
Summary: XSS in Seamonkey mail → HTML mail compose self-XSS due to signature text
Version: SeaMonkey 2.17 Branch → unspecified
Comment 15•11 years ago
I've just done a bit of testing. This seems to affect Thunderbird 22 and older. 23 and 24 are unaffected. At the moment, I suspect there's probably been some core change, but I'll need to dig into it. With a bit more testing, this doesn't affect reading email, but there is an attack vector if the sender can get the receiver to respond or forward the email. I think sec-moderate is about right here.
status-thunderbird21: --- → affected
status-thunderbird22: --- → affected
status-thunderbird23: --- → unaffected
status-thunderbird24: --- → unaffected
status-thunderbird-esr17: --- → affected
Comment 17•11 years ago
The original symptoms aren't quite up to security bug bounty level, but it did prompt us to investigate and discover the somewhat worse symptoms Mark described in comment 15. Awarding a split bounty for this one.
Updated•11 years ago
Flags: sec-bounty? → sec-bounty+
Comment 18•11 years ago
As I've just commented on bug 875818 comment 24: Now Thunderbird 17.0.x series is obsolete and updates have been offered to TB 17esr users, I have re-tested Thunderbird 24.0.x and it is still unaffected by this issue. Therefore resolving this as WFM.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Comment 19•10 years ago
Marking fixed so it gets on the radar for a vuln note. See https://bugzilla.mozilla.org/show_bug.cgi?id=875818#c27 for more.
Resolution: WORKSFORME → FIXED
Updated•10 years ago
Alias: CVE-2013-6674
Comment 20•10 years ago
Opening up this bug since it has been fixed for some time and is being discussed publicly.
Group: core-security
Comment 21•10 years ago
All credits to Ateeq ur Rehman Khan? I was the first who reported this.
Comment 22•10 years ago
(In reply to Fabian Cuchietti from comment #21)
> All credits to Ateeq ur Rehman Khan? I was the first who reported this.

Credits where? Are you seeing us crediting them somewhere?
Updated•10 years ago
Flags: needinfo?(abillings)
Updated•10 years ago
Flags: needinfo?(abillings)