Closed Bug 877643 Opened 8 years ago Closed 8 years ago

XSS in bugzilla attachments

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 38862

People

(Reporter: curtisk, Unassigned)

Details

Received: by 10.66.41.17 with HTTP; Thu, 30 May 2013 06:29:56 -0700 (PDT)
Date: Thu, 30 May 2013 18:59:56 +0530
Subject: Stored XSS in bugzilla
From: Siddhesh Gawde <coolsiddheshgawade@gmail.com>
To: Mozilla Security <security@mozilla.org>
-----//-----
Hello ,
I have found an Stored xss on bugzilla subdomain.

Poc:
Make an account-->File a bug-->Upload an HTML file containing the
following vector

<script>alert(document.domain)</script>
<script>alert(1)</script>

And submit the bug.
When any person will click on the attachment to check the poc or pic
,XSS will occur.

Eg:

http://attach.landfill.bugzilla.org/bugzilla-4.4-branch/attachment.cgi?id=2831
Status: NEW → UNCONFIRMED
Ever confirmed: false
Also the above link works even if you are not signed into your account ,it dosent show account error of authentication.
So this can be used to spread malicious files also like .exe .php etc.
please search for duplicates before filing bugs, this has been reported many times.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 38862
<sigh> This is a dupe. Perhaps we should put a document up explaining our position on this? It seems like this gets "discovered" about every 2 weeks...

Gerv
Flags: sec-bounty-
You need to log in before you can comment on or make changes to this bug.