Closed Bug 897639 Opened 12 years ago Closed 12 years ago

self-xss in thunderbird :: new mail filter

Categories

(Thunderbird :: Security, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 875818

People

(Reporter: curtisk, Unassigned)

References

Details

(Keywords: reporter-external, Whiteboard: [sg:dupe 875818][reporter-external])

From: =?iso-8859-1?B?RmFiaeFuIEN1Y2hpZXR0aQ==?= <fabiancuchietti@hotmail.com>
To: "security@mozilla.org" <security@mozilla.org>
Subject: Self-xss in Thunderbird
Date: Wed, 24 Jul 2013 15:11:38 -0300

-----//-----

Hello,

I discovered another self-xss in Thunderbird: when composing a new mail, the HTML editor does not filter properly.

Steps to reproduce:
1) Compose a mail
2) Insert
3) HTML...
4) Now insert the following payload: "><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4">
Flags: sec-bounty?
This looks like the same underlying editor issue as bug 875818
Group: core-security
Depends on: wiretap
(In reply to Daniel Veditz [:dveditz] from comment #1)
> This looks like the same underlying editor issue as bug 875818

Daniel, could you add me to the CC list of "875818"?
Any response?
This is the same test case as bug 875818 comment 0 with the first POC. The only difference is an object versus iframe. Hence marking this as duplicate.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
This issue is in Editor. "Self-xss" No in reply.
Sure, in this bug you're self-injecting HTML right into your own copy of the editor. We're more concerned about the reply/forward case because then the HTML fragment comes from a potential attacker, but either way it's bad filtering in the editor itself. The only difference is how the bad HTML gets in there, but it's going to be fixed by the same filter in the editor.
Flags: sec-bounty? → sec-bounty-
Whiteboard: [reporter-external] → [sg:dupe 875818][reporter-external]
Group: mail-core-security
Group: core-security