Status

Thunderbird
Security
P1
critical
RESOLVED DUPLICATE of bug 875818
5 years ago
4 years ago

People

(Reporter: Mahadev Subedi, Unassigned)

Tracking

17 Branch
x86_64
Windows 7
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Created attachment 784687 [details]
thunderbird xss screenshot while clicking on reply when a malicious mail comes & victim click on replies

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36

Steps to reproduce:

Hi, there is cross site scripting vulnerability in Mozilla Thunderbird , a popular email client :
Details :
+ Version : Thunderbird 17.07 ( latest)
+ Win 7 : OS
+ Reporter : Mahadev Subedi (@blinkms)

Simply, open Mozilla Thunderbird :
++ Go to File > New > Message
++ Go to Insert > HTML
++ Paste the following html code and click Insert .
Code to paste : 
<iframe/src=data:text/html;base64,PHNjcmlwdD5wcm9tcHQoL0BibGlua21zLU1haGFkZXYtU3ViZWRpLyk8L3NjcmlwdD4=>

++ XSS / java script prompt comes with message /@blinkms-Mahadev-Subedi/

Then, how to attack :

Simply create a html  mail that contains malicious java script code  like above that works in thunderbird , send it 

to any user who uses thunderbird.

Then, when victim opens the mail he will see empty iframe , but when victim click on reply or reply all or forward 

, javascript would be executed .

(SCREENSHOT ATTACHED)

Note: We can directly attack victim with other attacking methods as well . 
# This was simple explaination . FFTC (feel free to contact) 
#Reporting.....


Actual results:

HTML & on* event js attributes on Thunderbird are not properly sanitized .


Expected results:

HTML & js events are not correctly parse, they should have restricted preview .
(Reporter)

Updated

5 years ago
Severity: normal → critical
Component: Untriaged → Security
Priority: -- → P1
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 875818
(Reporter)

Comment 2

5 years ago
Status:	RESOLVED DUPLICATE of bug 875818 (edit)
  Then if it's duplicate cc me I m not seeing this bug
As presented this bug is a duplicate of bug 875818 and as a previously reported issue cannot get a bounty. However,

(In reply to Mahadev Subedi from comment #0)
> Note: We can directly attack victim with other attacking methods as well 

if your other-methods don't involve replies/forwards of mail with HTML fragments in them then please file a separate bug or email our security address.

We know the editor filtering is broken on a class of things, and are testing the fix in Early Bird.
http://www.mozilla.org/en-US/thunderbird/channel/
Flags: sec-bounty? → sec-bounty-
Group: core-security
You need to log in before you can comment on or make changes to this bug.