Closed Bug 900768 Opened 12 years ago Closed 12 years ago

XSS in Thunderbird

Categories

(Thunderbird :: Security, defect, P1)

17 Branch
x86_64
Windows 7
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 875818

People

(Reporter: subedimahadev, Unassigned)

References

()

Details

(Keywords: reporter-external)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36

Steps to reproduce:

Hi, there is a cross-site scripting vulnerability in Mozilla Thunderbird, a popular email client.

Details:
+ Version: Thunderbird 17.07 (latest)
+ OS: Win 7
+ Reporter: Mahadev Subedi (@blinkms)

Simply open Mozilla Thunderbird:
++ Go to File > New > Message
++ Go to Insert > HTML
++ Paste the following HTML code and click Insert.

Code to paste:
<iframe/src=data:text/html;base64,PHNjcmlwdD5wcm9tcHQoL0BibGlua21zLU1haGFkZXYtU3ViZWRpLyk8L3NjcmlwdD4=>

++ XSS / JavaScript prompt comes up with the message /@blinkms-Mahadev-Subedi/

Then, how to attack: simply create an HTML mail that contains malicious JavaScript code like the above that works in Thunderbird, and send it to any user who uses Thunderbird. Then, when the victim opens the mail he will see an empty iframe, but when the victim clicks on Reply, Reply All or Forward, the JavaScript will be executed. (SCREENSHOT ATTACHED)

Note: We can directly attack the victim with other attacking methods as well.

# This was a simple explanation. FFTC (feel free to contact)
# Reporting.....

Actual results:
HTML & on* event JS attributes in Thunderbird are not properly sanitized.

Expected results:
HTML & JS events are not correctly parsed; they should have a restricted preview.
Severity: normal → critical
Component: Untriaged → Security
Priority: -- → P1
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED DUPLICATE of bug 875818

Then if it's a duplicate, CC me. I'm not seeing this bug.
As presented this bug is a duplicate of bug 875818 and, as a previously reported issue, cannot get a bounty. However,

(In reply to Mahadev Subedi from comment #0)
> Note: We can directly attack victim with other attacking methods as well

if your other methods don't involve replies/forwards of mail with HTML fragments in them, then please file a separate bug or email our security address. We know the editor filtering is broken on a class of things, and are testing the fix in Early Bird. http://www.mozilla.org/en-US/thunderbird/channel/
Flags: sec-bounty? → sec-bounty-
Group: core-security
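The class of filtering the comments above describe (the compose editor rebuilding an untrusted HTML fragment before it is quoted in a reply or forward) is illustrated by the allowlist sanitizer below. It is an added example, not Thunderbird's code and not the fix tracked in bug 875818: it drops iframe/script/object/embed elements together with their bodies, strips every on* event attribute, and rejects href/src values whose scheme is not http, https or mailto, so neither a data: nor a javascript: URL survives. The sample fragment is constructed.

```python
from html import escape
from html.parser import HTMLParser
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "div", "span"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # body is dropped too
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")  # data: and javascript: are deliberately absent


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skip = [], [], 0  # skip: depth inside a dropped body

    def _keep_attr(self, name, value):
        name, value = name.lower(), (value or "")
        unsafe = name.startswith("on") or (                # on* event handlers
            name in URL_ATTRS and not value.lstrip().lower().startswith(SAFE_SCHEMES))
        if unsafe:
            self.dropped.append(f"attr:{name}={value[:24]}")
        return not unsafe

    def handle_starttag(self, tag, attrs):
        if self.skip:
            self.skip += tag in DROP_WITH_CONTENT
        elif tag not in ALLOWED_TAGS:                      # iframe, script, object, ...
            self.dropped.append(f"tag:{tag}")
            self.skip = int(tag in DROP_WITH_CONTENT)
        else:
            kept = "".join(f' {n}="{escape(v or "", quote=True)}"'
                           for n, v in attrs if self._keep_attr(n, v))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if self.skip:
            self.skip -= tag in DROP_WITH_CONTENT
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))


def sanitize_fragment(fragment):
    """Return (clean_html, dropped_items) for an untrusted HTML fragment."""
    s = AllowlistSanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out), s.dropped

# Constructed sample: an on* attribute, a data: iframe and a javascript: link.
SAMPLE = ('<p onclick="x()">Hi <b>there</b></p><iframe src="data:text/html;base64,AAAA"></iframe>'
          '<a href="javascript:void(0)">x</a><a href="https://example.com">ok</a>')
```

The `dropped` list is what a defender would log: it names exactly which tags and attributes the editor refused, which is the signal to watch for in mail that triggers it repeatedly.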