Created attachment 141365 [details]
test file
Build ID: N/A
Steps To Reproduce:
1. Click on attached file
2. See cookie alert
3. Wonder
More information:
Created attachment 141366 [details] "><img src=x onerror=alert(document.cookie)>
Comment on attachment 141366 [details] "><img src=x onerror=alert(document.cookie)> "><img src=x onerror=alert(document.cookie)>.html
Comment on attachment 141366 [details] "><img src=x onerror=alert(document.cookie)> Does not execute the code w/o user interaction as suspected.
Just for the record - the uploaded file is being stored on the same subdomain as Bugzilla itself. This enables stealing a logged-in user's account by tricking them into clicking on the infected attachment. Maliciously crafted filenames seem not to work - as the now obsoleted other attachment showed.
This was fixed in Bugzilla 3.2 I believe. We're running 3.0.x and will be upgrading soon.
Let's close this bug so no one gets any bad ideas.
Is it time to close this bug and take off the committer-only tag? (I think so). Is this a bug that we need to disclose i.e. do we need to put the security keyword so that it is disclosed on the /security page?
> Is it time to close this bug and take off the committer-only tag? (I think so).
>
> Is this a bug that we need to disclose i.e. do we need to put the security
> keyword so that it is disclosed on the /security page?
This is a security issue with Bugzilla.. and although it's fixed in the software, we have not implemented the fix here on bugs.eclipse.org since implementing the fix means we need to reconfigure Bugzilla and DNS and all that fun stuff.
(In reply to comment #8)
> > Is it time to close this bug and take off the committer-only tag? (I think so).
> >
> > Is this a bug that we need to disclose i.e. do we need to put the security
> > keyword so that it is disclosed on the /security page?
>
> This is a security issue with Bugzilla.. and although it's fixed in the
> software, we have not implemented the fix here on bugs.eclipse.org since
> implementing the fix means we need to reconfigure Bugzilla and DNS and all that
> fun stuff.
Any thoughts about timing for a fix?
*** Bug 428255 has been marked as a duplicate of this bug. ***
*** Bug 571739 has been marked as a duplicate of this bug. ***
I reported the same issue today without being aware of this bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=571739
I did a bit of research here and the recommended solution from the Mozilla team is to host attachments on a separate domain: https://bugzilla.mozilla.org/show_bug.cgi?id=1112504#c1 Attachments listed on https://bugzilla.mozilla.org/show_bug.cgi?id=1464611 are hosted on bmoattachments.org: https://bug1464611.bmoattachments.org/attachment.cgi?id=8981058
I created a.bugs.eclipse.org a long time ago for this bug but never got any further. Since a separate domain would be much better, I've acquired eclipsecontent.org.
Patches pending for this.
Bugzilla attachments are now hosted on the bugzillaattachments.eclipsecontent.org domain, per the Bugzilla docs. Closing Fixed.
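The three hosting layouts discussed in this thread (same host, the a.bugs.eclipse.org subdomain, and a separate domain), compared in an added example that is not part of the original thread or of Bugzilla: it checks whether script in an attachment shares the tracker's origin and whether the session cookie is in scope for the attachment host, using RFC 6265 domain matching. The URLs' paths and ids and both cookie scopes are constructed assumptions; cookie Path, Secure and HttpOnly are ignored.

```javascript
// Added illustration; not code from Bugzilla or bugs.eclipse.org.

// RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain,
// or is a subdomain of it (IP literals never match by suffix).
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  const isIp = /^\d+(\.\d+){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// A cookie set without a Domain attribute is host-only (exact host match).
function cookieInScope(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatch(host, cookie.domain);
}

// What an attachment served from attachmentUrl shares with the tracker at
// appUrl: the tracker's origin, and/or the scope of its session cookie.
function assess(appUrl, attachmentUrl, sessionCookie) {
  const app = new URL(appUrl);
  const att = new URL(attachmentUrl);
  return {
    sameOrigin: app.origin === att.origin,
    cookieInScope: cookieInScope(sessionCookie, att.hostname),
  };
}

// Constructed inputs. Hostnames are from the thread; paths, ids and cookie
// scopes are assumptions, not the real bugs.eclipse.org configuration.
const APP = "https://bugs.eclipse.org/bugs/show_bug.cgi?id=1";
const HOST_ONLY = { domain: "bugs.eclipse.org", hostOnly: true };
const PARENT_SCOPED = { domain: "eclipse.org", hostOnly: false };
const LAYOUTS = {
  sameHost: "https://bugs.eclipse.org/bugs/attachment.cgi?id=1",
  subdomain: "https://a.bugs.eclipse.org/attachment.cgi?id=1",
  separateDomain: "https://bugzillaattachments.eclipsecontent.org/attachment.cgi?id=1",
};

for (const [name, url] of Object.entries(LAYOUTS)) {
  console.log(name, "host-only:", assess(APP, url, HOST_ONLY),
    "parent-scoped:", assess(APP, url, PARENT_SCOPED));
}
```

The subdomain layout leaves the tracker's origin but still falls inside any cookie scoped to a parent domain; only the separate domain is outside both.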
(In reply to Denis Roy from comment #16)
> Bugzilla attachments are now hosted on the
> bugzillaattachments.eclipsecontent.org domain, per the Bugzilla docs.
> Closing Fixed.
This is great! Thanks Denis!
> This is great! Thanks Denis!
12 years, not bad eh?
*** Bug 573145 has been marked as a duplicate of this bug. ***