Closed Bug 1116754 Opened 9 years ago Closed 9 years ago

Mozilla.org is vulnerable to xss vulnerability.

Categories

(www.mozilla.org :: General, defect)

Hardware: x86
OS: Windows 8.1
Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: alfredgotu, Assigned: pmac)

Details

(Keywords: sec-high)

Attachments

(1 file)

Attached image xss.jpg
Hello,

-Description:

My name is Hamza Bettache and I'm a web app security researcher. As I was trying to download Mozilla Firefox, I've found that the newsletter's form is vulnerable to XSS vulnerability (cross site scripting): the inputs country, lang and fmt are not sanitized (filtered), and the attacker can inject his JavaScript payload to make a successful XSS attack.

Steps to reproduce the vulnerability:

1- Go to https://www.mozilla.org/fr/newsletter/ and fill in the necessary information; use a web proxy like BurpSuite to intercept the request.

2- While intercepting the request we get the following POST:

POST /fr/newsletter/ HTTP/1.1

Referer: https://www.mozilla.org/fr/newsletter/

newsletters=mozilla-and-you&source_url=https%3A%2F%2Fwww.mozilla.org%2Ffr%2Fnewsletter%2F&email=adressss%40hotmail.fr&country=dz&lang=fr&fmt=H&privacy=on

We change one of the three parameters we've talked about above to our payload, which will be <svg/onload=alert("xss")>

so the request will be as follows:

POST /fr/newsletter/ HTTP/1.1

Referer: https://www.mozilla.org/fr/newsletter/

newsletters=mozilla-and-you&source_url=https%3A%2F%2Fwww.mozilla.org%2Ffr%2Fnewsletter%2F&email=adressss%40hotmail.fr&country=<svg/onload=alert("xss")>&lang=fr&fmt=H&privacy=on

and we get a pop-up message which confirms the XSS vulnerability:

link of a jpeg image:

http://im48.gulfup.com/UtNtVe.jpg

here's a POC (proof of concept):

http://www.youtube.com/watch?v=vk_REGut7J8&feature=youtu.be

I hope you'll fix it as soon as possible

regards...

Hamza.
Assignee: nobody → server-ops
Component: General → Server Operations
Product: Firefox → mozilla.org
QA Contact: shyam
Version: unspecified → other
Group: core-security → websites-security
Assignee: server-ops → nobody
Component: Server Operations → General
Product: mozilla.org → www.mozilla.org
QA Contact: shyam
Please be patient and wait for developers to take a look at this issue. As I said in email, January 1st is a national holiday. This bug was also opened in the wrong product and component and unlikely to be seen there.
Flags: sec-bounty?
The issue is with the AJAX-based form submission. The error messages returned can contain unsanitized user input and will thus result in the reported behavior.

I should have a fix in a PR shortly.

Thanks for the report!
Assignee: nobody → pmac
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
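The root cause named in the comment above is an error message that echoes a submitted field value back into the page without escaping. The following is an added illustration and is not bedrock's code or the commit linked in this bug; it assumes a concatenation-based error message on the vulnerable side, HTML escaping plus allow-list validation on the fixed side, and constructed allow-lists for country, lang and fmt (the form's real accepted values are not on this page).

```javascript
// Added example (not bedrock's code): why echoing a raw field value into a
// form error message is an XSS sink, and two defences that close it.

// Assumed allow-lists for the three fields named in the report. The real
// newsletter form's accepted values are not on this page; these are constructed.
const ALLOWED = {
  country: new Set(['dz', 'fr', 'us']),
  lang: new Set(['fr', 'en']),
  fmt: new Set(['H', 'T']),
};

// Minimal HTML escaping for text that will be interpolated into markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the error string is built by concatenation and later
// handed to innerHTML on the client, so attacker-controlled markup survives.
function buildErrorUnsafe(field, value) {
  return `<p class="error">Invalid ${field}: ${value}</p>`;
}

// Hardened pattern: escape every untrusted value before it reaches markup.
function buildErrorSafe(field, value) {
  return `<p class="error">Invalid ${escapeHtml(field)}: ${escapeHtml(value)}</p>`;
}

// Server-side validation against the allow-list; the rejected value is never
// echoed, so there is nothing for a client-side renderer to get wrong.
function validateSubmission(params) {
  const errors = [];
  for (const [field, allowed] of Object.entries(ALLOWED)) {
    if (!allowed.has(params[field])) errors.push(`Invalid ${field}.`);
  }
  return { ok: errors.length === 0, errors };
}

// Parse an application/x-www-form-urlencoded body. Splits on the first '='
// only, so a raw value containing '=' (as in the report) is kept intact.
function parseForm(body) {
  const out = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

// Constructed POST body modelled on the second request in the report.
const SAMPLE_BODY =
  'newsletters=mozilla-and-you&email=adressss%40hotmail.fr' +
  '&country=<svg/onload=alert("xss")>&lang=fr&fmt=H&privacy=on';

function demo() {
  const params = parseForm(SAMPLE_BODY);
  return {
    unsafe: buildErrorUnsafe('country', params.country),
    safe: buildErrorSafe('country', params.country),
    validation: validateSubmission(params),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running `demo()` shows the unescaped message still containing a live `<svg` tag, the escaped one reduced to inert `&lt;svg ...&gt;` text, and the validator rejecting the country field without repeating its value. Escaping at the point of rendering is the fix for the sink itself; the allow-list is the defence-in-depth layer that keeps unexpected values out of error text in the first place.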
This was fixed in https://github.com/pmclanahan/bedrock/commit/55d8a0ebfab931f96903f2c3f7b7d21aa16ffe47 which is now in production.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Hello,
thank you for your reply.
It's good to have the bug fixed;
I'm wondering about my bounty?
thanks again
regards...
The bounty committee meets once a week. We will consider this bug the next time we meet.
Thank you
I'm waiting to hear from you.
my regards....
Flags: sec-bounty? → sec-bounty+
Keywords: sec-high
Group: websites-security