Closed Bug 1116849 Opened 9 years ago Closed 7 years ago

Categories

(mozilla.org :: Video, task)

x86_64
Windows 8.1
task
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 769755

People

(Reporter: lalithr95, Unassigned)

Details

Attachments

(1 file)

Attached image Mozilla XSS 1.png
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36

Steps to reproduce:

Flash XSS in a Mozilla sub-domain.

URL : http://people.mozilla.org/~nhirata/html_tp/Good%20Old%20Fashioned%20Pancakes%20Recipe%20-%20Allrecipes.com_files/300x250_dad_pizza.swf?clickTag=Javascript:alert%28document.cookie%29;//

http://people.mozilla.org/~nhirata/html_tp/Good%20Old%20Fashioned%20Pancakes%20Recipe%20-%20Allrecipes.com_files/300x250_dad_pizza.swf?clickTag=Javascript:alert%28document.cookie%29;//

1. Open the above URL in Mozilla.
2. It displays an ad. Now click on the ad, which will redirect to a new tab.
3. The 1st URL will display the domain where the XSS was triggered and the second URL will display the cookies.



Actual results:

An XSS was triggered by execution of JavaScript by setting the clickTag parameter in the Flash. Clicking on the ad will redirect the user to the respective site as per the Flash code. But it fails to filter the external JavaScript handler, thus resulting in execution of JavaScript.


Expected results:

The clickTag parameter should have filtered the special characters, or filtered based on the https or http protocols, so that if any attacker provides malicious JS, it won't get accepted by the application.
Please add the sec-bounty flag!

Regards
Dupe of bug 780450? nhirata, what do you think?
Component: General → Video
Flags: needinfo?(nhirata.bugzilla)
Product: Core → mozilla.org
Summary: Flash XSS in mozilla → Flash XSS in http://people.mozilla.org/~nhirata/
Version: 34 Branch → other
Please see: https://bugzilla.mozilla.org/show_bug.cgi?id=780450#c4
  *.swf was removed from that directory.

To note, I do believe it is a similar if not duplicate bug.  Is there anything we can do to tighten the browser itself to help protect the user from malicious post parameter Javascript?
Flags: needinfo?(nhirata.bugzilla)
Hey,

Is this eligible for bounty?
I found similar issues in people.mozilla.org at different places. So this does constitute some risk, as there were cookies; I do not know whether they are sensitive information or not.
This is an old bug – looks like a duplicate of #769755, in which Daniel remarks "people.mozilla.org" is intended for testing purposes and not bounty eligible:

> people.mozilla.org is for mozillians to upload random test stuff. It is not a site covered by the web bounty, and since files are not uploaded through a web interface there's really no value to an XSS on that site -- there's no auth to compromise.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
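
The scheme filtering asked for under "Expected results", as an added example that is not part of the bug thread or of any Mozilla code: a clickTag-style destination is accepted only when it parses as an absolute `http:` or `https:` URL. The function names and the `example.test` host are assumptions made for illustration.

```javascript
// Added example: scheme allow-list for a clickTag-style redirect parameter.
// safeClickTarget and checkRequest are hypothetical names, not from the bug.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized destination when it is an absolute http(s) URL,
// otherwise null.
function safeClickTarget(value) {
  if (typeof value !== "string") return null;
  let url;
  try {
    // The WHATWG URL parser lowercases the scheme, trims leading/trailing
    // whitespace and drops embedded tabs/newlines, so "Javascript:" and
    // "java\tscript:" are both reported as "javascript:".
    url = new URL(value);
  } catch {
    // Relative, protocol-relative or unparsable values are rejected
    // instead of being resolved against some guessed base.
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Pulls clickTag out of a full request URL (percent-decoding included)
// and reports whether the destination would be allowed.
function checkRequest(requestUrl) {
  const raw = new URL(requestUrl).searchParams.get("clickTag");
  if (raw === null) return { clickTag: null, allowed: true };
  return { clickTag: raw, allowed: safeClickTarget(raw) !== null };
}

// Constructed sample requests; the first uses the parameter form from the report.
const samples = [
  "http://example.test/ad.swf?clickTag=Javascript:alert%28document.cookie%29;//",
  "http://example.test/ad.swf?clickTag=https%3A%2F%2Fexample.test%2Flanding",
  "http://example.test/ad.swf",
];
for (const s of samples) {
  console.log(checkRequest(s).allowed ? "allow" : "block", s);
}
```

An allow-list on the parsed scheme avoids the gaps of character filtering, because case changes and embedded whitespace are normalized before the comparison.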