Bug 1116849: Flash XSS in http://people.mozilla.org/~nhirata/
Status: RESOLVED DUPLICATE of bug 769755
Opened 9 years ago, closed 7 years ago
Categories: (mozilla.org :: Video, task)
Tracking: (Not tracked)
People: (Reporter: lalithr95, Unassigned)
Attachments: (1 file) 127.73 KB, image/png
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36

Steps to reproduce:

Flash XSS in mozilla sub-domain.

URL:
http://people.mozilla.org/~nhirata/html_tp/Good%20Old%20Fashioned%20Pancakes%20Recipe%20-%20Allrecipes.com_files/300x250_dad_pizza.swf?clickTag=Javascript:alert%28document.cookie%29;//
http://people.mozilla.org/~nhirata/html_tp/Good%20Old%20Fashioned%20Pancakes%20Recipe%20-%20Allrecipes.com_files/300x250_dad_pizza.swf?clickTag=Javascript:alert%28document.cookie%29;//

1. Open above URL in Mozilla.
2. It displays an ad. Now click on the ad, which will redirect to a new tab.
3. 1st URL will display the domain where the XSS was triggered and second URL will display the cookies.

Actual results:

An XSS was triggered by execution of Javascript by setting the clickTag parameter in the flash. Clicking on the ad will redirect the user to respective site as per flash code. But it fails to filter external Javascript handler, thus resulting in execution of Javascript.

Expected results:

clickTag parameter should have filtered the special characters or filtering based on https or http protocols, so that if any attacker provides malicious JS, that won't get accepted by the application.
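The http/https filtering that the "Expected results" section asks for can be written as a scheme allowlist; the following is an added example, not part of the original report and not code from Mozilla or the ad's SWF. The function names `safeClickTag` and `auditSwfRequest` and the host `ads.example` are hypothetical, and the check is shown in JavaScript rather than in the SWF's own ActionScript.

```javascript
// Added example (not from the bug report): scheme allowlist for clickTag values.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Return the normalized destination if it is an absolute http(s) URL, else null.
// The WHATWG URL parser lowercases the scheme and strips leading whitespace and
// embedded tabs/newlines, so "Javascript:" and " java\tscript:" are both caught.
function safeClickTag(raw) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let url;
  try {
    url = new URL(raw); // no base given: relative and "//host" forms throw
  } catch (err) {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Audit one request URL: list clickTag parameters on .swf paths that fail the check.
// Parameter names are compared case-insensitively (clickTag, clickTAG, clicktag).
function auditSwfRequest(requestUrl) {
  const u = new URL(requestUrl);
  if (!u.pathname.toLowerCase().endsWith(".swf")) return [];
  const findings = [];
  for (const [name, value] of u.searchParams) {
    if (name.toLowerCase() === "clicktag" && safeClickTag(value) === null) {
      findings.push({ name, value });
    }
  }
  return findings;
}

// Constructed sample requests; ads.example is a placeholder host.
const SAMPLE_REQUESTS = [
  "http://ads.example/banner.swf?clickTag=https%3A%2F%2Fshop.example%2Foffer",
  "http://ads.example/banner.swf?clickTag=Javascript:alert%28document.cookie%29;//",
  "http://ads.example/banner.swf?clickTAG=%20data:text/html,hello",
  "http://ads.example/page.html?clickTag=Javascript:alert%281%29",
];

for (const req of SAMPLE_REQUESTS) {
  const bad = auditSwfRequest(req);
  console.log(bad.length ? "REJECT" : "ok    ", req);
}
```

Run over access logs, `auditSwfRequest` flags requests like the one in this report; the same allowlist belongs in the SWF's click handler before it navigates.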
Comment 1•9 years ago (Reporter)
Please add sec-bounty flag! Regards
Dupe of bug 780450? nhirata, what do you think?
Component: General → Video
Flags: needinfo?(nhirata.bugzilla)
Product: Core → mozilla.org
Summary: Flash XSS in mozilla → Flash XSS in http://people.mozilla.org/~nhirata/
Version: 34 Branch → other
Please see: https://bugzilla.mozilla.org/show_bug.cgi?id=780450#c4 *.swf was removed from that directory. To note, I do believe it is a similar if not duplicate bug. Is there anything we can do to tighten the browser itself to help protect the user from malicious post parameter Javascript?
Flags: needinfo?(nhirata.bugzilla)
Comment 4•9 years ago (Reporter)
Hey, is this eligible for bounty? I found similar issues in people.mozilla.org at different places. So this does constitute some risk as there were cookies; I do not know whether they are sensitive information or not.
Comment 5•7 years ago
This is an old bug – looks like a duplicate of #769755, in which Daniel remarks "people.mozilla.org" is intended for testing purposes and not bounty eligible:
> people.mozilla.org is for mozillians to upload random test stuff. It is not a site covered by the web bounty, and since files are not uploaded through a web interface there's really no value to an XSS on that site -- there's no auth to compromise.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE