1238593 - Improper output encoding on support.mozilla.org search dialog results, self-xss

Status: RESOLVED DUPLICATE of bug 1223970

(support.mozilla.org :: Questions, task)

Description

[Lnazi Jubaer]

Attachment: Screenshot_2016-01-11-21-53-22.png

User Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; PrimoC4 Build/WALTON) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/10.8.0.718 U3/0.8.0 Mobile Safari/534.30

Steps to reproduce:

Go to:  https://support.mozilla.org/en-US/questions/new/desktop

Put this payload into the search :   "><p id="\u0070rompt(1)"onmouseover=\u0065val(id) //


Actual results:

Js execution (Prompt box)


Expected results:

Plan text come out

Comment 1

[Adam Muntner [:adamm] (use NEEDINFO)]

Output encoding issue: unicode characters are not correctly output encoded into a context-safe HTML entity encoding format.

This example is self-xss and not exploitable to the extent we analyzed it, but there could be other places on the website that also use the same output encoding mechanism which could be vulnerable.

A review of the output encoding used for sanitization should be performed on sumo to look for other instances, identify the root cause, and fix it.

Comment 2

[Lnazi Jubaer]

Is there gonna be any hof function?

Comment 3

[Michael Cooper [:mythmon]]

I'm fairly sure this is the same problem reported and fixed in bug 1223970. I can't reproduce it following the steps in comment 1.

I don't know what a hof function is.