Closed Bug 1247292 Opened 8 years ago Closed 8 years ago

Output encoding error, would be XSS if content type of response were to change.

Categories

(support.mozilla.org :: Code Quality, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1223970

People

(Reporter: amuntner, Unassigned)

Details

(Keywords: sec-moderate, wsec-xss)

If the content-type were text/html, this would be XSS. Couldn't find a way to get it reflected into a page but that doesn't mean there isn't a way. 

Safe HTML-encoded output should be used for user input to the q parameter.

Marking as moderate because it's not provably exploitable but I'd like to see it fixed anyway. 

https://support.mozilla.org/en-US/search/suggestions?q={searchTerms56242<script>alert(1)<%2fscript>360ed

GET /en-US/search/suggestions?q={searchTerms56242<script>alert(1)<%2fscript>360ed HTTP/1.1
Host: support.mozilla.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close


HTTP/1.1 200 OK
Server: Apache
X-Backend-Server: support2.webapp.phx1.mozilla.com
Vary: X-Mobile,User-Agent
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-suggestions+json      <-------
(snip)

["{searchTerms56242<script>alert(1)</script>360ed", ["JavaScript settings and preferences for interactive web pages", "Warning Unresponsive script - What it means and how to fix it", (snip)
Closing: duplicate of bug 1223970; the issue is a safe artifact of the template engine.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
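
The output encoding the report asks for, as an added example that is not part of the original bug or of the site's own code: the unescaped serialization matching the response above, next to one that emits `<`, `>` and `&` as JSON `\uXXXX` escapes so the body stays inert even if a client treats it as text/html. The function names are hypothetical, Python is an assumption about what is convenient here, and the `X-Content-Type-Options: nosniff` header is an extra hardening step that the bug itself does not discuss.

```python
import json

# Characters that would let the JSON body be parsed as markup if the
# response were ever interpreted as text/html. Inside a JSON string they
# can be written as \uXXXX escapes without changing the decoded value.
_HTML_UNSAFE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def unescaped_suggestions_body(query, titles):
    """Behaviour shown in the report: the q value is echoed with raw '<' and '>'."""
    return json.dumps([query, list(titles)])


def escaped_suggestions_body(query, titles):
    """Serialize [query, [titles...]] with HTML-significant characters escaped.

    '<', '>' and '&' are never structural characters in JSON, so after
    json.dumps they can only occur inside string literals, where a
    \\uXXXX escape is valid and decodes to the same character.
    """
    body = json.dumps([query, list(titles)])
    for char, escape in _HTML_UNSAFE.items():
        body = body.replace(char, escape)
    return body


def suggestions_response(query, titles):
    """Return (headers, body) for the suggestions endpoint."""
    headers = {
        # Content type taken from the response quoted in the bug.
        "Content-Type": "application/x-suggestions+json",
        # Assumption: added here so browsers do not sniff the body as HTML.
        "X-Content-Type-Options": "nosniff",
    }
    return headers, escaped_suggestions_body(query, titles)


if __name__ == "__main__":
    # Query string from the report; the title list is shortened.
    q = "{searchTerms56242<script>alert(1)</script>360ed"
    titles = ["JavaScript settings and preferences for interactive web pages"]
    print(unescaped_suggestions_body(q, titles))
    print(suggestions_response(q, titles)[1])
```

A JSON consumer sees the same query string after decoding either body; only the bytes on the wire differ.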