Closed Bug 395338 Opened 17 years ago Closed 17 years ago

XSS hole on store.mozilla.org

Category: Websites :: store.mozilla.org
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Reporter: clouserw, Assigned: mike.bommarito
Keywords: wsec-xss

Posted on a security forum here: http://sla.ckers.org/forum/read.php?3,44,15626#msg-15626

XSS is here (warning, several alerts()):
http://store.mozilla.org/product.php?code=mz1303223%22%3E%3Cscript%3Ealert(1)%3C/script%3E&catid=&offset=0

It looks like they emailed customer service at the store but customer service didn't understand the question.
Severity: major → critical
Mike, this needs to be fixed ASAP, please.

John, can you please follow-up with GatewayCDI to make sure this gets fixed and quickly?
Hi Mike. Like Reed said, we need to get this fixed as soon as possible. I'll check in with you tomorrow to see how things are coming.

Once this is fixed, it would be best if you guys could do a site audit to make sure there aren't other things that could be exploited.

Thanks,
John
Assignee: jslater → mike.bommarito
Let us know if we can help somehow.
I have sanitized the data being passed and redirected on no product found.

Thanks,

Mike
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
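The fix Mike describes (sanitizing the reflected value and redirecting when no product is found), as an added PHP example that is not store.mozilla.org's own code; the PRODUCTS table, the assumed product-code format and the function names are assumptions:

```php
<?php
// Added example, not store.mozilla.org's code. Shows the reflection
// pattern behind this bug beside the fix described in the resolution.

// Constructed stand-in for the store's product lookup (assumption).
const PRODUCTS = ['mz1303223' => 'Mozilla T-Shirt'];

// Before: the raw `code` query value is echoed into an attribute, so a
// value such as  mz1303223"><script>alert(1)</script>  closes the
// attribute and the tag, and the script runs in the store's origin.
function render_vulnerable(string $code): string
{
    return '<input type="hidden" name="code" value="' . $code . '">';
}

// After: validate the code's shape (assumed: two letters + seven digits),
// bail out when no product matches, and HTML-encode anything that is
// still reflected into the page (ENT_QUOTES covers attribute contexts).
function render_fixed(string $code): ?string
{
    if (!preg_match('/^[a-z]{2}\d{7}$/', $code) || !isset(PRODUCTS[$code])) {
        return null; // caller redirects; nothing from the request is echoed
    }
    $safeCode = htmlspecialchars($code, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeName = htmlspecialchars(PRODUCTS[$code], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>' . $safeName . '</h1>'
         . '<input type="hidden" name="code" value="' . $safeCode . '">';
}

// Request handler mirroring product.php?code=...: redirect on no product.
function handle(array $query): string
{
    $html = render_fixed((string)($query['code'] ?? ''));
    if ($html === null) {
        header('Location: /', true, 302);
        return '';
    }
    return $html;
}

// The payload from the report, URL-decoded, next to a legitimate code.
$payload = rawurldecode('mz1303223%22%3E%3Cscript%3Ealert(1)%3C/script%3E');
echo render_vulnerable($payload), "\n"; // reflects the raw value verbatim
var_dump(render_fixed($payload));        // rejected before any output is built
echo handle(['code' => 'mz1303223']), "\n";
```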
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss