Closed Bug 985704 Opened 10 years ago Closed 10 years ago

Execution cross-site scripting

Categories

(Firefox :: Untriaged, defect)

27 Branch
x86_64
Windows 8
defect
Not set
normal

Tracking


RESOLVED INVALID

People

(Reporter: mayitosj09, Unassigned)

References

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 (Beta/Release)
Build ID: 20140212131424

Steps to reproduce:

1: Download the archive attached
2: Decompress the archive and open the document "Execute First"
3: Click the button that says "click to back home"
Note: Only works with Firefox; tested in Chrome and Internet Explorer.


Actual results:

An alert with the XSS code is opened.
Link to the video: https://www.youtube.com/watch?v=HOiZGO8KViI

This doesn't appear to be a Firefox issue. There is a reflected XSS bug on http://www.futboltotal.com.mx/?s=<XSS HERE>

http://www.futboltotal.com.mx/?s=%3Cimg%20src=z%20onerror=alert%281%29%20z

The supplied code opens an iframe and changes the location of the parent to the above site, passing an XSS payload in the s parameter. Changing the XSS payload to alert(document.domain) shows that the code is executing on the www.futboltotal.com.mx domain. Unless there is something I'm missing, I will close this bug as INVALID.
Flags: needinfo?(mayitosj09)
Yes, but it only works with Firefox; in Chrome and Explorer it does not. Firefox runs it automatically without asking you, which does not happen in the other browsers.
Flags: needinfo?(mayitosj09)
The link I posted was just an example.

The issue appears to be that Firefox doesn't have an XSS filter. I tested on Chrome and there is no alert as mentioned. The console shows:

The XSS Auditor refused to execute a script in 'http://www.futboltotal.com.mx/?s=%3Cimg%20src=z%20onerror=alert%281%29%20z' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 

IE has a similar message for the XSS filter. However, upon disabling the XSS protection, the attack works in Chrome as well. I am going to resolve this bug. Please follow up with the owners of futboltotal.com.mx to fix the XSS on their side. See bug 528661 for the current status of the XSS filter.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
See Also: → xssfilter
Group: core-security
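As an added example (not code from this bug report or from the site in question), a minimal Node.js search handler reflects the `s` parameter the way the triage comments describe, beside a hardened version that escapes on output and sends a Content-Security-Policy; the page markup, function names and the localhost base URL are constructed.

```javascript
// Added example: the reflected-XSS pattern from the triage comments (the `s`
// query parameter echoed back into the page unescaped) next to a server-side
// fix. Markup and hostnames are constructed; only the request URL is the one
// quoted in the bug. Uses Node's global URL, no third-party modules.

// Escape the characters that matter when a value lands in HTML text or in a
// quoted attribute; this is the actual fix for a reflected XSS.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Pull the search term out of a request URL exactly as a server sees it after
// percent-decoding (so %3Cimg becomes <img).
function termFromUrl(requestUrl) {
  return new URL(requestUrl, "http://localhost").searchParams.get("s") || "";
}

// Vulnerable: the term is concatenated straight into the page, so
// ?s=<img src=z onerror=alert(1) z becomes live markup. Whether the alert then
// fires depends only on the browser's XSS filter, which Firefox 27 did not have
// and which Chrome/IE users can switch off; that is not a defence the site owns.
function renderSearchVulnerable(term) {
  return {
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: `<h1>Results for: ${term}</h1>`,
  };
}

// Hardened: escape on output, and send a Content-Security-Policy so that even
// a missed escape elsewhere cannot run inline event handlers or inline scripts.
function renderSearchHardened(term) {
  return {
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    },
    body: `<h1>Results for: ${escapeHtml(term)}</h1>`,
  };
}

// Constructed sample: the request URL from the triage comment, host dropped.
const SAMPLE_URL = "/?s=%3Cimg%20src=z%20onerror=alert%281%29%20z";

// To serve the hardened version with the built-in http module:
//   http.createServer((req, res) => {
//     const { headers, body } = renderSearchHardened(termFromUrl(req.url));
//     res.writeHead(200, headers); res.end(body);
//   }).listen(8080);
```

Running the hardened handler on the sample URL yields `&lt;img src=z onerror=alert(1) z` as text, so no element is created and no onerror handler exists to run.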
