Bug 985704: Execution cross-site scripting
Status: Closed, RESOLVED INVALID
Opened 10 years ago
Closed 10 years ago
Categories: Firefox :: Untriaged, defect
People: Reporter: mayitosj09, Unassigned
Attachments: 1 file (1022 bytes, application/force-download)
User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 (Beta/Release)
Build ID: 20140212131424

Steps to reproduce:
1: Download the attached archive
2: Decompress the archive and open the document "Execute First"
3: Click the button that says "click to back home"

Note: Only works with Firefox, tested in Chrome and Internet Explorer

Actual results:
An alert is opened with the XSS code
Comment 1 • 10 years ago (Reporter)
link of the video: https://www.youtube.com/watch?v=HOiZGO8KViI
Comment 2 • 10 years ago

This doesn't appear to be a Firefox issue. There is a reflected XSS bug on
http://www.futboltotal.com.mx/?s=<XSS HERE>
http://www.futboltotal.com.mx/?s=%3Cimg%20src=z%20onerror=alert%281%29%20z

The supplied code opens an iframe and changes the location of the parent to the above site, passing in an XSS payload in the s parameter. Changing the XSS payload to alert(document.domain) shows that the code is executing on the www.futboltotal.com.mx domain.

Unless there is something I'm missing, I will close this bug as INVALID.
Flags: needinfo?(mayitosj09)
Comment 3 • 10 years ago (Reporter)

Yes, but it only works with Firefox; in Chrome and Explorer it does not. Firefox runs it automatically without asking you, which does not happen in any other browser.
Flags: needinfo?(mayitosj09)
Comment 4 • 10 years ago (Reporter)
The link I posted was just an example
Comment 5 • 10 years ago

The issue appears to be that Firefox doesn't have an XSS filter. I tested on Chrome and there is no alert as mentioned. The console shows:

The XSS Auditor refused to execute a script in 'http://www.futboltotal.com.mx/?s=%3Cimg%20src=z%20onerror=alert%281%29%20z' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.

IE has a similar message for the XSS filter. However, upon disabling the XSS protection, the attack works in Chrome as well.

I am going to resolve this bug. Please follow up with the owners of futboltotal.com.mx to fix the XSS on their side. See bug 528661 for the current status of the XSS filter.
Updated • 10 years ago
Group: core-security
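
The server-side fix that comment 5 asks the site owners for comes down to encoding the reflected `s` parameter on output and sending a Content-Security-Policy header, so the page does not depend on a browser-side filter. The following is an added example, not code from this bug or from the site; the handler, function names, placeholder origin and policy value are assumptions, and the sample request reuses the query string quoted in comment 2.

```javascript
// Added example: constructed search handler, not the affected site's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the query is concatenated into markup as-is (reflected XSS).
function renderVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// "After": the query is HTML-encoded at the point of output.
function renderHardened(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Framework-neutral handler: takes a request URL, returns status/headers/body.
function handleSearch(requestUrl) {
  const url = new URL(requestUrl, 'http://site.example'); // placeholder origin
  const query = url.searchParams.get('s') ?? '';
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      // Defence in depth: without 'unsafe-inline', inline scripts and
      // inline event handlers (onerror=...) are not executed.
      'Content-Security-Policy':
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
      'X-Content-Type-Options': 'nosniff',
    },
    body: `<!doctype html><title>Search</title>${renderHardened(query)}`,
  };
}

// Constructed request using the query string quoted in comment 2.
const SAMPLE_REQUEST = '/?s=%3Cimg%20src=z%20onerror=alert%281%29%20z';
const response = handleSearch(SAMPLE_REQUEST);
console.log(response.headers['Content-Security-Policy']);
console.log(response.body);
```

With output encoding in place the reflected value reaches the browser as text, so the result is the same in Firefox, Chrome and IE regardless of whether an XSS filter is present.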