Bug 1116754 - Mozilla.org is vulnerable to xss vulnerability.
Summary: Mozilla.org is vulnerable to xss vulnerability.
Status: RESOLVED FIXED
Keywords: sec-high
Product: www.mozilla.org
Classification: Other
Component: General
Version: other
Hardware: x86 Windows 8.1
Importance: -- normal
Target Milestone: ---
Assigned To: Paul [:pmac] McLanahan
Mentors:
Depends on:
Blocks: 835434

Reported: 2014-12-31 04:54 PST by Hamza Bettache
Modified: 2015-09-09 12:50 PDT
CC: 5 users
Flags: abillings: sec-bounty+
See Also:
Locale:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
xss.jpg (321.40 KB, image/jpeg)
2014-12-31 04:54 PST, Hamza Bettache
no flags

Description - Hamza Bettache 2014-12-31 04:54:36 PST
Created attachment 8542956
xss.jpg

Hello,

-Description:

My name is Hamza Bettache and I'm a web app security researcher. As I was trying to download Mozilla Firefox, I found that the newsletter's form is vulnerable to an XSS vulnerability (cross-site scripting): the inputs country, lang and fmt are not sanitized (filtered), and the attacker can inject his JavaScript payload to make a successful XSS attack.

Steps to reproduce the vulnerability:

1- Go to https://www.mozilla.org/fr/newsletter/ and fill in the necessary information, using a web proxy like BurpSuite to intercept the request.

2- While intercepting the request we get the following POST:

POST /fr/newsletter/ HTTP/1.1
Referer: https://www.mozilla.org/fr/newsletter/

newsletters=mozilla-and-you&source_url=https%3A%2F%2Fwww.mozilla.org%2Ffr%2Fnewsletter%2F&email=adressss%40hotmail.fr&country=dz&lang=fr&fmt=H&privacy=on

We change one of the three parameters we've talked about above to our payload, which will be <svg/onload=alert("xss")>

so the request will be as follows:

POST /fr/newsletter/ HTTP/1.1
Referer: https://www.mozilla.org/fr/newsletter/

newsletters=mozilla-and-you&source_url=https%3A%2F%2Fwww.mozilla.org%2Ffr%2Fnewsletter%2F&email=adressss%40hotmail.fr&country=<svg/onload=alert("xss")>&lang=fr&fmt=H&privacy=on

and we get a pop-up message which confirms the XSS vulnerability:

link of a jpeg image:

http://im48.gulfup.com/UtNtVe.jpg

here's a POC (proof of concept):

http://www.youtube.com/watch?v=vk_REGut7J8&feature=youtu.be

I hope you'll fix it as soon as possible.

regards...

Hamza.
Comment 1 - Hamza Bettache 2015-01-02 08:30:53 PST [Comment hidden (off-topic)]
Comment 2 - Al Billings [:abillings] 2015-01-02 09:12:33 PST
Please be patient and wait for developers to take a look at this issue. As I said in email, January 1st is a national holiday. This bug was also opened in the wrong product and component and unlikely to be seen there.
Comment 3 - Paul [:pmac] McLanahan 2015-01-06 07:46:27 PST
The issue is with the AJAX-based form submission. The error messages returned can contain unsanitized user input and will thus result in the reported behavior.

I should have a fix in a PR shortly.

Thanks for the report!
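To make the mechanism in comment 3 concrete, here is an added example (not bedrock's code and not the fix from the linked commit) of the client-side pattern that produces this class of bug and of its hardened form. The JSON error shape and the message wording are assumptions; the field name and the payload come from the report above. The point for a defender: a validation error that echoes the submitted value is still server-controlled text that ends up in the DOM, so it must be escaped (or inserted via textContent) before it touches innerHTML.

```javascript
// Added example, not code from bedrock. Shows why reflecting a server-side form
// error into the page with innerHTML lets a field value such as
// country=<svg/onload=alert("xss")> execute, and how escaping removes that path.

// Constructed stand-in for the JSON the AJAX endpoint might return on failure.
// Field names follow the report; the message wording is an assumption.
const sampleErrorResponse = {
  success: false,
  errors: {
    country: 'Select a valid choice. <svg/onload=alert("xss")> is not one of the available choices.',
    email: 'Enter a valid email address.',
  },
};

// Escape the characters that change meaning in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: markup is built by concatenating raw message strings.
// When this string is assigned to element.innerHTML the <svg> tag is parsed
// by the browser and its onload handler fires.
function renderErrorsUnsafe(errors) {
  return Object.entries(errors)
    .map(([field, msg]) => '<li class="error" data-field="' + field + '">' + msg + '</li>')
    .join('');
}

// Hardened pattern: every server-supplied string is escaped before it is placed
// into markup, so the payload is displayed literally instead of being parsed.
function renderErrorsSafe(errors) {
  return Object.entries(errors)
    .map(([field, msg]) =>
      '<li class="error" data-field="' + escapeHtml(field) + '">' + escapeHtml(msg) + '</li>')
    .join('');
}

// Regression check a front-end test suite could carry: after removing the <li>
// wrappers we emit ourselves, no other tag may remain in the rendered fragment.
function containsForeignTag(html) {
  const stripped = html.replace(/<\/?li\b[^>]*>/g, '');
  return /<[a-zA-Z]/.test(stripped);
}

console.log('unsafe fragment contains a foreign tag:',
  containsForeignTag(renderErrorsUnsafe(sampleErrorResponse.errors)));
console.log('safe fragment contains a foreign tag:',
  containsForeignTag(renderErrorsSafe(sampleErrorResponse.errors)));
```

In a real page the cleaner fix is to avoid string-built markup altogether (create the `li` with `document.createElement` and set its `textContent`), which needs no escaping step; the string form above is kept so the before/after difference can be checked outside a browser. Server-side, the same principle applies if the framework renders error messages into HTML: the echoed field value must be escaped for the context it lands in.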
Comment 4 - Josh Mize [:jgmize] 2015-01-06 09:12:33 PST
This was fixed in https://github.com/pmclanahan/bedrock/commit/55d8a0ebfab931f96903f2c3f7b7d21aa16ffe47 which is now in production.
Comment 5 - Hamza Bettache 2015-01-07 07:22:04 PST
Hello,
thank you for your reply.
It's good to have the bug fixed;
I'm wondering about my bounty?
thanks again
regards...
Comment 6 - Al Billings [:abillings] 2015-01-07 09:59:15 PST
The bounty committee meets once a week. We will consider this bug the next time we meet.
Comment 7 - Hamza Bettache 2015-01-08 01:09:44 PST
Thank you,
I'm waiting to hear from you.
my regards....
