Bug 1116754 - is vulnerable to xss vulnerability.
: sec-high
Classification: Other
Component: General
: other
: x86 Windows 8.1
-- normal
: ---
Assigned To: Paul [:pmac] McLanahan
Depends on:
Blocks: 835434
Reported: 2014-12-31 04:54 PST by Hamza Bettache
Modified: 2015-09-09 12:50 PDT (History)
abillings: sec‑bounty+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---

xss.jpg (321.40 KB, image/jpeg)
2014-12-31 04:54 PST, Hamza Bettache

Description Hamza Bettache 2014-12-31 04:54:36 PST
Created attachment 8542956

My name is Hamza Bettache and I'm a web app security researcher. As I was trying to download Mozilla Firefox,

I found that the newsletter's form is vulnerable to an XSS vulnerability (cross-site scripting): the inputs country, lang and

fmt are not sanitized (filtered), and the attacker can inject his JavaScript payload to make a successful XSS attack.

Steps to reproduce the vulnerability:

1- Go to and fill in the necessary information; use a web proxy like Burp Suite to intercept the request.

2- While intercepting the request we get the following POST:

POST /fr/newsletter/ HTTP/1.1

We change one of the three parameters we talked about above to our payload, which will be <svg/onload=alert("xss")>, so the request will be as follows:

POST /fr/newsletter/ HTTP/1.1

And we get a pop-up message which confirms the XSS vulnerability:

Link of a JPEG image:

Here's a POC (proof of concept):

I hope you'll fix it as soon as possible.


Comment 1 Hamza Bettache 2015-01-02 08:30:53 PST Comment hidden (off-topic)
Comment 2 Al Billings [:abillings] 2015-01-02 09:12:33 PST
Please be patient and wait for developers to take a look at this issue. As I said in email, January 1st is a national holiday. This bug was also opened in the wrong product and component and unlikely to be seen there.
Comment 3 Paul [:pmac] McLanahan 2015-01-06 07:46:27 PST
The issue is with the AJAX-based form submission. The error messages returned can contain unsanitized user input and will thus result in the reported behavior.

I should have a fix in a PR shortly.

Thanks for the report!
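The pattern pmac describes, as an added illustration that is not the site's own code: the AJAX error response interpolates a submitted field into an HTML fragment, and the fix escapes it for the HTML context it lands in (function names and allowlist values are assumptions).

```javascript
// Added illustration of the bug class in comment 3, not mozilla.org's own code.
// The function names and the allowlist values are assumptions.
const ALLOWED = {
  country: new Set(['fr', 'us', 'de']),   // constructed sample values
  lang: new Set(['fr', 'en', 'de']),
  fmt: new Set(['H', 'T']),               // HTML or plain-text newsletter
};

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: the error response carries an HTML fragment that
// interpolates the submitted value verbatim. A client that drops it into the
// page with innerHTML executes <svg/onload=...> from the country/lang/fmt field.
function errorsUnsafe(params) {
  const errors = [];
  for (const [field, allowed] of Object.entries(ALLOWED)) {
    if (!allowed.has(params[field])) {
      errors.push(`<li>Invalid ${field}: ${params[field]}</li>`);
    }
  }
  return errors;
}

// Hardened shape: same allowlist check, but anything echoed back is escaped
// for the HTML context it lands in. (Rendering the message with textContent
// instead of innerHTML on the client closes the same hole from the other side.)
function errorsSafe(params) {
  const errors = [];
  for (const [field, allowed] of Object.entries(ALLOWED)) {
    if (!allowed.has(params[field])) {
      errors.push(`<li>Invalid ${field}: ${escapeHtml(params[field])}</li>`);
    }
  }
  return errors;
}

// Constructed request mirroring the report: the country parameter replaced
// by the payload quoted in the description.
const PAYLOAD = '<svg/onload=alert("xss")>';
const SAMPLE = { country: PAYLOAD, lang: 'fr', fmt: 'H' };

console.log('unsafe:', errorsUnsafe(SAMPLE));
console.log('safe:  ', errorsSafe(SAMPLE));
```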
Comment 4 Josh Mize [:jgmize] 2015-01-06 09:12:33 PST
This was fixed in which is now in production.
Comment 5 Hamza Bettache 2015-01-07 07:22:04 PST
Thank you for your reply.
It's good to have the bug fixed.
I'm wondering about my bounty?
Thanks again
Comment 6 Al Billings [:abillings] 2015-01-07 09:59:15 PST
The bounty committee meets once a week. We will consider this bug the next time we meet.
Comment 7 Hamza Bettache 2015-01-08 01:09:44 PST
Thank you.
I'm waiting to hear from you.
My regards....
