Status: RESOLVED DUPLICATE of bug 769755
Product: mozilla.org
Component: Video
Reported: 3 years ago
Modified: 11 months ago
Reporter: Lalith Rallabhandi (Unassigned)
Attachments: 1

Description (Reporter, 3 years ago)

Attachment 8543057: Mozilla XSS 1.png

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36

Steps to reproduce:

Flash XSS in a Mozilla sub-domain.

URL: http://people.mozilla.org/~nhirata/html_tp/Good%20Old%20Fashioned%20Pancakes%20Recipe%20-%20Allrecipes.com_files/300x250_dad_pizza.swf?clickTag=Javascript:alert%28document.cookie%29;//

http://people.mozilla.org/~nhirata/html_tp/Good%20Old%20Fashioned%20Pancakes%20Recipe%20-%20Allrecipes.com_files/300x250_dad_pizza.swf?clickTag=Javascript:alert%28document.cookie%29;//

1. Open the above URL in Mozilla.
2. It displays an ad. Now click on the ad, which will redirect to a new tab.
3. The 1st URL will display the domain where the XSS was triggered and the second URL will display the cookies.

Actual results:

An XSS was triggered by execution of JavaScript by setting the clickTag parameter in the Flash file. Clicking on the ad will redirect the user to the respective site as per the Flash code, but it fails to filter an external JavaScript handler, thus resulting in execution of JavaScript.

Expected results:

The clickTag parameter should have filtered the special characters, or filtered based on the https or http protocols, so that if any attacker provides malicious JS it won't get accepted by the application.
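The check the description asks for, accepting a clickTag value only when it is an absolute http or https URL, as an added JavaScript example; this is not code from the bug report, from the SWF in question or from Mozilla. The parameter name clickTag and the reported value are taken from the report; the function names, the host allow-list and the other sample inputs are assumptions made for illustration. The same logic written in ActionScript would sit directly in front of the navigateToURL / getURL call that the ad makes on click.

```javascript
// Added example (not code from the bug report or from Mozilla): validating an
// ad "clickTag" parameter before using it as a navigation target.
// Assumes the clickTag arrives as a query-string parameter, as in the report;
// function names, the allow-list and the sample inputs are illustrative.
// Runs in Node.js (URL and URLSearchParams are globals) and in browsers.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Mirrors the behaviour the report describes: whatever the query string says
// is handed straight to the navigation call, so "javascript:" runs as script
// in the origin that embedded the SWF.
function unsafeClickTarget(clickTag) {
  return clickTag;
}

// Hardened version: require an absolute URL, accept only http(s), and
// optionally restrict the landing host. Returns null when the value must not
// be followed.
function safeClickTarget(clickTag, allowedHosts = null) {
  if (typeof clickTag !== "string") return null;

  let url;
  try {
    // The WHATWG parser strips leading/trailing whitespace, removes embedded
    // tabs and newlines, and lowercases the scheme, so "Javascript:" and
    // "java\tscript:" both come out as "javascript:". It throws on relative
    // input such as "//evil.example/", which is rejected as well.
    url = new URL(clickTag);
  } catch (e) {
    return null;
  }

  // Allow-list the scheme, never block-list it: javascript:, data:, vbscript:,
  // file: and any scheme invented later all fail here.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;

  // Optional second gate: only the advertiser's landing host(s).
  if (allowedHosts !== null && !allowedHosts.has(url.hostname)) return null;

  // Hand back the normalised form rather than the raw string.
  return url.href;
}

// Read the parameter the way a SWF reads FlashVars from its own query string
// (the report's URL is ".../300x250_dad_pizza.swf?clickTag=...").
function clickTagFromQuery(query) {
  return new URLSearchParams(query).get("clickTag");
}

// Usage: the exact value from the report is rejected, a real landing page passes.
if (typeof require !== "undefined" && require.main === module) {
  const reported = clickTagFromQuery("?clickTag=Javascript:alert%28document.cookie%29;//");
  console.log("unsafe:", unsafeClickTarget(reported));
  console.log("safe:  ", safeClickTarget(reported));
  console.log("safe:  ", safeClickTarget("https://example.com/landing?x=1"));
}
```

Parsing with the platform URL parser rather than matching the string is deliberate: a block-list such as `startsWith("javascript:")` is defeated by the capitalised `Javascript:` in the report, by leading whitespace and by an embedded tab, all of which the parser normalises before the scheme comparison.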
Comment 1 (Reporter, 3 years ago)

Please add the sec-bounty flag!

Regards
Comment 2 (3 years ago)
Dupe of bug 780450? nhirata, what do you think?
Component: General → Video
Flags: needinfo?(nhirata.bugzilla)
Product: Core → mozilla.org
Summary: Flash XSS in mozilla → Flash XSS in http://people.mozilla.org/~nhirata/
Version: 34 Branch → other
Comment 3

Please see: https://bugzilla.mozilla.org/show_bug.cgi?id=780450#c4
  *.swf was removed from that directory.

To note, I do believe it is a similar if not duplicate bug. Is there anything we can do to tighten the browser itself to help protect the user from malicious post parameter JavaScript?
Flags: needinfo?(nhirata.bugzilla)
Comment 4 (Reporter, 3 years ago)

Hey,

Is this eligible for bounty?
I found similar issues in people.mozilla.org at different places. So this does constitute some risk, as there were cookies; I do not know whether they are sensitive information or not.

Comment 5 (11 months ago)
This is an old bug – looks like a duplicate of #769755, in which Daniel remarks "people.mozilla.org" is intended for testing purposes and not bounty eligible:

> people.mozilla.org is for mozillians to upload random test stuff. It is not a site covered by the web bounty, and since files are not uploaded through a web interface there's really no value to an XSS on that site -- there's no auth to compromise.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 769755