STR:
1: Visit https://sso.mozilla.com/signout.html?app=%3Cs%3E%3Cimg%20src=x%20onerror=alert%281%29%3Emeh
2: XSS

Affected code:
> var query_str = decodeURIComponent(getQuerystring('app'));
> …
> response += " of "+query_str+".</h2><br /><br />"+okta_msg;
> …
> document.write(response);

Suggested patch: Add a line that removes everything from query_str that is not alphanumeric, i.e.,
> query_str = query_str.replace(/[^A-Za-z0-9]/gmi, "");
I don't think I wrote sso.mozilla.com, :jabba any thoughts?
The code is at https://github.com/mozilla/sso-mozilla-com . Webops team (cturra) wrote it. Not sure who has access to update it now that cturra is gone.
I've patched the code here: https://github.com/rtucker-mozilla/sso-mozilla-com/commit/74c7eb2a843538b4dcaa4c23027737ce8611c06f PR here: https://github.com/mozilla/sso-mozilla-com/pull/1 //cc Shyam to figure out how to deploy this thing
Rob, Not sure there's a dev/stage site, is this safe enough to deploy directly into prod? https://github.com/mozilla/sso-mozilla-com/pull/1/files
Should be safe to deploy. The main purpose of the site is simply to display a logout page to various SAML-enabled applications. Most of the site's other functionality is just a bunch of redirects in apache, independent of the code.
(In reply to Justin Dow [:jabba] from comment #5)
> Should be safe to deploy. The main purpose of the site is simply to display
> a logout page to various SAML-enabled applications. Most of the site's other
> functionality is just a bunch of redirects in apache, independent of the
> code.

Ok, I'll do this tomorrow morning then.
Fix has been deployed, can someone please test and close it out? Thanks!
I looked at https://sso.mozilla.com/signout.html?app=%27goodfs%22%3E%3C which indeed strips out undesired characters.
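The following is an added example, not code from the sso-mozilla-com repository or from anyone in this bug. It puts the allow-list filter suggested in comment 0 next to an HTML-escaping alternative, reproduces the "parse the app parameter, decode it, build the logout message" flow outside a browser, and checks both the report's URL and the verification URL from the previous comment. The function names, the hypothetical message text and the tiny query-string parser are assumptions made for the example; the real page uses a getQuerystring helper and document.write, which are not reproduced here.

```javascript
// Added example (not the project's code). Two ways to make the signout page's
// "app" parameter safe before it is concatenated into HTML.

// 1. Allow-list filter, as in the bug's suggested patch: keep only
//    alphanumerics. String.prototype.replace returns a new string, so the
//    result must be assigned or returned; a bare `query_str.replace(...)`
//    statement on its own would leave query_str untouched.
function sanitizeAppName(raw) {
  return String(raw).replace(/[^A-Za-z0-9]/g, "");
}

// 2. HTML-escaping alternative: any application name survives verbatim but
//    can no longer close or open tags or attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical stand-in for the page's getQuerystring('app') followed by
// decodeURIComponent, written against a URL string so it runs without a
// browser. Splits each pair on the first "=" only, since the decoded value
// may itself contain "=".
function appParamFromUrl(url) {
  const qs = url.split("?")[1] || "";
  for (const pair of qs.split("&")) {
    const i = pair.indexOf("=");
    const key = i < 0 ? pair : pair.slice(0, i);
    const val = i < 0 ? "" : pair.slice(i + 1);
    if (decodeURIComponent(key) === "app") {
      return decodeURIComponent(val.replace(/\+/g, " "));
    }
  }
  return "";
}

// Builds the fragment the page concatenates (" of " + query_str + ".</h2>"),
// with the parameter passed through the chosen sanitizer first. The
// surrounding message text is a constructed placeholder, not the site's.
function buildLogoutFragment(url, sanitize = sanitizeAppName) {
  const app = sanitize(appParamFromUrl(url));
  return "You have been logged out of " + app + ".</h2>";
}

// True when the produced fragment contains no markup beyond the fixed
// closing </h2> that the page itself emits.
function fragmentIsInert(fragment) {
  const withoutFixedTag = fragment.replace("</h2>", "");
  return !/[<>"']/.test(withoutFixedTag);
}
```

Both sanitizers are applied to the decoded value, not the raw URL, because decodeURIComponent runs before the concatenation in the affected code; filtering the still-encoded string would let percent-encoded characters through. The allow-list is the simpler fix for a value that only ever names an application; escaping is the choice when the displayed text legitimately needs punctuation.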
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Assignee: nobody → infra
status-firefox40: affected → ---
Component: SSO → Infrastructure: SSO
Product: Webtools → Infrastructure & Operations
Version: Trunk → unspecified