Closed Bug 1200007 Opened 9 years ago Closed 9 years ago

Cross-site scripting vulnerability via date range

Component: addons.mozilla.org Graveyard :: Statistics (defect)
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: jwkbugzilla, Assigned: andy+bugzilla
Keywords: sec-high, wsec-xss

Steps to reproduce:

1. If you used the statistics dashboard in this session already, you might need to clear your cookies on AMO or log out and log in again.
2. Go to https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/statistics/?last=12%3Cimg%20src=%22dummy%22%20onerror=%22alert(%27xss%27)%22%3E
3. Now go to https://addons.mozilla.org/en-US/firefox/addon/javascript-deobfuscator/statistics/ or some other add-on's statistics dashboard.

Steps 2 and 3 produce an alert message saying "xss": once the problematic range is remembered for your session, it will be reused until you switch to a different range manually, regardless of what link you use to get to the statistics dashboard. I suspect that the problematic code here is https://github.com/mozilla/olympia/blob/966195c76f7d8e40d842c3bf4d74301947f52cfa/static/js/impala/stats/controls.js#L70 - similarly to bug 1198957, the jQuery selector here is using untrusted data, meaning that it can be interpreted as HTML code.
Confirmed, and thank you Wladimir.
Whiteboard: [sec-high]
Group: addons-security
This should be fixed with the upgrade to jquery 1.9
Cannot confirm that. The link in comment 0 is still working, jQuery.fn.jquery returns "1.9.1". Not sure why but the upgrade didn't fix it.
Flags: sec-bounty?
Keywords: sec-high, wsec-xss
Whiteboard: [sec-high]
https://github.com/mozilla/olympia-security/pull/19/files
Assignee: nobody → amckay
Assigning to muffinresearch to remember it for the push.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Apparently, this is supposed to be fixed. However, the steps to reproduce from comment 0 are still working for me.
Actually, not reproducible on dev - I guess that I simply need to wait a bit longer.
Now it's no longer reproducible in production, can be marked as verified as far as I am concerned.
Flags: sec-bounty? → sec-bounty+
Product: addons.mozilla.org → addons.mozilla.org Graveyard
This should be public I think.
Flags: needinfo?(amuntner)
Group: addons-security, client-services-security
Flags: needinfo?(amuntner)