Closed
Bug 1200007
Opened 9 years ago
Closed 9 years ago
Cross-site scripting vulnerability via date range
Categories
(addons.mozilla.org Graveyard :: Statistics, defect)
addons.mozilla.org Graveyard
Statistics
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jwkbugzilla, Assigned: andy+bugzilla)
Details
(Keywords: sec-high, wsec-xss)
Steps to reproduce:

1. If you used the statistics dashboard in this session already you might need to clear your cookies on AMO or log out and log in again.
2. Go to https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/statistics/?last=12%3Cimg%20src=%22dummy%22%20onerror=%22alert(%27xss%27)%22%3E
3. Now go to https://addons.mozilla.org/en-US/firefox/addon/javascript-deobfuscator/statistics/ or some other add-on's statistics dashboard.

Steps 2 and 3 produce an alert message saying "xss" - once the problematic range is remembered for your session, it will be reused until you switch to a different range manually, regardless of what link you use to get to the statistics dashboard.

I suspect that the problematic code here is https://github.com/mozilla/olympia/blob/966195c76f7d8e40d842c3bf4d74301947f52cfa/static/js/impala/stats/controls.js#L70 - similarly to bug 1198957 the jQuery selector here is using untrusted data, meaning that it can be interpreted as HTML code.
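The report above makes two points a defender has to cover: the `last` value from the query string ends up inside a jQuery selector (so any markup it carries travels with it), and the value is remembered for the session, so a poisoned range is replayed on every add-on's dashboard afterwards. The following is an added example written for this page, not code from the olympia project or its fix; the names (`parseLastParam`, `selectorForRange`, `rememberRange`, `recallRange`, `RANGE_DEFAULT`, `RANGE_MAX`) and the day bounds are assumptions, and the `Map` stands in for the real session or cookie store. It contrasts the concatenation shape with a version that reduces the parameter to a validated integer before it reaches a selector or the session, and re-validates on read.

```javascript
// Added example (not the olympia/AMO code): validate the `last` range parameter
// before it reaches a selector, an HTML string, or the session store.
// Hypothetical names and bounds: parseLastParam, RANGE_DEFAULT, RANGE_MAX,
// selectorForRange, rememberRange, recallRange; the real dashboard's values differ.

const RANGE_DEFAULT = 30;   // assumed fallback, in days
const RANGE_MAX = 365;      // assumed upper bound, in days

// Vulnerable shape: the raw query-string value is spliced into the selector.
// Whatever markup the URL carried travels with it, so any code path that
// treats the string as HTML will create the injected element. A library
// upgrade changes how such strings are parsed; it does not remove the markup.
function selectorForRangeUnsafe(rawLast) {
  return 'a.range[data-range="' + rawLast + '"]';
}

// Hardened: accept only a whole number of days in [1, RANGE_MAX]; everything
// else (markup, floats, negatives, trailing spaces, missing) collapses to the default.
function parseLastParam(raw) {
  if (typeof raw !== 'string' || !/^\d{1,3}$/.test(raw)) return RANGE_DEFAULT;
  const days = Number(raw);
  return days >= 1 && days <= RANGE_MAX ? days : RANGE_DEFAULT;
}

// Read `last` with the URL API so percent-encoding is decoded exactly once,
// then judge the decoded string with parseLastParam.
function rangeFromUrl(href) {
  return parseLastParam(new URL(href).searchParams.get('last'));
}

// The selector is built from the validated integer only, so it cannot contain
// '<', '>' or anything else that could be read as markup.
function selectorForRange(days) {
  return 'a.range[data-range="' + days + '"]';
}

// The session keeps the validated number and re-validates on read, so a value
// poisoned on one add-on's dashboard is not replayed on the next one.
const sessionStore = new Map();  // stand-in for the real session/cookie store
function rememberRange(sessionId, rawLast) {
  const days = parseLastParam(rawLast);
  sessionStore.set(sessionId, String(days));
  return days;
}
function recallRange(sessionId) {
  return parseLastParam(sessionStore.get(sessionId));
}

// Detection helper: does a built selector carry angle brackets that a numeric
// range can never legitimately produce?
function containsMarkup(selector) {
  return /[<>]/.test(selector);
}

// The URL from the report, run through both paths.
const reportedUrl = 'https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/statistics/?last=12%3Cimg%20src=%22dummy%22%20onerror=%22alert(%27xss%27)%22%3E';
const rawLast = new URL(reportedUrl).searchParams.get('last');

console.log(containsMarkup(selectorForRangeUnsafe(rawLast)));   // true
console.log(rangeFromUrl(reportedUrl));                            // 30
console.log(selectorForRange(rangeFromUrl(reportedUrl)));          // a.range[data-range="30"]
console.log(rememberRange('session-a', rawLast), recallRange('session-a'));  // 30 30
```

The point of validating on both write and read is the "remembered for your session" behaviour the report describes: even if a raw value reached the store before the fix was deployed, `recallRange` reduces it to a number again, so the dashboard never rebuilds a selector from stored markup.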
Updated•9 years ago
Group: addons-security
Comment 2•9 years ago
This should be fixed with the upgrade to jquery 1.9
Comment 3•9 years ago (Reporter)
Cannot confirm that. The link in comment 0 is still working, jQuery.fn.jquery returns "1.9.1". Not sure why, but the upgrade didn't fix it.
Updated•9 years ago
Comment 4•9 years ago (Assignee)
https://github.com/mozilla/olympia-security/pull/19/files
Assignee: nobody → amckay
Comment 5•9 years ago (Assignee)
Assigning to muffinresearch to remember it for the push.
Updated•9 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 6•9 years ago (Reporter)
Apparently, this is supposed to be fixed. However, the steps to reproduce from comment 0 are still working for me.
Comment 7•9 years ago (Reporter)
Actually, not reproducible on dev - I guess that I simply need to wait a bit longer.
Comment 8•9 years ago (Reporter)
Now it's no longer reproducible in production; it can be marked as verified as far as I am concerned.
Updated•9 years ago
Flags: sec-bounty? → sec-bounty+
Updated•8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
Updated•8 years ago
Group: addons-security, client-services-security
Flags: needinfo?(amuntner)