Bug 1223970 - XSS in support.mozilla.org
Status: Closed, RESOLVED FIXED
Opened 9 years ago, Closed 9 years ago
Categories: support.mozilla.org :: General, defect
Tracking: Not tracked
People: Reporter: admin, Assigned: mythmon
Keywords: sec-high, wsec-xss
Description
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:25.7) Gecko/20151012 Firefox/31.9 PaleMoon/25.7.3
Build ID: 20151012153601

Steps to reproduce:
Visit Here - https://support.mozilla.org/en-US/
In the search bar put the following - "><svg/onload=prompt(/XSSPOSED/)>
Executes the code

Actual results:
Screenshot of POC - https://i.gyazo.com/33772b16b391c7f766414fcd859cc24a.png

Expected results:
Should not have executed the JavaScript.
Comment 1•9 years ago
cc:ing Mike since he runs sumo.
Updated•9 years ago

Comment 3•9 years ago (Assignee)
PR: https://github.com/mozilla/kitsune/pull/2723
Deployed to prod.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 4•9 years ago (Reporter)
Glad to see it's fixed, great work all involved! Was this worthy of credit and/or bug bounty?
Comment 5•9 years ago
Please email security@mozilla.org if you would like this bug to be considered for a Bounty. More info at: https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#what-next
Updated•9 years ago
Flags: sec-bounty?
Comment 6•9 years ago
Mike: this bug and the dupe both manually entered the payload into the search field, which SUMO magically whisks off and processes. As an attack this is less interesting than a search that can be forced on a victim through a GET, like
https://support.mozilla.org/en-US/search?q=blahblah&w=3&qs=plugin
The page I get from that is slightly different, but would that have also been susceptible to this attack?
Flags: needinfo?(mcooper)
Comment 7•9 years ago (Assignee)
Daniel: the search that can be accessed directly from the url like that is different, and wasn't vulnerable to this XSS. Specifically, the problem was in Nunjucks templates used on the client side that lacked proper escaping. On the other hand, the /en-US/search?q=... page is rendered server side with a different set of templates rendered with Jinja2.
Flags: needinfo?(mcooper)
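Comment 7 locates the bug in client-side templates that lacked escaping. As an added illustration (not kitsune's code and not the contents of PR 2723), the snippet below renders the search term from the report through that unescaped pattern and beside it through interpolation escaped the way an autoescaping template engine would do it, plus a simple check that a rendered fragment contains only the template's own tags; the function names and the results-header markup are assumed for the example.

```javascript
// Added example, not kitsune's code: the client-side bug class described in
// comment 7, a template that interpolates the user's search term into HTML
// without escaping, beside the escaped form. The escape table covers the five
// characters an HTML-autoescaping template engine replaces.

// Constructed sample input: the payload from the bug report.
const PAYLOAD = '"><svg/onload=prompt(/XSSPOSED/)>';

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// The vulnerable pattern (assumed markup): the term is concatenated straight
// into a fragment that is later assigned to innerHTML, so the closing quote and
// the <svg> tag break out of the attribute and become live elements.
function renderResultsHeaderUnsafe(term) {
  return '<h2 class="results" data-query="' + term + '">Results for ' + term + '</h2>';
}

// The hardened pattern: every interpolation point is escaped, which is what a
// template engine's autoescape does for you when it is switched on.
function renderResultsHeaderSafe(term) {
  const q = escapeHtml(term);
  return '<h2 class="results" data-query="' + q + '">Results for ' + q + '</h2>';
}

// A defender's check: after interpolation, the only opening tags in the output
// should be the template's own. Compare the tag count against the template
// rendered with an empty term.
function countTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

function introducesMarkup(render, term) {
  return countTags(render(term)) !== countTags(render(''));
}
```

Run with Node; introducesMarkup reports true for the unescaped renderer and false for the escaped one on the report's payload.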
Comment 8•9 years ago
This issue is a self-XSS then and is not eligible for the bounty because other users are not vulnerable.
Flags: sec-bounty? → sec-bounty-
Comment 11•8 years ago
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security