XSS in support.mozilla.org

RESOLVED FIXED

Status

Product: support.mozilla.org
Component: General
Status: RESOLVED FIXED
Reported: 2 years ago
Last modified: 2 years ago

People

(Reporter: Cameron Dawe, Assigned: mythmon)

Tracking

Version: unspecified
Keywords: sec-high, wsec-xss
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:25.7) Gecko/20151012 Firefox/31.9 PaleMoon/25.7.3
Build ID: 20151012153601

Steps to reproduce:

Visit Here - https://support.mozilla.org/en-US/

In the search bar put the following - "><svg/onload=prompt(/XSSPOSED/)>

Executes the code


Actual results:

Screenshot of POC - https://i.gyazo.com/33772b16b391c7f766414fcd859cc24a.png


Expected results:

Should not have executed the JavaScript.
cc:ing Mike since he runs sumo.

Updated

2 years ago
Assignee: nobody → mcooper
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Keywords: sec-high, wsec-xss
Duplicate of this bug: 1224850
(Assignee)

Comment 3

2 years ago
PR: https://github.com/mozilla/kitsune/pull/2723
Deployed to prod.
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
(Reporter)

Comment 4

2 years ago
Glad to see it's fixed, great work all involved!

Was this worthy of credit and/or bug bounty?
Please email security@mozilla.org if you would like this bug to be considered for a Bounty. More info at: https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#what-next
Flags: sec-bounty?
Mike: this bug and the dupe both manually entered the payload into the search field, which SUMO magically whisks off and processes. As an attack this is less interesting than a search that can be forced on a victim through a GET, like https://support.mozilla.org/en-US/search?q=blahblah&w=3&qs=plugin

The page I get from that is slightly different, but would that have also been susceptible to this attack?
Flags: needinfo?(mcooper)
(Assignee)

Comment 7

2 years ago
Daniel: the search that can be accessed directly from the url like that is different, and wasn't vulnerable to this XSS.

Specifically, the problem was in Nunjucks templates used on the client side that lacked proper escaping. On the other hand, the /en-US/search?q=... page is rendered server side with a different set of templates rendered with Jinja2.
Flags: needinfo?(mcooper)
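The root cause stated in Comment 7 (a client-side Nunjucks template that interpolated the search text without escaping) and the reporter's reproduction steps both come down to one thing: user input reaching the DOM through a `{{ ... }}` placeholder with no HTML escaping. The following is an added illustration, not kitsune's code and not the real Nunjucks library; it is a minimal stand-in renderer whose `autoescape` switch reproduces the defect on one side and the fix on the other. The template string, the `renderSearchHeading` helper, the `containsUnescapedMarkup` check and the sample payload are all constructed for this example.

```javascript
// Added example (not kitsune code, not the Nunjucks library): a minimal
// "{{ var }}" renderer with and without autoescaping, to show why an
// unescaped client-side template turns a search string into markup.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in for a Nunjucks-style template: replaces {{ name }} with ctx[name].
// autoescape=false reproduces the reported defect; autoescape=true is the fix.
function renderTemplate(template, ctx, { autoescape }) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) => {
    const raw = ctx[name] === undefined ? '' : ctx[name];
    return autoescape ? escapeHtml(raw) : String(raw);
  });
}

// Hypothetical client-side template for a "results for ..." heading that also
// echoes the query back into the search box's value attribute.
const SEARCH_HEADING =
  '<h2>Results for "{{ query }}"</h2><input type="text" value="{{ query }}">';

function renderSearchHeading(query, autoescape) {
  return renderTemplate(SEARCH_HEADING, { query }, { autoescape });
}

// Demonstration-only check: the rendered HTML still contains the raw input
// even though escaping would have changed it, so the input became markup.
function containsUnescapedMarkup(html, userInput) {
  return html.includes(userInput) && userInput !== escapeHtml(userInput);
}

// Constructed sample input with the same shape as the one in the report.
const PAYLOAD = '"><svg/onload=prompt(1)>';

// Running this file directly shows the two renderings side by side.
console.log('autoescape=false :', renderSearchHeading(PAYLOAD, false));
console.log('autoescape=true  :', renderSearchHeading(PAYLOAD, true));
```

With `autoescape` off, the quote and angle brackets from the query close the `value="` attribute and open a new element; with it on, the same query is rendered as `&quot;&gt;&lt;svg/onload=prompt(1)&gt;` and stays inert text. Real Nunjucks exposes the same switch as the `autoescape` option of `nunjucks.configure()`, and the server-side Jinja2 templates mentioned in the comment apply the equivalent escaping by default, which is why the GET-driven `/en-US/search?q=...` page was not affected.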
This issue is a self-XSS then and is not eligible for the bounty because other users are not vulnerable.
Flags: sec-bounty? → sec-bounty-
(Assignee)

Updated

2 years ago
Duplicate of this bug: 1238593
Duplicate of this bug: 1247292
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security