Closed Bug 1237967 Opened 4 years ago Closed 4 years ago

XSS in Edit Review Functionality of AMO (rating POST parameter is vulnerable)

Categories

(addons.mozilla.org Graveyard :: Administration, defect)

RESOLVED FIXED

People

(Reporter: justashar, Assigned: scolville)

Details

(Keywords: sec-low, wsec-selfxss)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

Steps to reproduce:

Hi,

I found an XSS in the Edit Review functionality of the Mozilla Add-ons site. If you're a logged-in user and have reviewed any add-on (this feature is available to all logged-in users), then your reviews can also be seen here:

https://addons.mozilla.org/en-US/firefox/user/usernamegoeshere/

Along with each review, one can see an Edit Review link. If you click on Edit Review, the URL looks like:

https://addons.mozilla.org/en-US/firefox/user/[username]/#review-edit-form

Fill the form with any values. The point of interest in the POST request sent when you submit the edit review form is the "rating" parameter.

You can change the "rating" parameter to any XSS vector, e.g. '"><img src=x onerror=confirm(document.domain)>, and it is reflected back without encoding.

Actual results:

It results in JavaScript code execution. The screenshot is also attached.

Expected results:

Output encoding is missing here. The site handles this correctly when you change the rating parameter while adding a new review (https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/reviews/add): there it properly encodes the output, but this was missed for Edit a Review.
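The defect described above is a reflected value rendered without output encoding. The following is an added illustration, not code from addons-server or the fix referenced in this bug: a minimal render function in the unencoded shape the report describes, beside a hardened version that validates the rating as an integer (a five-star range is an assumption here) and HTML-encodes anything it echoes back, including the rejected input in an error message. The payload string is the one quoted in the report, used only as test input to confirm the encoding holds.

```python
import html
from typing import Optional

# Constructed test input: the vector quoted in the report, which must never reach the page raw.
SAMPLE_PAYLOAD = '\'"><img src=x onerror=confirm(document.domain)>'


def render_rating_unescaped(rating: str) -> str:
    """The pattern the report describes: the submitted value is interpolated
    into the response body with no output encoding. Illustrative only, not
    the project's code."""
    return f'<span class="rating">{rating}</span>'


def parse_rating(raw: str) -> Optional[int]:
    """Validate the rating field as an integer in 1..5 (assumed five-star scale).
    Anything else, including markup, is rejected rather than passed through."""
    try:
        value = int(raw.strip())
    except (ValueError, AttributeError):
        return None
    return value if 1 <= value <= 5 else None


def render_rating_safe(raw: str) -> str:
    """Hardened rendering: validate first, then HTML-encode whatever is echoed
    back. The error path is the one most easily forgotten, since it is exactly
    where the original, untrusted value gets repeated to the user."""
    rating = parse_rating(raw)
    if rating is None:
        # quote=True also encodes ' and ", so the value is safe inside attributes too.
        return '<span class="error">Invalid rating: {}</span>'.format(
            html.escape(raw, quote=True))
    return f'<span class="rating">{rating}</span>'


def contains_active_markup(rendered: str) -> bool:
    """Demonstration check: strip the wrapper tags the renderer itself emits and
    report whether any '<' or '>' introduced by the input survives in the fragment."""
    stripped = rendered
    for tag in ('<span class="rating">', '<span class="error">', '</span>'):
        stripped = stripped.replace(tag, '')
    return '<' in stripped or '>' in stripped


if __name__ == '__main__':
    print('unencoded:', render_rating_unescaped(SAMPLE_PAYLOAD))
    print('hardened: ', render_rating_safe(SAMPLE_PAYLOAD))
    print('valid 4:  ', render_rating_safe('4'))
```

The check function is deliberately crude; in a real template engine the equivalent guarantee comes from autoescaping being on for every path that echoes the field, which is the property the "add review" form had and the "edit review" form lacked.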
Ashar -- is that Edit Review page visible to users other than yourself? Are you able to get the reflected XSS when logged in as a separate user, or not logged in?
Flags: needinfo?(justashar)

No. It does not reflect for the other user. The exploitation for this case is hard given self-XSS.
Flags: needinfo?(justashar)

Hi. No progress on this bug. I think it is because of low profile XSS or ...

Sorry about that, it's been a busy week. :)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-low, wsec-xss
Summary: XSS in Edit Review Functionality of https://addons.mozilla.org (rating POST parameter is vulnerable) → XSS in Edit Review Functionality of AMO (rating POST parameter is vulnerable)

It was just a reminder and it seems it worked out :) Bug status has been changed :)

Stuart, whilst you are looking at CSP etc., could you take a quick look at this please? It's a self-XSS so very low priority.
Assignee: nobody → scolville
Component: Add-on Security → Administration

Fix is committed - should be rolled out shortly. https://github.com/mozilla/addons-server/commit/29e7607aefc08c3b2e4f07c4e055b0c5575253b8
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

Fix is on prod.

Good! Can you make it open? It is closed for public viewing.

Done!
Group: client-services-security
Keywords: wsec-xss → wsec-selfxss
Product: addons.mozilla.org → addons.mozilla.org Graveyard