Output encoding error, would be XSS if content type of response were to change.

RESOLVED DUPLICATE of bug 1223970

Status

support.mozilla.org
Code Quality

People

(Reporter: adamm, Unassigned)

Tracking

({sec-moderate, wsec-xss})



If the content type were text/html, this would be XSS. I couldn't find a way to get it reflected into a page, but that doesn't mean there isn't a way.

Safe HTML-encoded output should be used for user input to the q parameter.

Marking as moderate because it's not provably exploitable, but I'd like to see it fixed anyway.

https://support.mozilla.org/en-US/search/suggestions?q={searchTerms56242<script>alert(1)<%2fscript>360ed

GET /en-US/search/suggestions?q={searchTerms56242<script>alert(1)<%2fscript>360ed HTTP/1.1
Host: support.mozilla.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close


HTTP/1.1 200 OK
Server: Apache
X-Backend-Server: support2.webapp.phx1.mozilla.com
Vary: X-Mobile,User-Agent
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-suggestions+json      <-------
(snip)

["{searchTerms56242<script>alert(1)</script>360ed", ["JavaScript settings and preferences for interactive web pages", "Warning Unresponsive script - What it means and how to fix it", (snip)
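The fix the report asks for is HTML-safe output encoding of the q parameter while the response keeps its JSON content type. The Python below is an added example, not Kitsune's or Mozilla's code: it serialises the suggestions array with HTML-significant characters written as \u escapes (so the raw `<script>` never reaches the body even if the content type were to change), sets `X-Content-Type-Options: nosniff` so a browser will not sniff the body into text/html, and includes a small review check that flags a response with an HTML content type, a missing nosniff header, or raw angle brackets. The sample query and completions are constructed from the report above; the helper names are hypothetical.

```python
import json

# Constructed sample inputs: the reflected search term from the report and two
# made-up completions (not taken from the live SUMO suggestion index).
SAMPLE_QUERY = "{searchTerms56242<script>alert(1)</script>360ed"
SAMPLE_COMPLETIONS = [
    "JavaScript settings and preferences for interactive web pages",
    "Warning Unresponsive script - What it means and how to fix it",
]

# Characters an HTML parser cares about that are legal inside a JSON string.
# Writing them as \uXXXX escapes leaves the decoded JSON unchanged but keeps
# the raw bytes "<script>" out of the response body entirely.
_HTML_SAFE_ESCAPES = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "'": "\\u0027",
    "\u2028": "\\u2028",  # line/paragraph separators break inline <script> JS
    "\u2029": "\\u2029",
}


def html_safe_json(value):
    """Serialise value to JSON with HTML-significant characters \\u-escaped.

    json.dumps has already escaped backslashes and double quotes, so the
    replacements below cannot double-escape anything.
    """
    text = json.dumps(value, ensure_ascii=False, separators=(",", ":"))
    for raw, escaped in _HTML_SAFE_ESCAPES.items():
        text = text.replace(raw, escaped)
    return text


def suggestions_response(query, completions):
    """Build a suggestions reply shaped like the one in the report.

    Hypothetical helper, not Kitsune's view code. Returns (status, headers, body)
    where body is the [query, [completion, ...]] array seen in the response above.
    """
    body = html_safe_json([query, list(completions)])
    headers = {
        "Content-Type": "application/x-suggestions+json; charset=utf-8",
        # Refuse MIME sniffing so the body is never promoted to text/html.
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


def decode_body(body):
    """Parse a response body back into Python data (for round-trip checks)."""
    return json.loads(body)


def review_response(headers, body):
    """Flag the conditions the report is concerned about; empty list means clean."""
    findings = []
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in ("", "text/html", "application/xhtml+xml"):
        findings.append("content type lets the browser render the body as HTML")
    if headers.get("X-Content-Type-Options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "<" in body or ">" in body:
        findings.append("raw angle brackets reflected into the body")
    return findings


if __name__ == "__main__":
    status, headers, body = suggestions_response(SAMPLE_QUERY, SAMPLE_COMPLETIONS)
    print(status, headers["Content-Type"])
    print(body)
    print("findings:", review_response(headers, body))
```

Decoding the escaped body gives back exactly the original query, so clients that consume the suggestions are unaffected; only the on-the-wire bytes change. The review check is the kind of assertion worth keeping in a test suite for any endpoint that reflects request input, since it catches a content-type regression independently of whether the encoding is correct.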
(Reporter)

Comment 1

2 years ago
Closing as a duplicate of bug 1223970; the issue is a safe artifact of the template engine.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1223970
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security