Closed Bug 1247389 Opened 9 years ago Closed 9 years ago

XSS in qsurvey.mozilla.com

Categories

(Websites :: other.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: shailesh4594, Unassigned)

Details

(Keywords: reporter-external, sec-low, wsec-xss)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160204142810

Steps to reproduce:

1. Open http://qsurvey.mozilla.com/s3/Developer-Audience-Survey-V2/?s=%22%20%20accesskey=%22x%22%20onclick=%22alert%28document.domain%29%22%3E%20PLEASE%20PRESS%20%22CTRL+ALT+X%22%20TO%20PRECEED
2. Press CTRL+ALT+X
3. Done

Actual results:

There is an XSS bug. An attacker can execute JavaScript in the victim's browser.

Expected results:

Arguments should be filtered by XSS protection.
Shailesh - Thank you for your bug report! This bug is very similar to Bug #1199972 and Bug #1241169, which are pending. It's very possible it's due to the same core issue, but it includes an additional parameter and a requirement for user interaction beyond just clicking the link, which was not already mentioned. We already have a request in to the vendor to improve their XSS handling of this code; if their fix addresses those bugs but doesn't address this bug, I'd consider this a non-duplicate. We can leave it open for now until that determination is made. Gregg - Please be aware that we have another variation of this issue here.
Assignee: ianb → nobody
Group: client-services-security → websites-security
Component: HTML → other.mozilla.org
Flags: needinfo?(glind)
Product: Web Apps → Websites
Flags: sec-bounty?
Gregg - This is a classic example to share with the vendor as to why their find/replace XSS mitigation strategy is insufficient. They strip out key values, but they don't prevent the confusion of code and data. The best strategy to combat this is to URL encode the user supplied data (as mentioned prior) so that it can't jump those boundaries.
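The failure mode described in the comment above, as an added example that is not the vendor's code or anything from this bug: a token-stripping filter leaves the quote and `>` characters that let the payload close the attribute and add `accesskey`/`onclick`, while encoding the value for the attribute context keeps it inside the attribute. The `<input>` template and the filter's token list are assumptions; the real survey page's markup is not shown in the report.

```javascript
// Added example: token-stripping versus attribute-context encoding for the
// accesskey/onclick payload in this bug. Template and token list are
// constructed for illustration; the actual qsurvey markup is unknown.

// The `s` parameter from the report, URL-decoded.
const PAYLOAD = '"  accesskey="x" onclick="alert(document.domain)"> PLEASE PRESS "CTRL+ALT+X" TO PRECEED';

// Hypothetical find/replace mitigation: delete a few "key values".
// Quotes and '>' pass through untouched, so the value can still
// break out of the attribute it was meant to stay inside.
const STRIP_LIST = [/<script/gi, /javascript:/gi, /alert\(/gi];
function stripFilter(value) {
  return STRIP_LIST.reduce((acc, re) => acc.replace(re, ''), value);
}

// Context-appropriate mitigation: encode every character that carries
// meaning inside a double-quoted HTML attribute. The value can no longer
// close the attribute or start a new one, whatever tokens it contains.
function encodeForAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return value.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed page template: the query parameter is reflected into a
// double-quoted attribute value.
function renderWith(filter, s) {
  return `<input type="hidden" name="s" value="${filter(s)}">`;
}

// Defender's check: list the attributes actually present on the rendered tag.
// The template declares exactly type, name and value; anything else was
// injected by the user-supplied data.
function attributeNames(html) {
  const tag = html.match(/<input\b([^>]*)>/);
  if (!tag) return [];
  return [...tag[1].matchAll(/([a-z-]+)="[^"]*"/gi)].map((m) => m[1].toLowerCase());
}

function injectedAttributes(filter) {
  const declared = ['type', 'name', 'value'];
  return attributeNames(renderWith(filter, PAYLOAD)).filter((n) => !declared.includes(n));
}

console.log('strip filter, injected attributes:', injectedAttributes(stripFilter));
console.log('attribute encoding, injected attributes:', injectedAttributes(encodeForAttribute));
```

With the stripping filter the rendered tag still carries `accesskey` and `onclick` (only the `alert(` token is gone), while the encoded render carries only the three declared attributes.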
The vendor recently deployed a more comprehensive XSS filter, which makes this vector no longer viable. Click here to observe the new behavior: http://qsurvey.mozilla.com/s3/Developer-Audience-Survey-V2/?s=%22%20%20accesskey=%22x%22%20onclick=%22alert%28document.domain%29%22%3E%20PLEASE%20PRESS%20%22CTRL+ALT+X%22%20TO%20PRECEED
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(glind)
Resolution: --- → FIXED
Hello Jonathan, is this submission eligible for bounty, or is it a dup?
Shailesh - Not in this case; here are the reasons why...

1.) qsurvey.mozilla.org is not officially part of the bug bounty program.
2.) The issue overlaps with the pre-existing cases above, which were a result of a systemic failure in the vendor's safe handling of user input that we were already aware of. Before your case was submitted, we had already been in contact with the vendor to obtain a more complete fix for this, and upon completion of that work it also addressed this issue.
3.) The issue is XSS, but was rated sec-low given the impact and the likelihood that a user would follow through with the additional requirements.

The following page is helpful in determining what applications are officially part of the web bug bounty program, to help focus your efforts on eligible sites in the future: https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/
Flags: sec-bounty?
Flags: sec-bounty-
Group: websites-security