pontoon Stored Cross-site Scripting

Status: RESOLVED FIXED
Reported: 3 years ago
Modified: a year ago

People

(Reporter: Tazuwk, Assigned: jotes, NeedInfo)

Tracking

(Blocks: 2 bugs, {sec-critical, wsec-xss})

Version: Trunk
Keywords: sec-critical, wsec-xss
Points: ---
Bug Flags: sec-bounty+

Firefox Tracking Flags

(Not tracked)

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
Created attachment 8733468 [details]
pontoon.png

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Steps to reproduce:

go to "https://pontoon.mozilla.org"
Login as a new user
go to "https://pontoon.mozilla.org/profile/"
in [what's your name ?] input type "<svg/onload=prompt("XSS)>"
go to "https://pontoon.mozilla.org/projects/"


Actual results:

XSS pop-up appears
(even to non-authenticated users)


Expected results:

Filtering the inputs
(Assignee)

Updated

3 years ago
Assignee: nobody → jot

Comment 1

3 years ago
Commits pushed to master at https://github.com/mozilla/pontoon

https://github.com/mozilla/pontoon/commit/83c97bb3c197052caca4ebc62773fb996877370d
Fix bug 1258774 Sanitize first_name during saving user profile.

https://github.com/mozilla/pontoon/commit/cecaf470a87b219fedadc985ef0fc272c90e9be8
Merge pull request #367 from jotes/bug_1258774_fix

Fix bug 1258774 Sanitize first_name.
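The two layers the commits above describe, sanitizing first_name when the profile is saved and escaping it when it is rendered on a page such as the projects view, shown as an added plain-Python illustration (this is not Pontoon's code; the function names and the tag-stripping logic are assumed, and the sample input is the string from the report):

```python
import html
import re

# Constructed sample input: the exact string from the report, plus a benign name.
REPORTED_NAME = '<svg/onload=prompt("XSS)>'
BENIGN_NAME = "Ana María O'Neil"

# A complete tag, or an unterminated "<..." run at the end of the string.
TAG_RE = re.compile(r"<[^>]*>?")


def sanitize_name(raw: str, max_len: int = 100) -> str:
    """Save-time sanitizer (assumed logic, in the spirit of the first commit):
    drop anything tag-like, drop stray angle brackets, trim, and cap the length.
    This is defence in depth only; it does not replace output escaping."""
    cleaned = TAG_RE.sub("", raw)
    cleaned = cleaned.replace("<", "").replace(">", "")
    cleaned = " ".join(cleaned.split())
    return cleaned[:max_len]


def render_contributor(name: str, autoescape: bool = True) -> str:
    """Render one contributor entry. autoescape=False models the bug: the stored
    name is dropped into the page as markup. The default renders it as text."""
    shown = html.escape(name, quote=True) if autoescape else name
    return f"<li>{shown}</li>"


def contains_user_markup(fragment: str) -> bool:
    """Detection check: did any user-controlled angle bracket survive rendering?"""
    inner = fragment[len("<li>"):-len("</li>")]
    return "<" in inner or ">" in inner


if __name__ == "__main__":
    # The bug as reported: neither sanitized nor escaped, the name reaches the browser as markup.
    print(render_contributor(REPORTED_NAME, autoescape=False))
    # Fixed: escaping alone neutralises it; sanitizing on save removes it entirely.
    print(render_contributor(REPORTED_NAME))
    print(render_contributor(sanitize_name(REPORTED_NAME)))
    print(render_contributor(sanitize_name(BENIGN_NAME)))
```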

Updated

3 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Reporter)

Comment 2

3 years ago
That means it qualifies for a bounty?
Flags: needinfo?(jot)
Muhammed, thank you so much for reporting this!

I don't know if https://pontoon.mozilla.org/ is part of the bug bounty program, so I'm NIing Al and Daniel who can help us figure it out.
Flags: needinfo?(jot)
Flags: needinfo?(dveditz)
Flags: needinfo?(abillings)

Comment 4

3 years ago
putting it on the bounty nomination review list
Flags: sec-bounty?
Flags: needinfo?(dveditz)
Flags: needinfo?(abillings)

Comment 5

3 years ago
Commits pushed to master at https://github.com/mozilla/pontoon

https://github.com/mozilla/pontoon/commit/1994ca599dd7231a8baf44b7d96143805d277a21
Fix bug 1258774. Added tests for the nospam template filter and the save-user-name view.

https://github.com/mozilla/pontoon/commit/221c3b50ff64ba0f87a8bb24acf913e675ca9202
Merge pull request #368 from jotes/bug_1258774_tests

Fix bug 1258774. Added tests for the nospam template filter and the s…
From what I see on the wiki, stored XSS qualifies as sec-critical:
https://wiki.mozilla.org/Security_Severity_Ratings
Keywords: sec-critical
(Reporter)

Comment 7

3 years ago
Are there any updates?
Bug Bounty Committee: We aren't familiar with this site or what it is. That affects the security rating.

Note: This site is not normally eligible for bounties as it isn't on the list in the FAQ.
Flags: needinfo?(m)
Flags: needinfo?(amuntner)
Keywords: sec-critical
(Reporter)

Comment 9

3 years ago
I can see "Additionally, Mozilla services that handle reasonably sensitive user data such as Sync and Hello are in scope for the bug bounty program."
https://pontoon.mozilla.org/ has many users whose data it holds, and it also logs in through the "https://login.persona.org/" API, which can be used to log in to most Mozilla apps.
Please send email to security@mozilla.org if you want to discuss this further.

If a site isn't explicitly on the list of sites covered in the bounty program, then we normally will not pay bounties for those sites unless the issue is exceptionally bad. Simply asserting that it should be covered does not change this, which is why we publish a list in the first place.

See https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs

We need more feedback from the developer about this site to understand the scope of the danger.
(Reporter)

Comment 11

3 years ago
I think it has an extremely bad effect because all users will be affected by one single attack; the pop-up appears to all registered users on this site.
I think you should see the PoC or try the bug.
(Reporter)

Comment 12

3 years ago
Pop up*^
Pontoon is an internal localization tool, used by most Mozilla localization teams. Currently, there are 852 registered users.

Let me know if you need any other info about the site.
Flags: needinfo?(m)
(Reporter)

Comment 14

3 years ago
I think mathjazz strengthens my point of view.
(Reporter)

Comment 15

3 years ago
Are there any updates?!
Flags: needinfo?(m)
Flags: needinfo?(abillings)
Muhammed, please follow the advice from Comment 10.
Flags: needinfo?(m)
Any updates on fixes will appear in this bug. If there are no comments, there are no updates.

We are waiting on Adam Muntner to determine the security rating of this issue before a final decision is made about whether it is eligible for a bounty. As previously stated, this site is not normally on the list of eligible sites.
Flags: needinfo?(abillings)
Flags: sec-bounty? → sec-bounty+
Keywords: sec-critical, wsec-xss
Blocks: 1261893
(Reporter)

Comment 18

2 years ago
Hello,

I am sorry for that, but I am not seeing my name in the Mozilla Hall of Fame for the first quarter:
https://www.mozilla.org/en-US/security/bug-bounty/hall-of-fame/
If it's OK, I would like to be added as "Muhammed Gamal Fahmy".

Thanks :)
Blocks: 1338247