Bug 1258774
Opened 9 years ago
Closed 9 years ago
pontoon Stored Cross-site Scripting
Categories
(Webtools Graveyard :: Pontoon, defect)
Tracking
(Not tracked)
RESOLVED FIXED
People
(Reporter: Tazuwk, Assigned: jotes)
Details
(Keywords: reporter-external, sec-critical, wsec-xss)
Attachments
(1 file)
115.47 KB, image/png
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Steps to reproduce:
go to "https://pontoon.mozilla.org"
Login as a new User
go to "https://pontoon.mozilla.org/profile/"
in [what's your name ?] input type "<svg/onload=prompt("XSS)>"
go to "https://pontoon.mozilla.org/projects/"
Actual results:
XSS Pop-up appears
(Even to non-Authenticated users)
Expected results:
Filtering the inputs
Updated•9 years ago
Assignee: nobody → jot
Comment 1•9 years ago
Commits pushed to master at https://github.com/mozilla/pontoon
https://github.com/mozilla/pontoon/commit/83c97bb3c197052caca4ebc62773fb996877370d
Fix bug 1258774 Sanitize first_name during saving user profile.
https://github.com/mozilla/pontoon/commit/cecaf470a87b219fedadc985ef0fc272c90e9be8
Merge pull request #367 from jotes/bug_1258774_fix
Fix bug 1258774 Sanitize first_name.
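The two commit messages above describe the fix only at the level of "sanitize first_name when the profile is saved" and a "nospam" template filter. The following Python example is added here to show what that two-layer defence looks like in practice; it is not Pontoon's code, and the function names (sanitize_name_on_save, nospam, render_profile), the span wrapper markup and the sample name are all assumptions constructed for the illustration. It puts the vulnerable rendering (stored value interpolated unescaped) beside the hardened one (value HTML-escaped at output time), and includes a small regression check that flags any element other than the expected wrapper in the rendered fragment.

```python
import html
import re

# Constructed sample input of the kind the report describes: a profile name
# that is really an SVG element with an event handler (not taken from
# Pontoon's test suite).
REPORTED_NAME = '<svg/onload=prompt("XSS")>'


def sanitize_name_on_save(name: str, max_len: int = 64) -> str:
    """Hypothetical stand-in for 'sanitize first_name during saving'.

    A display name never legitimately needs angle brackets, so they are
    dropped before the value reaches the database; the length cap limits
    how much attacker-controlled text is stored at all.
    """
    cleaned = name.strip()
    cleaned = re.sub(r"[<>]", "", cleaned)
    return cleaned[:max_len]


def nospam(value: str) -> str:
    """Hypothetical stand-in for an output-side template filter.

    Escaping at render time is the layer that actually prevents stored XSS:
    it also covers names written to the database before the save-time
    filter existed. quote=True escapes " and ' so the value is safe inside
    attribute values as well as element content.
    """
    return html.escape(value, quote=True)


def render_profile_unsafe(stored_name: str) -> str:
    """The vulnerable pattern: the stored value is interpolated verbatim,
    so a name containing markup becomes live DOM for every viewer."""
    return f'<span class="user-name">{stored_name}</span>'


def render_profile(stored_name: str) -> str:
    """The hardened pattern: same wrapper, value passed through nospam."""
    return f'<span class="user-name">{nospam(stored_name)}</span>'


# Regression check for the template output: the fragment must consist of the
# known wrapper only, with no tag characters inside it.
_WRAPPER = re.compile(r'^<span class="user-name">(?P<inner>.*)</span>$', re.S)


def has_injected_markup(fragment: str) -> bool:
    """True if the rendered fragment contains anything but the expected wrapper."""
    m = _WRAPPER.match(fragment)
    if m is None:
        return True
    inner = m.group("inner")
    return "<" in inner or ">" in inner


if __name__ == "__main__":
    unsafe = render_profile_unsafe(REPORTED_NAME)
    safe = render_profile(REPORTED_NAME)
    print("unsafe :", unsafe, "| injected:", has_injected_markup(unsafe))
    print("escaped:", safe, "| injected:", has_injected_markup(safe))
    print("stored :", sanitize_name_on_save(REPORTED_NAME))
```

The save-time filter alone is not enough (it does nothing for rows that already exist, and any future input path that bypasses it reintroduces the bug), which is why the render-time escape is the layer a reviewer should insist on; the save-time filter is defence in depth.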
Updated•9 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 3•9 years ago
Muhammed, thank you so much for reporting this!
I don't know if https://pontoon.mozilla.org/ is part of the bug bounty program, so I'm NIing Al and Daniel who can help us figure it out.
Flags: needinfo?(jot)
Flags: needinfo?(dveditz)
Flags: needinfo?(abillings)
Comment 4•9 years ago
putting it on the bounty nomination review list
Flags: sec-bounty?
Flags: needinfo?(dveditz)
Flags: needinfo?(abillings)
Comment 5•9 years ago
Commits pushed to master at https://github.com/mozilla/pontoon
https://github.com/mozilla/pontoon/commit/1994ca599dd7231a8baf44b7d96143805d277a21
Fix bug 1258774. Added tests for the nospam template filter and the save-user-name view.
https://github.com/mozilla/pontoon/commit/221c3b50ff64ba0f87a8bb24acf913e675ca9202
Merge pull request #368 from jotes/bug_1258774_tests
Fix bug 1258774. Added tests for the nospam template filter and the s…
Comment 6•9 years ago
From what I see on the wiki, stored XSS qualifies as sec-critical:
https://wiki.mozilla.org/Security_Severity_Ratings
Keywords: sec-critical
Comment 7•9 years ago (Reporter)
Are there any updates?
Comment 8•9 years ago
Bug Bounty Committee: We aren't familiar with this site or what it is. That affects the security rating.
Note: This site is not normally eligible for bounties as it isn't on the list in the FAQ.
Comment 9•9 years ago (Reporter)
I can see "Additionally, Mozilla services that handle reasonably sensitive user data such as Sync and Hello are in scope for the bug bounty program."
https://pontoon.mozilla.org/ has many users whose data it holds, and it also logs in through the "https://login.persona.org/" API, which can be used to log in to most of the Mozilla apps.
Comment 10•9 years ago
Please send email to security@mozilla.org if you want to discuss this further.
If a site isn't explicitly on the list of sites covered in the bounty program, then we normally will not pay bounties for those sites unless the issue is exceptionally bad. Simply asserting that it should be covered does not change this, which is why we publish a list in the first place.
See https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs
We need more feedback from the developer about this site to understand the scope of the danger.
Comment 11•9 years ago (Reporter)
I think it has an extremely bad effect because all users will be affected by one single attack; the pop-up appears to all registered users on this site.
I think you should see the PoC or try the bug.
Comment 12•9 years ago (Reporter)
Pop up*^
Comment 13•9 years ago
Pontoon is an internal localization tool, used by most Mozilla localization teams. Currently, there are 852 registered users.
Let me know if you need any other info about the site.
Flags: needinfo?(m)
Comment 14•9 years ago (Reporter)
I think mathjazz strengthens my point of view.
Comment 15•9 years ago (Reporter)
Are there any updates?!
Flags: needinfo?(m)
Flags: needinfo?(abillings)
Comment 17•9 years ago
Any updates on fixes will appear in this bug. If there are no comments, there are no updates.
We are waiting on Adam Muntner to determine the security rating of this issue before a final decision is made about whether it is eligible for a bounty. As previously stated, this site is not normally on the list of eligible sites.
Flags: needinfo?(abillings)
Updated•9 years ago
Flags: sec-bounty? → sec-bounty+
Keywords: sec-critical, wsec-xss
Comment 18•9 years ago (Reporter)
Hello,
I am sorry for that, but I am not seeing my name in the Mozilla Hall of Fame for the first quarter:
https://www.mozilla.org/en-US/security/bug-bounty/hall-of-fame/
If it's OK, I would like to be added as "Muhammed Gamal Fahmy".
Thanks :)
Updated•4 years ago
Flags: needinfo?(amuntner)
Updated•4 years ago
Product: Webtools → Webtools Graveyard
Updated•10 months ago
Keywords: reporter-external