Closed
Bug 1264172
Opened 9 years ago
Closed 9 years ago
https://crash-stats.mozilla.com Reflected XSS via SuperSearch API
Categories: Websites :: Other, defect
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 1263421
People: Reporter: seantmelia, Unassigned
Details: Keywords: reporter-external, sec-high, wsec-xss; Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Attachments (1 file): 601.21 KB, image/png
The crash-stats.mozilla.com subdomain is vulnerable to reflected cross-site scripting via the date parameter with the following payload: <script>prompt(document.domain)</script>
1. Visit https://crash-stats.mozilla.com/api/SuperSearch/?product=Firefox&version=46.0b10&date=%3E%3d2016-04-05%3Cscript%3Eprompt%28document.domain%29%3C/script%3E&date=%3C2016-04-13&_histogram.date=version&_results_number=0
Flags: sec-bounty?
Comment 1 • 9 years ago
Thanks for your report Sean.
I don't see the response rendering in an executable context in the browser, just an error:
{"error": "Bad value for parameter date: \"2016-04-05<script>prompt(document.domain)</script>\" is not a valid datetime"}
Are you seeing something more than this?
Flags: needinfo?(amuntner)
Comment 2 • 9 years ago (Reporter)
Looks like this was fixed silently. Content type in the response changed from html to json...
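To make the mechanism in the report and in Comment 2 concrete, the following Python is an added example, not Socorro's code: a hypothetical "before" handler that reflects the invalid `date` operand into a `text/html` body beside a hardened handler that declares `application/json`, sets `X-Content-Type-Options: nosniff` and additionally escapes `<`/`>` inside JSON strings. The filter syntax (`>=2016-04-05`), the handler names and the `reflection_is_exploitable` check are assumptions for illustration; the sample inputs are constructed, not captured traffic.

```python
import json
from datetime import datetime
from html import escape

# Constructed sample inputs (assumption: SuperSearch-style "<op><date>" filters).
PAYLOAD_DATE = '>=2016-04-05<script>prompt(document.domain)</script>'
GOOD_DATE = '<2016-04-13'


def split_operator(value):
    """Split a filter such as '>=2016-04-05' into (operator, operand)."""
    for op in ('>=', '<=', '>', '<'):
        if value.startswith(op):
            return op, value[len(op):]
    return '=', value


def parse_date_filter(value):
    """Strict parse; raises ValueError carrying the rejected operand."""
    op, operand = split_operator(value)
    try:
        return op, datetime.strptime(operand, '%Y-%m-%d')
    except ValueError:
        raise ValueError(operand) from None


def error_message(param, operand):
    return 'Bad value for parameter %s: "%s" is not a valid datetime' % (param, operand)


def vulnerable_response(param, value):
    """Hypothetical 'before': JSON error text served as text/html.
    json.dumps escapes the quotes but leaves '<' and '>' untouched, so a
    browser parses the reflected <script> element as markup."""
    try:
        parse_date_filter(value)
        return 200, {'Content-Type': 'text/html'}, 'ok'
    except ValueError as exc:
        body = json.dumps({'error': error_message(param, str(exc))})
        return 400, {'Content-Type': 'text/html'}, body


def hardened_response(param, value):
    """Hardened: declare JSON, forbid MIME sniffing, and escape '<' and '>'
    inside JSON strings (still valid JSON; json.loads yields the same text)."""
    headers = {'Content-Type': 'application/json; charset=utf-8',
               'X-Content-Type-Options': 'nosniff'}
    try:
        parse_date_filter(value)
        return 200, headers, json.dumps({'hits': [], 'total': 0})
    except ValueError as exc:
        body = json.dumps({'error': error_message(param, str(exc))})
        body = body.replace('<', '\\u003c').replace('>', '\\u003e')
        return 400, headers, body


def html_error_response(param, value):
    """If the error genuinely had to be rendered as HTML, the fix is output
    encoding of the untrusted operand instead of a content-type change."""
    try:
        parse_date_filter(value)
        return 200, {'Content-Type': 'text/html'}, '<p>ok</p>'
    except ValueError as exc:
        body = '<p>%s</p>' % escape(error_message(param, str(exc)), quote=True)
        return 400, {'Content-Type': 'text/html'}, body


def reflection_is_exploitable(status, headers, body):
    """Triage check for a captured response: an unescaped '<script' in a body
    the browser will treat as HTML (declared text/html, or undeclared and
    sniffable because nosniff is absent)."""
    ctype = headers.get('Content-Type', '').split(';')[0].strip().lower()
    nosniff = headers.get('X-Content-Type-Options', '').strip().lower() == 'nosniff'
    rendered_as_html = ctype == 'text/html' or (ctype == '' and not nosniff)
    return rendered_as_html and '<script' in body.lower()
```

Run against the constructed payload, `vulnerable_response` reproduces the symptom from the report (HTML content type, literal `<script>` in the body) and `hardened_response` produces the JSON error quoted in Comment 1 with a content type the browser will not render; `reflection_is_exploitable` flags the first and clears the second. The `\u003c` escaping is defence in depth for the case where the JSON is later inlined into an HTML page.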
Comment 3 • 9 years ago
Sean,
Thanks again for the report.
I checked the repo on Github, discussion about the change is here: https://github.com/mozilla/socorro/pull/3287
I checked page accesses, the developer didn't visit the bug.
Keep an eye on the FAQ page, I made a pull req today to update the eligible host list for the bounty program. Once the site maintainers approve it, it'll be up. https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/
Group: websites-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → FIXED
Comment 4 • 9 years ago (Reporter)
I'm a little confused by this. Just because the developer didn't visit the page doesn't mean he wasn't given this information. He could have seen the logs on the server and noticed this issue. He pushed out a fix the day after I reported this bug. Is this eligible for a bounty or no?
Comment 5 • 9 years ago
Sean/Adam: The bug was fixed during a big overhaul that was sparked while fixing another XSS in the same app reported a couple days before. See Bug #1263421 for details on that. This should help explain the concerns above, just very close timing on the submissions (~3 days apart). The PR adam mentions above was the final PR of two attempts to fix this, original PR was this (https://github.com/mozilla/socorro/pull/3286).
Resolution: FIXED → DUPLICATE
Updated • 9 years ago
Flags: needinfo?(amuntner)
Comment 6 • 9 years ago (Reporter)
Okay thanks for the clarification.
Updated • 1 year ago
Keywords: reporter-external