Possible stored(persistent) XSS Vulnerability in thimble.mozilla.org
(Reporter: ediskonstantini, Assigned: gideon)

({sec-high, wsec-xss})

Bug Flags:
sec-bounty -

(Whiteboard: [reporter-external] [web-bounty-form] [verif?], URL)

(2 attachments)

2 years ago
Created attachment 8747560 [details]
This attachment shows clearly that the XSS would have worked in the victim's browser. All we need to do is copy the malicious published project URL and make the victim click on it.

Hello Mozilla Security team

I'd like to let you know about a potentially harmful stored/persistent XSS vulnerability in thimble.mozilla.org. This domain is used for publishing projects, so publishing harmful projects may result in compromising victims.
Steps to reproduce the issue:

1) Sign in to thimble.mozilla.org with a webmaker account.
2) After that, click on index.html.
3) Now you are supposed to see the basic HTML code that shows: Welcome to Thimble Make something ... web
4) Now on row 14, edit the "make something" text to an XSS payload vector; the one I tested was: "><img src=a onerror=prompt(0);>
5) An XSS will fire after it reflects on the right side.
6) The domain that shows is mozillathimblelivepreview.net; I assume this is a sub-domain, therefore it should be less critical/harmful.
7) We can exploit this XSS by publishing the project and sending the malicious URL to a victim.
8) In my case, the published URL was https://thimbleprojects.org/testxss1/61221/

I tested it both on Mozilla Firefox (latest version) and Google Chrome, and it worked successfully.
I've attached 2 screenshots as proof of concept of this issue.
If you are going to create a ticket in Bugzilla, please assign me there as well so I can contribute. I hope it will be eligible for a bounty as it is pretty risky!

Kind regards,
Edis Konstantini
Flags: sec-bounty?

Comment 1

2 years ago
Created attachment 8747561 [details]

This is the attachment showing it on a sandbox domain, but after the vulnerable project is published it pops up from thimbleprojects.org (which I doubt is a sandbox domain).

Comment 2

2 years ago
Just a reminder:
OS: Windows 8.1 64-bit
Browsers: Mozilla Firefox version 45.0.2 and Google Chrome version 49.0.2623.112 m

If you have any problems in reproducing the vulnerability, just let me know. I'd be more than happy to assist you! Thanks!

Thanks for reporting,

needinfo to myself to find site contact and handle bug today
Flags: needinfo?(amuntner)

Comment 4

2 years ago
Alright Adam. Also, for remediation / a possible fix I'd advise:

User input should be HTML-encoded at any point where it is copied into application responses. 
All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).

Let me know if there's any other way I can help contribute to fixing this bug.
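An added example of the HTML-entity encoding suggested in the comment above (not code from the Thimble project or from the reporter): `escapeHtml`, `renderHeading` and `containsInjectedTag` are hypothetical names, the heading template is constructed, and the unsafe variant is included only to show the difference against the payload quoted in the report.

```javascript
// Added example (not Thimble's code): HTML-entity encoding of untrusted text
// before it is copied into an HTML response, as suggested in the comment above.
// Encodes the metacharacters listed there (< > " ' =) plus &, which must also be
// encoded so that already-encoded text cannot be decoded back into markup.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '=': '&#x3D;',
};

// Replace every metacharacter with its entity; everything else passes through.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'=]/g, (ch) => HTML_ENTITIES[ch]);
}

// Constructed page template with user-controlled heading text interpolated.
// Vulnerable form: raw interpolation, which is what step 4 of the report exercises.
function renderHeadingUnsafe(text) {
  return `<h1>${text}</h1>`;
}

// Hardened form: the same template with the text entity-encoded first.
function renderHeading(text) {
  return `<h1>${escapeHtml(text)}</h1>`;
}

// Regression check: true when a rendered heading contains a tag other than the
// template's own <h1>, i.e. when user text was parsed as markup.
function containsInjectedTag(html) {
  const body = html.replace(/^<h1>/, '').replace(/<\/h1>$/, '');
  return /<[a-z!/?]/i.test(body);
}

// Constructed sample input: the payload quoted in the report.
const PAYLOAD = '"><img src=a onerror=prompt(0);>';
// escapeHtml(PAYLOAD) → &quot;&gt;&lt;img src&#x3D;a onerror&#x3D;prompt(0);&gt;
```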


Comment 5

2 years ago
Hey Adam, 

I hope you are doing well. I did some research and found out that thimble.mozilla.org is coded by gideonthomas, I think he might be the responsible contact to handle the bug. https://github.com/mozilla/thimble.mozilla.org 

I hope that helps! Thank you in advance. I look forward to hearing from you soon.
Thanks ediskonstantini

Gideon, can you please take a look at this bug?
When there is a patch on github, please provide a link to the checkin. Let me know if you need help with the issue.
Ever confirmed: true
Flags: needinfo?(amuntner) → needinfo?(gideon)
Keywords: sec-high, wsec-xss
Assignee: nobody → gideon


2 years ago
Flags: needinfo?(gideon)
Thanks for filing the bug Edis!

This isn't a security issue though, because we actually allow JavaScript in Thimble projects. The scripts are executed on separate domains from the Thimble app, preventing the theft of data stored there.

You'll notice that the projects execute in "mozillathimblelivepreview.net" when editing and "thimbleprojects.org" when published, both of which are used only for displaying projects, not for storing session or user data.

We definitely would love to know if you can execute scripts on the thimble.mozilla.org domain though, if you can find a bug like that, we would love to hear about it!
It should be noted that thimbleprojects.org is indeed a sandbox domain.

Comment 9

2 years ago
Hey Chris,

Yes, you are right. Though, I was thinking that thimbleprojects.org was indeed an actual domain (not a sandbox) of Mozilla. However, I've tried whether I can execute XSS on thimble.mozilla.org but it was unsuccessful. So, I guess there will be no fix required on this issue? Am I correct? Or are you just going to implement some kind of filter in order to prevent the XSS firing in thimbleprojects.org?

There will be no fix here, because allowing execution of scripts on thimbleprojects.org is a feature :)

Comment 11

2 years ago
Alright, thank you for responding to this issue anyway. Have a nice weekend :)!
And you too!
Last Resolved: 2 years ago
Resolution: --- → WONTFIX
Minusing for security bounty as this is not an actual security issue.
Group: websites-security
Flags: sec-bounty? → sec-bounty-