Created attachment 8747560 [details] In this attachment it shows clearly that the XSS would've worked in the victim's browser. All we need to do is copy and make the victim click on the malicious published project URL.

Hello Mozilla Security team,

I'd like to let you know about a potentially harmful stored/persistent XSS vulnerability in thimble.mozilla.org. This domain is used for publishing projects, so publishing harmful projects may result in compromising victims.

Steps to reproduce the issue:
1) Sign in to thimble.mozilla.org with a Webmaker account.
2) After that, click on index.html.
3) Now you are supposed to see the basic HTML code that shows: Welcome to Thimble Make something ... web
4) Now, on row 14, edit the "make something" to an XSS payload. The vector which I tested was: "><img src=a onerror=prompt(0);>
5) The XSS will fire after it reflects on the right side.
6) The domain that shows is mozillathimblelivepreview.net. I assume this is a sub-domain, therefore it should be less critical/harmful.
7) We can exploit this XSS by publishing the project and sending the malicious URL to a victim.
8) In my case, the published URL was https://thimbleprojects.org/testxss1/61221/

I tested it both on Mozilla Firefox (latest version) and Google Chrome, and it worked successfully. I've attached 2 screenshots as proof of concept of this issue. If you are going to create a ticket in Bugzilla, please assign me there as well so I can contribute. I hope it will be eligible for a bounty as it is pretty risky!

Kind regards,
Edis Konstantini
Created attachment 8747561 [details] XSSvulnThimble1.jpg This is the attachment showing it as a sandbox domain, but after the vulnerable project is published it pops up from thimbleprojects.org (which I doubt is a sandbox domain).
Just reminding, OS: Windows 8.1 64-bit. Browsers: Mozilla Firefox version 45.0.2 and Google Chrome version 49.0.2623.112 m. If you have any problems in reproducing the vulnerability, just let me know. I'd be more than happy to assist you! Thanks!
Thanks for reporting, needinfo to myself to find site contact and handle bug today
Alright Adam, also for remediation / a possible fix I'd advise: user input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.). Let me know if there's any other way I can help contribute to fixing this bug. Thanks! Edis
Hey Adam, I hope you are doing well. I did some research and found out that thimble.mozilla.org is coded by gideonthomas, I think he might be the responsible contact to handle the bug. https://github.com/mozilla/thimble.mozilla.org https://github.com/gideonthomas I hope that helps! Thank you in advance. I look forward to hearing from you soon.
Thanks ediskonstantini. Gideon, can you please take a look at this bug? When there is a patch on GitHub, please provide a link to the checkin. Let me know if you need help with the issue.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(amuntner) → needinfo?(gideon)
Keywords: sec-high, wsec-xss
It should be noted that thimbleprojects.org is indeed a sandbox domain.
Hey Chris, yes, you are right. Though, I was thinking that thimbleprojects.org was indeed an actual domain (not sandbox) of Mozilla. However, I've tried whether I can execute XSS on thimble.mozilla.org, but it was unsuccessful. So, I guess there will be no fix required on this issue? Am I correct? Or are you just going to implement some kind of filter in order to prevent the XSS firing in thimbleprojects.org? Thanks!
There will be no fix here, because allowing execution of scripts on thimbleprojects.org is a feature :)
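The two defenses discussed in this thread are worth seeing side by side: the HTML-entity encoding suggested in the remediation comment, which applies wherever user text is rendered into the application's own pages, and the origin separation that makes script execution on a sandbox domain like thimbleprojects.org acceptable (the sandbox origin cannot read thimble.mozilla.org cookies or DOM). The block below is an added illustration, not code from this bug thread or the Thimble project. The payload string and the two URLs come from the report; the function names `escapeHtml`, `renderTitle` and `sameOrigin` are assumptions chosen for the example.

```javascript
// Added example, not from the Thimble project: encode untrusted text before it
// is placed into an HTML response, and check whether two URLs share an origin.

// Every metacharacter the remediation comment lists, plus "&" so that encoded
// output cannot be re-interpreted as an entity.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "=": "&#x3D;",
};

// Replace each metacharacter with its entity. Safe for text nodes and for
// double-quoted attribute values; URL and JavaScript contexts need their own
// encoders and are not covered here.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'=]/g, (ch) => HTML_ENTITIES[ch]);
}

// The way a server-side template would render a project title into the
// application's own page (the case where encoding is required).
function renderTitle(title) {
  return `<h1>${escapeHtml(title)}</h1>`;
}

// True when two URLs share scheme, host and port. Content served from a
// different origin is subject to the same-origin policy: scripts running there
// cannot read the application's cookies, storage or DOM, which is why running
// user-authored script on a separate sandbox domain is a feature rather than a bug.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Payload from the report (constructed input for this demonstration).
const PAYLOAD = '"><img src=a onerror=prompt(0);>';

// Run both checks and return the results rather than only printing them.
function demo() {
  const escaped = escapeHtml(PAYLOAD);
  return {
    escaped,
    // After encoding no tag or attribute delimiter survives in the output.
    rawDelimitersRemain: /[<>"'=]/.test(escaped),
    renderedTitle: renderTitle(PAYLOAD),
    // The published project URL from the report versus the application origin.
    sandboxIsolated: !sameOrigin(
      "https://thimbleprojects.org/testxss1/61221/",
      "https://thimble.mozilla.org/"
    ),
  };
}

console.log(demo());
```

`escapeHtml` is the fix for the case the reporter was worried about (user text landing in a thimble.mozilla.org response); `sameOrigin` shows the check behind the WONTFIX decision: the published project lives on a different origin, so script there gets no access to the application's session.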
Alright, thank you for responding to this issue anyway. Have a nice week-end :)!
And you too!
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX
Minusing for security bounty as this is not an actual security issue.
Flags: sec-bounty? → sec-bounty-