Closed Bug 1277857 Opened 8 years ago Closed 8 years ago

XSS on transvision.mozfr.org

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: claudijd, Assigned: pascalc)

References

Details

See Also: → 1277512
pierros: Including you on this bug because I have you as the community sec PoC.

pascal: Including you because I see you're active on the project and fixed previous XSS issues in this application (RE: https://github.com/mozfr/transvision/issues/676) and our work together on Bug #1277512.
Flags: needinfo?(pierros)
Flags: needinfo?(pascalc)
Clearing NI's, unable to reproduce the bug ATM.
Flags: needinfo?(pierros)
Flags: needinfo?(pascalc)
Status: NEW → UNCONFIRMED
Ever confirmed: false
Griffin: I have not been able to reproduce this bug. Perhaps it was identified before the fixes for Bug #127751 were implemented? If not, can you please include some more details about where the bug is.

REQUEST

GET /?locale=fr&repo=release&recherche=Don%27t&jsonuy1ai%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3Erebpy HTTP/1.1
Host: transvision.mozfr.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: _pk_id.8.557e=d40f91bdb24f5534.1464876823.2.1464884424.1464884418.
Connection: close
Upgrade-Insecure-Requests: 1

RESPONSE

HTTP/1.1 200 OK
Date: Fri, 03 Jun 2016 14:31:07 GMT
Server: Apache/2.4.10 (Debian)
Transvision-perf: Memory: 19922944 (19MB); Time: 0.1905s
Cache-Control: max-age=604800
Expires: Fri, 10 Jun 2016 14:31:07 GMT
Vary: Accept-Encoding
Content-Length: 514949
Connection: close
Content-Type: text/html; charset=UTF-8

...SNIP...
    <a href="/?locale=fr&repo=release&recherche=Don&amp;#39;t&jsonuy1ai&amp;#34;&amp;#62;&amp;#60;script&amp;#62;alert(1)&amp;#60;/script&amp;#62;rebpy=&json=true&locale=en-US&sourcelocale=fr">en-US</a> or
    <a href="/?locale=fr&repo=release&recherche=Don&amp;#39;t&jsonuy1ai&amp;#34;&amp;#62;&amp;#60;script&amp;#62;alert(1)&amp;#60;/script&amp;#62;rebpy=&json=true&locale=fr&sourcelocale=en-US">fr</a>.
...SNIP...
Flags: needinfo?(griffin.francis.1993)
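Added example, not Transvision's code: the pattern the request/response above exercises is a "switch locale" link that carries the caller's entire query string along, so an attacker-chosen parameter name ends up inside an href attribute. The Python below rebuilds that link in a defective concatenating form and in an escaped form, and adds a parser-based check usable as a regression test. The function names and the Python rewrite are assumptions; the sample query string is the one from the reported request, percent-decoded.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Constructed sample: the query string of the reported GET request, percent-decoded
# the way a web framework hands it to application code.
REPORTED_QUERY = 'locale=fr&repo=release&recherche=Don\'t&jsonuy1ai"><script>alert(1)</script>rebpy'


def locale_switch_link(query_string, target_locale, source_locale):
    """Escaped form (hypothetical rewrite): rebuild the locale link from parsed parameters.

    urlencode percent-encodes every parameter name and value, attacker-controlled unknown
    names included, and escape() entity-encodes the URL before it is placed in the href
    attribute, so the rendered attribute contains no raw ", < or >.
    """
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    params.update({"json": "true", "locale": target_locale, "sourcelocale": source_locale})
    href = "/?" + urlencode(params)
    return '<a href="%s">%s</a>' % (escape(href, quote=True), escape(target_locale))


def unsafe_locale_switch_link(query_string, target_locale, source_locale):
    """Defective form (the class of bug reported): the raw query string is concatenated
    into the attribute, so a quote inside a parameter name closes the href early."""
    return '<a href="/?%s&json=true&locale=%s&sourcelocale=%s">%s</a>' % (
        query_string, target_locale, source_locale, target_locale)


class _TagCollector(HTMLParser):
    """Records the start tags a browser would see in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(fragment):
    """Regression check: a correctly escaped locale link yields ['a'] and nothing else."""
    collector = _TagCollector()
    collector.feed(fragment)
    return collector.tags
```

The same check applies to any page fragment that echoes request data: parse the output and fail the test if a tag appears that the template did not emit itself.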
Assignee: nobody → pascalc
I can't reproduce either
I am having issues reproducing this now also. It fired within my browser this morning once and also last night. Perhaps a caching issue? Odd.

We should be able to mark this as closed.
Flags: needinfo?(griffin.francis.1993)
Closing as we can't reproduce, thanks.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME