Closed Bug 1285375 Opened 9 years ago Closed 9 years ago

flashmediaelement.swf XSS in qsurvey.mozilla.com

Categories

(Websites :: Other, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: fredrik, Unassigned)

Details

(Keywords: reporter-external, sec-moderate, wsec-xss, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Please note that I have not verified this vulnerability. The domain qsurvey.mozilla.com has a CNAME pointer to privatedomain.sgizmo.com. This gives us some intel: only US-based Surveygizmo accounts should point to privatedomain.sgizmo.com, and the account's payment plan has to be either professional or enterprise. By requesting http://qsurvey.mozilla.com/, a single redirect is made to http://www.surveygizmo.com/. This is a strong indication that you either had, or have, an inactive account on Surveygizmo. If you don't have an account, then it should be possible for anyone to sign up as a customer, pay $65 for a professional plan, and start serving surveys in the context of qsurvey.mozilla.com. As Surveygizmo allows JavaScript to be embedded in surveys, persistent XSS should be trivial. The reason I have not validated my claims is because I'm not in the US, it's late, and there's a paywall. Here are some references:

curl -I "http://qsurvey.mozilla.com/"
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: http://www.surveygizmo.com/
Connection: close

https://help.surveygizmo.com/help/article/link/adding-javascript-to-your-survey
Flags: sec-bounty?
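The reasoning in the report above (a third-party CNAME whose root URL redirects to the vendor's marketing site, suggesting no active customer account is bound to the hostname) can be turned into a routine dangling-CNAME audit. The script below is an added example, not code from this bug or from either vendor; the hostnames, DNS answers, HTTP responses and the vendor-suffix table are constructed for the demonstration and would be replaced by live DNS and HTTP lookups in practice.

```python
from urllib.parse import urlsplit

# Constructed sample data: CNAME answers per hostname and the HTTP status plus
# Location header each hostname returns for "/", mirroring the curl output above.
DNS_CNAMES = {
    "qsurvey.example.org": "privatedomain.sgizmo.com",
    "survey2.example.org": "privatedomain.sgizmo.com",
    "docs.example.org": None,                        # A record only, no CNAME
    "old.example.org": "privatedomain.sgizmo.com",
}
HTTP_RESPONSES = {
    "qsurvey.example.org": (301, "http://www.surveygizmo.com/"),
    "survey2.example.org": (200, None),
    "old.example.org": None,                         # no answer at all
}

# Assumed mapping: vendor hosting suffix -> marketing host an unbound
# hostname is redirected to. Extend with each SaaS vendor in use.
VENDOR_SUFFIXES = {
    ".sgizmo.com": "www.surveygizmo.com",
}


def classify(host, cname, response):
    """Return (risk, reason) for one hostname given its CNAME and root response."""
    if not cname:
        return ("ok", "no third-party CNAME")
    vendor = next((v for sfx, v in VENDOR_SUFFIXES.items() if cname.endswith(sfx)), None)
    if vendor is None:
        return ("review", f"CNAME to unlisted third party {cname}")
    if response is None:
        return ("high", f"CNAME to {cname} but target unreachable (dangling record)")
    status, location = response
    # A redirect to the vendor's own marketing site means the vendor does not
    # recognise this hostname as belonging to an active customer account.
    if 300 <= status < 400 and location and urlsplit(location).hostname == vendor:
        return ("high", f"{cname} redirects {host} to {vendor}: no active account bound")
    return ("low", f"served by {cname}; account active, track vendor patch level")


def audit(cnames, responses):
    """Classify every hostname; returns {host: (risk, reason)}."""
    return {h: classify(h, c, responses.get(h)) for h, c in cnames.items()}


if __name__ == "__main__":
    for host, (risk, reason) in audit(DNS_CNAMES, HTTP_RESPONSES).items():
        print(f"{risk:6} {host}: {reason}")
```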
As a side note, having the domain in this state makes you vulnerable to unauthenticated reflected XSS. This is due to Surveygizmo running an old version of WordPress that is vulnerable to CVE-2016-4567, which in turn affects you: https://qsurvey.mozilla.com/wp-includes/js/mediaelement/flashmediaelement.swf?jsinitfunctio%gn=alert%601%60
Confirmed the XSS risk in Chrome, didn't work in Firefox FWIW. Greg: Looks like we have (1) another XSS issue in Survey Gizmo, which we need to alert them about, and (2) a potential domain takeover vulnerability based on Fredrik's claims. Could you also confirm whether we're still using them as a vendor? If not, we might be able to more quickly solve this by removing the DNS entries for this.
Flags: needinfo?(glind)
The domain is still owned and in active use, see for example this recent survey: https://qsurvey.mozilla.com/s3/cfr-feedback So I don't think there are any concerns about a domain takeover. That said, SurveyGizmo has had problems like this before, and they don't seem to be that concerned with information security. See bug 1199972 and others before it.
Changing the summary because the domain takeover part is a non-worry at this point.
Summary: Potential Domain Takeover @ qsurvey.mozilla.com → flashmediaelement.swf XSS in qsurvey.mozilla.com
Even though this is a Survey Gizmo bug, we're awarding a bug bounty as a thanks for making us and all their customers safer by reporting this. Jeff: do we have a policy about vendors who don't keep their software up to date?
Flags: sec-bounty?
Flags: sec-bounty+
Flags: needinfo?(jbryner)
Jason: do you know who owns the relationship with Survey Gizmo? We'd like to discuss web security with them to encourage them to up their game.
Flags: needinfo?(jbryner) → needinfo?(jbradford)
Jeff: it was my impression this was :glind based on prior bug history (currently NI'd)
Reached out to support@surveygizmo.com to report the XSS directly.
Support case #630715 has been opened with them.
Gregg Lind is who I have as the contact for SurveyGizmo.
Flags: needinfo?(jbradford)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Emailed Gregg and asked for a human point of contact at Surveygizmo to find someone I could talk to directly there about our bugs.
I will do so! Sorry I missed previous NI on this!
Flags: needinfo?(glind)
(adding Tyler Downer who is doing a lot more SG point of contact work these days)
Flags: needinfo?(tdowner)
I e-mailed SG, with several of the people in this bug CC'd, asking for a permanent POC for sec issues.
Flags: needinfo?(tdowner)
SG says to use support@surveygizmo.com to contact them. You should receive replies in 24 hours or less. I have a currently open thread that we can respond to at this time; please reply to that thread.
Vendor addressed reported issue
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: websites-security