Verified the contents of crossdomain.xml's...

https://partners.mozilla.org/crossdomain.xml
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="80,443,8100,8080"/>
  <allow-http-request-headers-from domain="*" headers="SOAPAction,Authorization"/>
</cross-domain-policy>

https://events.mozilla.org/crossdomain.xml
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="80,443,8100,8080"/>
  <allow-http-request-headers-from domain="*" headers="SOAPAction,Authorization"/>
</cross-domain-policy>
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-low, wsec-crossdomain
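The two policies quoted above are the classic over-permissive crossdomain.xml: a wildcard allow-access-from lets Flash content served from any origin read responses from the site with the victim's cookies, and the wildcard allow-http-request-headers-from additionally lets it attach an Authorization header. A small audit script makes that concrete. This is an added example, not part of the bug or Mozilla's tooling; it parses the policy with the standard library, flags the wildcard entries, and compares the reported policy against a constructed hardened one (the cdn.example.org origin is made up).

```python
"""Audit a Flash crossdomain.xml policy for over-permissive settings.

Findings mirror the issues in the bug: a wildcard allow-access-from and a
wildcard allow-http-request-headers-from carrying Authorization.
"""
import xml.etree.ElementTree as ET

# Policy body as quoted in the bug for partners.mozilla.org / events.mozilla.org.
REPORTED_POLICY = (
    '<cross-domain-policy>'
    '<allow-access-from domain="*" to-ports="80,443,8100,8080"/>'
    '<allow-http-request-headers-from domain="*" headers="SOAPAction,Authorization"/>'
    '</cross-domain-policy>'
)

# Constructed hardened policy (not from the bug): one named origin, HTTPS only,
# master policy only, and no cross-origin request headers at all.
HARDENED_POLICY = (
    '<cross-domain-policy>'
    '<site-control permitted-cross-domain-policies="master-only"/>'
    '<allow-access-from domain="cdn.example.org" secure="true"/>'
    '</cross-domain-policy>'
)


def _is_wildcard(domain):
    # A bare "*" matches every origin; "*.example.org" is scoped to subdomains
    # and is reported at lower severity below.
    return domain.strip() == "*"


def audit_crossdomain(policy_xml):
    """Return a list of (severity, message) findings for a crossdomain.xml body."""
    # For policies fetched from untrusted hosts prefer defusedxml; the stdlib
    # parser is adequate for the embedded samples here.
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is not <cross-domain-policy>")]

    findings = []
    for elem in root.findall("allow-access-from"):
        domain = elem.get("domain", "")
        secure = elem.get("secure", "true").lower()
        if _is_wildcard(domain):
            findings.append(("high",
                             'allow-access-from domain="*": any site\'s Flash content '
                             "can read authenticated responses (CSRF token theft, data theft)"))
        elif domain.startswith("*."):
            findings.append(("medium", f"allow-access-from wildcard subdomain {domain}"))
        if secure == "false":
            findings.append(("medium",
                             f'secure="false" for {domain or "?"}: plain-HTTP origins may use an HTTPS policy'))

    for elem in root.findall("allow-http-request-headers-from"):
        domain = elem.get("domain", "")
        headers = [h.strip() for h in elem.get("headers", "").split(",") if h.strip()]
        if _is_wildcard(domain):
            findings.append(("high",
                             f'allow-http-request-headers-from domain="*" permits headers {headers}'))
        if "*" in headers or any(h.lower() == "authorization" for h in headers):
            findings.append(("high", "cross-origin Authorization header permitted"))
    return findings


def is_permissive(policy_xml):
    """True when the policy has at least one high-severity finding."""
    return any(sev == "high" for sev, _ in audit_crossdomain(policy_xml))


if __name__ == "__main__":
    for name, policy in (("reported", REPORTED_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "permissive" if is_permissive(policy) else "ok")
        for sev, msg in audit_crossdomain(policy):
            print("  ", sev, "-", msg)
```

Run against the reported policy it produces three high findings (wildcard access, wildcard header origin, Authorization allowed); the hardened policy produces none. The same check works as a periodic scan of `/crossdomain.xml` on each owned hostname, which is how a forgotten vendor-hosted site like the ones in this bug gets caught before a researcher does.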
Hi, I noticed you designated this as sec-low, which surprised me a bit. However, I don't really know the affected domains and their userbase, but just to make sure that we're on the same page here: Would an XSS/CSRF vulnerability on the authenticated zone of these domains also have been designated as sec-low? The impact from this vulnerability is very similar: Confidentiality (sensitive data theft, e.g. via XSS) and Integrity (CSRF bypass, e.g. via CSRF token theft) are both compromised completely. Cheers, Arne https://www.arneswinnen.net PS: Here's another good reference on the crossdomain.xml subject, by the author of the SWF POC tool himself: https://thehackerblog.com/crossdomain-xml-proof-of-concept-tool/index.html
I'm looking into what is exactly on these sites, if it turns out to be more critical than at first glance I'll up the rating.
Spoke to liz via IRC, she said Ty is the new admin for these.
Ty: can you have a peek at this issue? I don't have credentials on this site, so it's hard to understand impact for context.
Caught up with Ty on IRC to understand the context better...

partners.mozilla.org
- Site is externally hosted with a vendor NetX, used for images/artwork delivery for partners
- We believe the site is mostly inactive at this time
- Ty is double checking to make sure before we request the DNS be pulled
- Auth is local auth only (so we don't expect any pivoting risk here if a cred was snagged)

events.mozilla.org
- Site is externally hosted with a vendor NetX, used for images/artwork delivery
- It's possible it's inactive, but that is less clear than partners
- Ty is double checking to see if we can just decom it
- Auth is anonymous by default

Now knowing the above, I think the severity level of sec-low is still appropriate.
Fully agreed - I didn't have any context, was hoping for a real juicy partner portal, full of PII and financial data of course :-). Thanks for investigating, much appreciated. Arne
Arne: thanks for all the submissions; anytime we can identify a site that exists that is no longer being used, it's a big win (one less thing to secure). Appreciated!
Ty is having some auth issues right now, but asked me to make note that he's reached out to the vendor and asked them to remove the crossdomain.xml references.
Assignee: nobody → tflanagan
Status: NEW → ASSIGNED
I'm marking this as sec-bounty-, due to a combination of its low impact, being a 3rd party site and not on our bug bounty list. Nevertheless, thank you for reporting this to us, as always. We really appreciate it, Arne!
Flags: sec-bounty? → sec-bounty-
It appears that, at least at some point after this was filed, they removed these files.
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED