Detection of local files at https://testpilot.firefox.com

RESOLVED INVALID

Status

RESOLVED INVALID
2 years ago
2 years ago

People

(Reporter: saurabh.banawar, Unassigned)

Tracking

unspecified
Bug Flags:
sec-bounty -

Details

(Whiteboard: [reporter-external] [web-bounty-form] [verif?], URL)

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
1. Go to: https://testpilot.firefox.com
2. Attach a local proxy to the browser.
3. Click on "Install the Test Pilot Add-on".
4. The HTTP request goes to: https://testpilot.firefox.com/static/addon/addon.xpi
5. Intercept the response to this request.
6. Observe that server-side module and file names are disclosed in the body of the response.

Mitigation:
To mitigate this, the source code for installing the Test Pilot add-on should not hard-code these file names.
Flags: sec-bounty?
(Reporter)

Updated

2 years ago
Duplicate of this bug: 1334808
Please post the details of the data being disclosed.
Removing the sec flag as this isn't a security issue.
Group: websites-security
Flags: sec-bounty? → sec-bounty-
(Reporter)

Comment 3

2 years ago
Created attachment 8831443 [details]
Firefox Test Pilot.png
(Reporter)

Comment 4

2 years ago
Sorry, the screenshot and PoC were not attached earlier. I don't know why.

Anyway, I have now attached a screenshot as a PoC.

The following is a list of the files disclosed, which should actually not be disclosed client-side:
1. META-INF/manifest.mf
2. node_modules/seedrandom/test/lib/
3. node_modules/seedrandom/lib/
4. node_modules/mustache/wrappers/yui3/
5. node_modules/seedrandom/.travis.yml
6. node_modules/mustache/CHANGELOG.md
7. locale/ar.properties
This is the content of the XPI, which is a ZIP file that contains the source code of the add-on. It is expected that those files will be disclosed client-side for Firefox to load them.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
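The steps in the description and the resolution in the comment above both come down to one fact: an XPI is a plain ZIP archive, and a ZIP's central directory carries every member path in cleartext, so whoever can fetch the file (or watch it pass through a proxy) can read those names without any secret. The following is an added example, not code from this bug or from the Test Pilot project. It builds a small XPI in memory from the member paths quoted in comment 4 (the file bodies are constructed placeholders), lists the members exactly as a proxy user would see them, and, as a separate packaging-hygiene check that is not a security boundary, flags paths such as test directories, .travis.yml and CHANGELOG.md that a shipped add-on rarely needs at runtime. The marker list and the helper names are assumptions for the illustration.

```python
"""Inspect the member list of an XPI (Firefox add-on package).

Added example; not code from the bug report or from Test Pilot.
An XPI is an ordinary ZIP archive. Its central directory lists every
member path in cleartext, so the file names are readable by anyone who
can download the XPI. Firefox needs that listing to load the add-on,
which is why this report was closed as INVALID.
"""
import io
import zipfile

# Constructed sample: the member paths quoted in comment 4 (directories from
# the report are represented by one placeholder file inside each). The bodies
# are dummies; only the paths matter for this demonstration.
SAMPLE_MEMBERS = {
    "META-INF/manifest.mf": "Manifest-Version: 1.0\n",
    "node_modules/seedrandom/test/lib/index.js": "// placeholder\n",
    "node_modules/seedrandom/lib/alea.js": "// placeholder\n",
    "node_modules/mustache/wrappers/yui3/mustache.js": "// placeholder\n",
    "node_modules/seedrandom/.travis.yml": "language: node_js\n",
    "node_modules/mustache/CHANGELOG.md": "# changelog placeholder\n",
    "locale/ar.properties": "placeholder=1\n",
}


def build_sample_xpi(members=SAMPLE_MEMBERS) -> bytes:
    """Return the bytes of a ZIP/XPI containing the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, body in members.items():
            zf.writestr(path, body)
    return buf.getvalue()


def list_xpi_members(xpi_bytes: bytes) -> list:
    """Return the member paths readable from the ZIP central directory.

    This is what an intercepting proxy (or a simple unzip -l) shows. No key
    or decryption step is involved: member names in a ZIP are not protected,
    and the META-INF/ signature files only attest integrity, not secrecy.
    """
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        return sorted(info.filename for info in zf.infolist())


# Hypothetical hygiene markers (an assumption of this example): paths that a
# shipped add-on rarely needs at runtime. Flagging them is about bundle size
# and tidiness, not about confidentiality; their presence is not a vulnerability.
DEV_ONLY_MARKERS = ("/test/", "/tests/", "/.travis.yml", "/CHANGELOG.md", "/.git/")


def dev_only_members(paths) -> list:
    """Return the members whose path matches one of DEV_ONLY_MARKERS."""
    return [p for p in paths if any(m in "/" + p for m in DEV_ONLY_MARKERS)]


if __name__ == "__main__":
    xpi = build_sample_xpi()
    members = list_xpi_members(xpi)
    print("members visible to anyone holding the XPI:")
    for path in members:
        print("  ", path)
    print("dev-only files that could be pruned before shipping:")
    for path in dev_only_members(members):
        print("  ", path)
```

Run against a real XPI, replace build_sample_xpi() with the bytes of the downloaded file; list_xpi_members() needs nothing else, which is the practical point of the resolution: the names are there for every client by design, so "hiding" them is not a meaningful mitigation, while pruning development-only files from the package is an ordinary build-hygiene decision.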
(Reporter)

Comment 6

2 years ago
Sorry for the false positive.