Bug 1334809
Opened 9 years ago
Closed 9 years ago
Detection of local files at https://testpilot.firefox.com
Categories: Websites :: Other, defect
Tracking: Not tracked
Status: RESOLVED INVALID
People: Reporter: saurabh.banawar, Unassigned
(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments (1 file): 163.84 KB, image/png
Description
1. Go to: https://testpilot.firefox.com
2. Attach a local proxy to the browser.
3. Click on "Install the Test Pilot Add-on".
4. The HTTP request goes to: https://testpilot.firefox.com/static/addon/addon.xpi
5. Intercept the response to this request.
6. Observe that server-side module and file names are disclosed in the body of the response.
Mitigation:
In order to mitigate it, the source code for the installation of the Test Pilot add-on should be free of hard-coded file names.
Flags: sec-bounty?
Comment 2•9 years ago
Please post the detail of the data being disclosed.
Removing sec flag as this isn't a security issue.
Group: websites-security
Flags: sec-bounty? → sec-bounty-
Sorry, the screenshot and POC were not attached earlier. I don't know why.
Anyways, I have just now attached a screenshot as a POC.
The following is a list of files disclosed which should actually not be disclosed client side:
1. META-INF/manifest.mf
2. node_modules/seedrandom/test/lib/
3. node_modules/seedrandom/lib/
4. node_modules/mustache/wrappers/yui3/
5. node_modules/seedrandom/.travis.yml
6. node_modules/mustache/CHANGELOG.md
7. locale/ar.properties
Comment 5•9 years ago
This is the content of the XPI, which is a ZIP file that contains the source code of the add-on. It is expected those files will be disclosed client side for Firefox to load them.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
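The point made in comment 5, shown as an added example (this is not code from the bug report or from the Test Pilot project): an XPI is an ordinary ZIP archive, so the names the reporter saw are entries in the archive's central directory, readable by anyone who downloads the file, and Firefox needs exactly that listing to load the add-on. The XPI below is constructed in memory from the paths quoted in the report; the file contents are placeholders and the helper names are this example's own.

```python
"""Inspect an XPI the way any client (or Firefox itself) can: as a ZIP archive.

Added example, not code from the bug or from Test Pilot. The archive built by
build_sample_xpi() is constructed here from the paths listed in the report;
its file contents are placeholders.
"""
import io
import zipfile

# Entry names quoted in the report. Trailing slashes mark directory entries.
REPORTED_PATHS = [
    "META-INF/manifest.mf",
    "node_modules/seedrandom/test/lib/",
    "node_modules/seedrandom/lib/",
    "node_modules/mustache/wrappers/yui3/",
    "node_modules/seedrandom/.travis.yml",
    "node_modules/mustache/CHANGELOG.md",
    "locale/ar.properties",
]


def build_sample_xpi(paths=REPORTED_PATHS):
    """Return the bytes of a constructed XPI (a plain ZIP) with the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            if p.endswith("/"):
                # Directory entry: a zero-length record whose name ends in '/'.
                zf.writestr(zipfile.ZipInfo(p), b"")
            else:
                zf.writestr(p, b"placeholder content\n")
    return buf.getvalue()


def is_zip(body):
    """True if an HTTP response body (or file) is a ZIP archive, i.e. a candidate XPI."""
    return zipfile.is_zipfile(io.BytesIO(body))


def list_entries(body):
    """Entry names straight from the central directory: no extraction, no code run.

    This is all the proxy screenshot in the report shows. Every XPI consumer
    gets the same list, because the archive cannot be loaded without it.
    """
    with zipfile.ZipFile(io.BytesIO(body)) as zf:
        return [info.filename for info in zf.infolist()]


def has_signature_manifest(body):
    """META-INF/manifest.mf belongs to the JAR-style signing layout used for XPIs.

    Its presence is expected packaging, not a leaked server-side file.
    """
    return "META-INF/manifest.mf" in list_entries(body)


if __name__ == "__main__":
    xpi = build_sample_xpi()
    print("is ZIP:", is_zip(xpi))
    print("signed layout:", has_signature_manifest(xpi))
    for name in list_entries(xpi):
        print(" ", name)
```

On a real download the same listing comes from `unzip -l addon.xpi` or `python -m zipfile -l addon.xpi`. Seeing the names is therefore not a finding in itself; a report would have to show that the contents of some shipped file should not have been in the package, which this report does not claim.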
Updated•1 year ago
Keywords: reporter-external