1. Go to: https://testpilot.firefox.com
2. Attach a local proxy to the browser.
3. Click on "Install the Test Pilot Add-on".
4. The HTTP request goes to: https://testpilot.firefox.com/static/addon/addon.xpi
5. Intercept the response to this request.
6. Observe that server-side module and file names are disclosed in the body of the response.

Mitigation: In order to mitigate it, the source code for installation of the Test Pilot add-on should be free of hard-coded file names.
Please post the detail of the data being disclosed. Removing sec flag as this isn't a security issue.
Flags: sec-bounty? → sec-bounty-
Sorry, the screenshot and POC were not attached earlier. I don't know why. Anyways, I have just now attached a screenshot as a POC. The following is a list of the files disclosed which should actually not be disclosed client side:
1. META-INF/manifest.mf
2. node_modules/seedrandom/test/lib/
3. node_modules/seedrandom/lib/
4. node_modules/mustache/wrappers/yui3/
5. node_modules/seedrandom/.travis.yml
6. node_modules/mustache/CHANGELOG.md
7. locale/ar.properties
This is the content of the XPI, which is a ZIP file that contains the source code of the add-on. It is expected those files will be disclosed client side for Firefox to load them.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
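To make the triager's point concrete, the following added example (not code from the bug or from Mozilla) builds an XPI in memory and lists it the way any ZIP tool would. The entry names are copied from the report; their contents are constructed filler, and the DEV_ONLY_MARKERS list is an assumed packaging-hygiene heuristic, not anything the Test Pilot build uses. It shows that everything in the archive is visible to whoever holds the file, so the only actionable question is whether dev-only files need to ship in the package at all.

```python
"""Inspect an XPI as the triager describes it: a plain ZIP archive whose
directory listing is readable by anyone holding the file. The archive here
is constructed in memory; entry names come from the bug report."""
import io
import zipfile

# Entry names copied from the report (comment 2); contents are constructed filler.
REPORTED_ENTRIES = [
    "META-INF/manifest.mf",
    "node_modules/seedrandom/test/lib/",
    "node_modules/seedrandom/lib/",
    "node_modules/mustache/wrappers/yui3/",
    "node_modules/seedrandom/.travis.yml",
    "node_modules/mustache/CHANGELOG.md",
    "locale/ar.properties",
]

# Assumed heuristic for files an add-on does not need at runtime
# (test fixtures, CI config, changelogs, alternative framework wrappers).
DEV_ONLY_MARKERS = ("/test/", "/.travis.yml", "CHANGELOG", "/wrappers/")


def build_xpi(entries):
    """Return the bytes of a ZIP (i.e. an XPI) containing the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in entries:
            if name.endswith("/"):
                zf.writestr(name, b"")  # directory entry, no payload
            else:
                zf.writestr(name, b"// constructed filler content\n")
    return buf.getvalue()


def list_xpi(data):
    """The full entry list: this is exactly what the proxy showed the reporter."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def dev_artifacts(names):
    """Entries that look like build/test leftovers rather than runtime code."""
    return [n for n in names if any(marker in n for marker in DEV_ONLY_MARKERS)]


def audit_xpi(data):
    """Summarise an XPI: every entry is visible; flag the ones that need not ship."""
    names = list_xpi(data)
    return {
        "entries": names,
        "has_signing_manifest": "META-INF/manifest.mf" in names,
        "dev_only": dev_artifacts(names),
    }


if __name__ == "__main__":
    report = audit_xpi(build_xpi(REPORTED_ENTRIES))
    for name in report["entries"]:
        tag = "dev-only" if name in report["dev_only"] else "runtime"
        print(f"{tag:9} {name}")
```

Running the script prints every archive entry with a runtime/dev-only tag; trimming the dev-only entries out of the package is a build-hygiene improvement, not a fix for a disclosure, because Firefox has to read the remaining files from the same archive.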
Sorry for the false positive.