Closed
Bug 1365058
Opened 9 years ago
Closed 8 years ago
reflected xss on the site qsurvey.mozilla.com
Categories
(Websites :: Other, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: ignatio2007, Unassigned)
References
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
How to reproduce:
1. Use a modern browser (Firefox).
2. Navigate to the URL:
https://qsurvey.mozilla.com/s3/3057895/tlwpk"><script>alert(document.domain)</script>ktmkz?snc=1475857853_57f7cdbda18ed0.47098022&sg_navigate=start&sglocale=en
3. A popup alert will be shown with the name of the domain.
Flags: sec-bounty?
Comment 2•9 years ago
Tyler: The basic ask here is that the vendor treat user input in the path as unsafe and either not incorporate it into the response or simply safely encode that echoed content such that it doesn't translate into arbitrary HTML/JavaScript injection. This could be broadened to doing this for all user input to prevent injection issues elsewhere.
We were unable to reproduce this one. Could you please provide more information about it?
Comment 4•8 years ago
Survey has been deleted. This is why it can't be reproduced.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment 5•8 years ago
claudijd to do additional validation.
Status: RESOLVED → REOPENED
Ever confirmed: true
Flags: needinfo?(jclaudius)
Resolution: FIXED → ---
Comment 6•8 years ago
I cannot replicate this issue on other surveys. I wonder if it's possible this was addressed in a separate report, and the root cause fix was an overlap item.
Sergey: Could you please see if you can demonstrate this on a different survey? I have not been able to find a survey that responds with this behavior.
Flags: needinfo?(jclaudius) → needinfo?(ignatio2007)
This is a working URL:
qsurvey.mozilla.com/s3/fb6d51/i-100123'"><script>alert(1)</script>3405-382435/123
Flags: needinfo?(ignatio2007)
Comment 8•8 years ago
Sergey: thank you!
Ally: Please see commend 7 for working proof of concept. If possible, please include details about the solution to understand the root cause.
Flags: needinfo?(allysa.netzel)
Comment 9•8 years ago
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #8)
> Sergey: thank you!
>
> Ally: Please see commend 7 for working proof of concept. If possible,
> please include details about the solution to understand the root cause.
Correction: comment 7
Comment 11•8 years ago
It appears the survey is no longer accepting input.
Sergey: Could you please confirm the fix on a different survey URL? I just want to make sure we're getting to the actual root-cause fix here and we're not playing survey whack-a-mole with this issue.
Flags: needinfo?(ignatio2007)
Updated•8 years ago
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → FIXED
Updated•8 years ago
Flags: sec-bounty? → sec-bounty+
Updated•7 years ago
Group: websites-security
Updated•1 year ago
Keywords: reporter-external
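The output-encoding fix requested in comment 2, written as a regression check over the two paths reported in this bug. This is an added example, not part of the bug thread and not the vendor's code: the template and all function names are hypothetical, and an HTML attribute context is assumed because the page does not show where the path was reflected.

```python
import html
from html.parser import HTMLParser

# Hypothetical template: the page does not show where the vendor echoed the path;
# an attribute context is assumed because both reported URLs begin with a quote break.
TEMPLATE = '<form method="post" action="{path}"><input name="sg_navigate"></form>'

def render_unsafe(path: str) -> str:
    """Echo the request path verbatim (the behaviour the report describes)."""
    return TEMPLATE.format(path=path)

def render_encoded(path: str) -> str:
    """Echo the path after HTML-encoding &, <, >, " and ' for the attribute context."""
    return TEMPLATE.format(path=html.escape(path, quote=True))

class _Audit(HTMLParser):
    """Records every start tag and the form's action value as an HTML parser sees them."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.action = [], None
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form":
            self.action = dict(attrs).get("action")

def audit(markup: str):
    """Return (list of element names, form action) parsed from the markup."""
    p = _Audit()
    p.feed(markup)
    p.close()
    return p.tags, p.action

# Paths taken from the two URLs in this report (query string omitted).
REPORTED_PATHS = [
    '/s3/3057895/tlwpk"><script>alert(document.domain)</script>ktmkz',
    '/s3/fb6d51/i-100123\'"><script>alert(1)</script>3405-382435/123',
]

def regression_check():
    """Per path: (raw echo injects <script>, encoded echo injects <script>, action intact)."""
    results = []
    for path in REPORTED_PATHS:
        raw_tags, _ = audit(render_unsafe(path))
        enc_tags, enc_action = audit(render_encoded(path))
        results.append(("script" in raw_tags, "script" in enc_tags, enc_action == path))
    return results

if __name__ == "__main__":
    print(regression_check())
```

Because the check parses the rendered markup instead of string-matching it, it can be pointed at any survey template, which addresses the "survey whack-a-mole" concern raised in comment 11.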