Closed Bug 257644 Opened 21 years ago Closed 21 years ago

XSS vulnerability on download page

Categories

(www.mozilla.org :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: janmoesen_=-bugzilla-=+spamtrap, Unassigned)

Details

(Keywords: wsec-xss)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040830 Firefox/0.9.3+
Build Identifier:

The new download page doesn't escape the query string (or rather, unescapes it) and gladly document.write()s everything to the page. You can include random HTML and JavaScript.

The problem is in writeDownloadsPage() in http://www.mozilla.org/products/firefox/download.js

    url = unescape(location.search);
    if (url.length > 1) {
      url = url.substr(1);
      if (url.indexOf('http://ftp.mozilla.org/pub/mozilla.org/') != 0)
        url = -1;
    }
    else
      url = -1;

One solution would be to not give the entire URL as the query string, but always prepend 'http://ftp.mozilla.org/pub/mozilla.org/' and just write the escaped query string. That would also remove the need for the current prefix check.

I don't think this warrants the security flag, given that I already reported it on the designer's weblog about a fortnight ago: http://www.actsofvolition.com/archives/2004/august/newmozillaorg#reply21541

Reproducible: Always

Steps to Reproduce:
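Added example, not part of the bug report or of mozilla.org's code: the prefix check quoted above next to the mitigation the reporter proposes (relative path in the query string, fixed prefix prepended, output escaped). The anchor markup, the function names, the path allowlist and the sample query strings are assumptions made for illustration.

```javascript
const PREFIX = 'http://ftp.mozilla.org/pub/mozilla.org/';

// Escape the five characters that can change HTML parsing context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Mirrors the logic quoted in the report. Returns the HTML that would be
// handed to document.write(), or null when the check rejects the input.
// The <a> markup is an assumption; the report does not show the write call.
function vulnerableLinkHtml(search) {
  let url = unescape(search);
  if (url.length > 1) {
    url = url.substr(1);
    // Only the start of the string is checked; everything after the
    // prefix is trusted and written out unescaped.
    if (url.indexOf(PREFIX) != 0) url = -1;
  } else {
    url = -1;
  }
  if (url === -1) return null;
  return '<a href="' + url + '">download</a>';
}

// Proposed shape of the fix: the query string carries only a relative
// path, the prefix is constant, and the result is escaped before output.
function hardenedLinkHtml(search) {
  let path;
  try {
    path = decodeURIComponent(search.slice(1));
  } catch (e) {
    return null; // malformed percent-encoding
  }
  // Allowlist (assumed): slash-separated segments of safe characters.
  const okShape = /^[A-Za-z0-9._-]+(\/[A-Za-z0-9._-]+)*$/.test(path);
  if (!okShape || path.includes('..')) return null;
  return '<a href="' + escapeHtml(PREFIX + path) + '">download</a>';
}

// Constructed sample inputs (not taken from the bug).
const relPath = 'firefox/releases/0.9.3/FirefoxSetup-0.9.3.exe';
const markup = '%22%3E%3Cb%3Einjected%3C/b%3E'; // decodes to "><b>injected</b>
console.log(vulnerableLinkHtml('?' + PREFIX + markup)); // markup reaches output
console.log(hardenedLinkHtml('?' + markup));            // null
console.log(hardenedLinkHtml('?' + relPath));           // fixed-prefix link
```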
Confirming and CC'ing a couple of people who might be able to fix this.
Status: UNCONFIRMED → NEW
Ever confirmed: true
fixed, I think. Please have a look.
Looks fixed to me. The site did give a 500 error when I tried to view the CVS log using /webtools/bonsai/cvslog.cgi, but that is either a temporary condition or a different bug.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Product: mozilla.org → Websites
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss