XSS hole on store.mozilla.org

RESOLVED FIXED

Status

Priority: --
Severity: critical
11 years ago
5 years ago

People

(Reporter: clouserw, Assigned: mike.bommarito)

Tracking

({wsec-xss})

(Reporter)

Description

11 years ago
Posted on a security forum here: http://sla.ckers.org/forum/read.php?3,44,15626#msg-15626

XSS is here (warning, several alerts()):
http://store.mozilla.org/product.php?code=mz1303223%22%3E%3Cscript%3Ealert(1)%3C/script%3E&catid=&offset=0

It looks like they emailed customer service at the store but customer service didn't understand the question.
Severity: major → critical

Comment 1

Mike, this needs to be fixed ASAP, please.

John, can you please follow up with GatewayCDI to make sure this gets fixed, and quickly?

Comment 2

11 years ago
Hi Mike. Like Reed said, we need to get this fixed as soon as possible. I'll check in with you tomorrow to see how things are coming.

Once this is fixed, it would be best if you guys could do a site audit to make sure there aren't other things that could be exploited.

Thanks,
John
Assignee: jslater → mike.bommarito

Comment 3

Let us know if we can help somehow.
(Assignee)

Comment 4

11 years ago
I have sanitized the data being passed and redirected on no product found.

Thanks,

Mike
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
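As an added illustration (not the store's code, which is not on this page), a Python stand-in for product.php showing the reflected `code` parameter from the reported URL rendered before and after the fix Mike describes: escaping the value for attribute context and redirecting when no product matches. The catalogue entry and product name are constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the store's catalogue; the code is the one from the report's URL.
KNOWN_PRODUCTS = {"mz1303223": "Firefox T-Shirt"}

# The URL posted in the report, with the attribute-breaking payload in `code`.
REPORTED_URL = ("http://store.mozilla.org/product.php?code=mz1303223%22%3E%3Cscript%3E"
                "alert(1)%3C/script%3E&catid=&offset=0")


def code_param(url):
    """Return the `code` query parameter as the server sees it (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("code", [""])[0]


def attribute_value(raw):
    """Escape a value for use inside a double-quoted HTML attribute.
    quote=True also encodes " and ', so the value cannot close the attribute."""
    return html.escape(raw, quote=True)


def render_before_fix(code):
    """Pre-fix behaviour: the raw parameter is interpolated into a quoted attribute."""
    return f'<input type="hidden" name="code" value="{code}">'


def render_after_fix(code):
    """Post-fix behaviour: redirect when no product matches ("redirected on no product
    found"), otherwise escape the value before it reaches the page."""
    if code not in KNOWN_PRODUCTS:
        return ("redirect", "/")
    name = attribute_value(KNOWN_PRODUCTS[code])
    return ("html", f'<input type="hidden" name="code" value="{attribute_value(code)}">'
                    f"<h1>{name}</h1>")


def contains_injected_script(markup):
    """Detection check on rendered output: did an unescaped <script> tag get through?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    code = code_param(REPORTED_URL)
    print("before:", render_before_fix(code))
    print("after :", render_after_fix(code))
```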
Comment 5

Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss