XSS vulnerability in SUMO login

VERIFIED FIXED in 0.6.1

Status

support.mozilla.org
General
--
major
VERIFIED FIXED
10 years ago
2 years ago

People

(Reporter: bsterne, Assigned: laura)

Tracking

({wsec-xss})

unspecified
0.6.1
wsec-xss

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: tiki_test, URL)

Attachments

(1 attachment)

(Reporter)

Description

10 years ago
The SUMO login form unsafely uses the "user" URL parameter to populate the username field.  It could be used for XSS or website defacement.  Example attack URL:

http://support.mozilla.com/tiki-login_scr.php?user=<a+href="javascript:alert(document.cookie)">Click+Me</a>
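The defect and its fix, as an added example in Python (not Tiki's or SUMO's own code): the `user` query parameter is parsed as the login page would receive it, then rendered once verbatim (the bug reported above) and once escaped for HTML. The form body is a simplified stand-in for the tiki-login_scr.php output, and the sample URL is the one from the report.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample request: the example attack URL from the bug report above.
ATTACK_URL = ('http://support.mozilla.com/tiki-login_scr.php'
              '?user=<a+href="javascript:alert(document.cookie)">Click+Me</a>')


def user_param(url: str) -> str:
    """Return the 'user' query parameter as the page sees it ('+' decoded to space,
    split on the first '=' only, so '=' inside the payload stays part of the value)."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return query.get("user", [""])[0]


def render_login_unsafe(user: str) -> str:
    """Vulnerable rendering: the parameter is placed into the page body verbatim,
    so any markup it carries is interpreted by the browser (the reported bug)."""
    return "Log in\nUsername:\n" + user + "\nPassword:"


def render_login_safe(user: str) -> str:
    """Hardened rendering: HTML-escape the parameter before it reaches the page.
    quote=True also escapes quotes, so the same call is safe inside a double-quoted
    attribute such as <input value="...">, not only in text content."""
    return "Log in\nUsername:\n" + html.escape(user, quote=True) + "\nPassword:"


def injects_markup(rendered: str) -> bool:
    """Detection helper for tests and log review: True if a raw tag survived rendering."""
    return "<a " in rendered or "<script" in rendered.lower()


if __name__ == "__main__":
    user = user_param(ATTACK_URL)
    print("unsafe page injects markup:", injects_markup(render_login_unsafe(user)))
    print("safe page injects markup:  ", injects_markup(render_login_safe(user)))
```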
(Assignee)

Updated

9 years ago
Target Milestone: --- → 0.6.1
(Assignee)

Updated

9 years ago
Assignee: nobody → laura
It's been over two months. What's the status of fixing this? XSS vulns can be just as bad as any other type of vuln.

Comment 2

9 years ago
It's targeted to the 0.6.1 milestone, so next week.

Comment 3

9 years ago
Created attachment 330969 [details] [diff] [review]
Patch to escape user parameter correctly.
(Assignee)

Updated

9 years ago
Attachment #330969 - Flags: review+
(Assignee)

Comment 4

9 years ago
In trunk r17338, production branch r17342.  Thanks Jacob.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Keywords: push-needed
Resolution: --- → FIXED
Group: webtools-security → websites-security
Group: websites-security
Group: websites-security
Verified FIXED; I now get:

"Log in
Username:
<a href="ja<x>vascript:al<x>ert(document.cookie)">Click Me</a>
Password:"
Status: RESOLVED → VERIFIED

Updated

8 years ago
Keywords: push-needed
Whiteboard: tiki_triage

Updated

8 years ago
Whiteboard: tiki_triage → tiki_test
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security