Invalid Locale Codes Should Result in Error Page

Status: VERIFIED FIXED
Product: Websites
Component: plugins.mozilla.org
Priority: --
Severity: major
Reported: 8 years ago
Updated: 6 years ago
Reporter: mcoates
Assignee: Unassigned
Whiteboard: [infrasec:input]

Issue

The plugin URL contains a locale code such as 'en-us' as seen in the following example:
https://plugins.mozilla.org/en-us/plugins/detail/gnome-totem

An attacker can modify this value to arbitrary text and the plugins web application will still render the requested page as normal. An attacker could use a convincing message in order to entice users to install particular software.

Example:
https://plugins.mozilla.org/ApprovedByMozilla/plugins/detail/gnome-totem



Recommended Remediation

Check if the locale code is a valid value and redirect to an error page if any other values are received.
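One way to implement the recommended check, as an added example that is not the plugins.mozilla.org code (the locale allowlist, the route layout and the handler names are assumed). The point is to fail closed: a path segment that is not a known locale gets the error page, rather than the default locale silently being used and the page rendering under an attacker-chosen URL.

```python
# Added example, not code from plugins.mozilla.org. Validates the locale
# path segment of /<locale>/<rest> against an allowlist before any page
# is rendered. The allowlist and route layout are assumptions.
import re

# Constructed allowlist of locales the site actually ships. Anything not in
# this set is rejected, so free text such as "ApprovedByMozilla" can never
# appear in a URL that still renders a normal page.
SUPPORTED_LOCALES = {"en-us", "de", "fr", "es", "ja", "pt-br", "zh-cn"}

# Shape check first: a locale is a short language tag, not arbitrary text.
LOCALE_SHAPE = re.compile(r"^[a-z]{2,3}(-[a-z]{2,4})?$")


def validate_locale(segment):
    """Return the canonical (lower-case) locale, or None if we do not serve it."""
    candidate = segment.lower()
    if not LOCALE_SHAPE.match(candidate):
        return None
    if candidate not in SUPPORTED_LOCALES:
        return None
    return candidate


def route(path):
    """Dispatch a request path and return (status, body_or_location).

    200 -> page rendered for a valid locale
    301 -> locale was valid but not in canonical case; redirect once
    404 -> error page (unknown locale or malformed path)
    """
    parts = path.lstrip("/").split("/", 1)
    if len(parts) != 2 or not parts[0]:
        return 404, "Not Found"
    raw_locale, rest = parts
    locale = validate_locale(raw_locale)
    if locale is None:
        # Unknown locale: serve the error page. Do NOT fall back to a default
        # locale and render, which is the behaviour reported in this bug.
        return 404, "Not Found"
    if locale != raw_locale:
        # Normalise case so exactly one URL renders each page.
        return 301, "/%s/%s" % (locale, rest)
    return 200, "rendered %s for locale %s" % (rest, locale)


if __name__ == "__main__":
    for p in ("/en-us/plugins/detail/gnome-totem",
              "/ApprovedByMozilla/plugins/detail/gnome-totem",
              "/EN-US/plugins/detail/gnome-totem"):
        print(p, "->", route(p))
```

The shape regex alone is not enough, since "xx-yy" looks like a locale; the allowlist is what actually decides. Canonicalising case before the lookup means the check cannot be bypassed by "En-US", and the redirect keeps one URL per page for caches and search engines.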
r71440 should address this on staging shortly
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Group: websites-security