Stored Cross Site Scripting in Sheriff Preferences Screen

Status: VERIFIED FIXED (8 years ago / 5 years ago)
Severity: critical
Reporter: mcoates (Unassigned)
Keywords: wsec-xss
Whiteboard: [infrasec:xss]

Issue

The preferences page is vulnerable to stored XSS within the "name" and "irc nick" fields. In each case the user can enter arbitrary text that is returned within the HTTP response. This allows an attacker to enter an XSS attack that can steal a user's session ID, redirect the user to a malicious site, or be used in a phishing attack to compromise the user's Mozilla LDAP credentials.


Steps to reproduce:
1. Login
2. Browse to preferences
https://dm-sheriff01.mozilla.org/preferences
3. Enter the following for 'name' and 'irc nick':
test"><script>alert(document.cookie)</script>
4. Observe popup boxes indicating the attacks have fired.


Recommended Remediation

Use HTML entity output encoding to safely display any data provided by the user.

As a secondary control, use input validation to define which character sets are permitted for these fields. For example, a possible allowable character set could be the following: [a-zA-Z0-9]. Note that input validation alone does not resolve this issue. Output encoding must be used.
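The two controls recommended above, as an added example that is not code from the Sheriff application or from this bug: the preferences form is rendered once the way the report describes (user data concatenated straight into HTML) and once with HTML entity encoding applied, and the [a-zA-Z0-9] allowlist is applied as the secondary check. The payload from the reproduction steps is used as the sample input; the form layout, function names and the script-tag counter are assumptions made for the illustration.

```python
import html
import re
from html.parser import HTMLParser

# Sample input, taken from the reproduction steps in the report.
XSS_PAYLOAD = 'test"><script>alert(document.cookie)</script>'

# Secondary control: the allowlist suggested in the report ([a-zA-Z0-9]).
ALLOWED_CHARS = re.compile(r"[a-zA-Z0-9]+")


def is_allowed(value: str) -> bool:
    """Input validation: accept only values made entirely of allowed characters."""
    return ALLOWED_CHARS.fullmatch(value) is not None


def render_preferences(name: str, irc_nick: str, encode: bool = True) -> str:
    """Render the (hypothetical) preferences form.

    encode=False reproduces the defect: user data is placed in an attribute
    value unchanged, so a quote followed by '>' closes the <input> tag and
    anything after it becomes markup.
    encode=True is the primary control: html.escape with quote=True turns
    &, <, >, " and ' into entities, so the value stays inside the attribute.
    """
    def out(value: str) -> str:
        return html.escape(value, quote=True) if encode else value

    return (
        '<form method="post" action="/preferences">'
        f'<input type="text" name="name" value="{out(name)}">'
        f'<input type="text" name="irc_nick" value="{out(irc_nick)}">'
        '</form>'
    )


class _ScriptTagCounter(HTMLParser):
    """Counts <script> start tags the browser's tokenizer would see."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def count_script_tags(markup: str) -> int:
    """Parse the rendered page and report how many <script> tags it contains."""
    parser = _ScriptTagCounter()
    parser.feed(markup)
    parser.close()
    return parser.script_tags


if __name__ == "__main__":
    unsafe = render_preferences(XSS_PAYLOAD, XSS_PAYLOAD, encode=False)
    safe = render_preferences(XSS_PAYLOAD, XSS_PAYLOAD, encode=True)
    print("script tags without encoding:", count_script_tags(unsafe))  # 2
    print("script tags with encoding:   ", count_script_tags(safe))    # 0
    print("payload passes allowlist:    ", is_allowed(XSS_PAYLOAD))    # False
```

Parsing the rendered page rather than searching it for a literal `<script>` string is deliberate: the entity-encoded value still contains the text of the payload, but the parser confirms it never becomes a tag. The allowlist check is kept separate from encoding so that the encoding step still runs on every field, which is the point the report makes about validation not being sufficient on its own.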

Updated 8 years ago
Depends on: 588574

Updated 8 years ago
No longer depends on: 588574

Code changes look good. Tested in app and performing correctly.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Group: websites-security

Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss