Issue

The preferences page is vulnerable to stored XSS within the "name" and "irc nick" fields. In each case the user can enter arbitrary text that is returned within the HTTP response. This allows an attacker to enter an XSS attack that can steal a user's session ID, redirect the user to a malicious site, or be used in a phishing attack to compromise the user's Mozilla LDAP credentials.

Steps to reproduce:
1. Login
2. Browse to preferences https://dm-sheriff01.mozilla.org/preferences
3. Enter the following for 'name' and 'irc nick': test"><script>alert(document.cookie)</script>
4. Observe popup boxes indicating the attacks have fired.

Recommended Remediation

Use HTML entity output encoding to safely display any data provided by the user. As a secondary control, use input validation to define which character sets are permitted for these fields. For example, a possible allowable character set could be [a-zA-Z0-9]. Note that input validation alone is not enough to resolve this issue; output encoding must be used.
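The remediation described in the report, as an added example that is not part of this bug or of the sheriff project's own code: HTML entity output encoding as the primary control, with an allowlist as the secondary control. It assumes the preferences form renders the two fields into quoted `value="..."` attributes (which is why the report's payload starts with `">`), so the encoder must cover quotes as well as `<`, `>` and `&`. The field names, the `renderPreferences*` functions and the slightly wider allowlist for display names are illustrative assumptions.

```javascript
// Added example: output encoding + allowlist validation for the "name" and
// "irc nick" preference fields. Not code from the sheriff project; the
// template shape (<input ... value="...">) and field names are assumptions.

const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode every character that can break out of HTML text or out of a quoted
// attribute value. A single regex pass means '&' in the input is encoded
// without re-encoding entities the encoder itself produced.
function encodeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ENTITY_MAP[ch]);
}

// Secondary control: allowlist what the fields may contain. The report
// suggests [a-zA-Z0-9]; space, dot, underscore and hyphen for display names
// are an assumption. Length caps are also assumed.
const NAME_ALLOWLIST = /^[a-zA-Z0-9 ._-]{1,64}$/;
const IRC_NICK_ALLOWLIST = /^[a-zA-Z0-9_-]{1,32}$/;

// Returns the value unchanged when it matches the allowlist, else null.
function validateField(value, pattern) {
  return pattern.test(String(value)) ? String(value) : null;
}

// Rendering as the report describes it: user data is interpolated into the
// attribute verbatim, so '">' closes the attribute and the tag.
function renderPreferencesVulnerable(prefs) {
  return `<input name="name" value="${prefs.name}">\n` +
         `<input name="irc_nick" value="${prefs.ircNick}">`;
}

// Hardened rendering: validation rejects hostile input outright, and output
// encoding protects the template even if the allowlist is later relaxed.
function renderPreferencesSafe(prefs) {
  const name = validateField(prefs.name, NAME_ALLOWLIST);
  const ircNick = validateField(prefs.ircNick, IRC_NICK_ALLOWLIST);
  if (name === null || ircNick === null) {
    throw new Error('preferences: name or irc nick contains disallowed characters');
  }
  return `<input name="name" value="${encodeHtml(name)}">\n` +
         `<input name="irc_nick" value="${encodeHtml(ircNick)}">`;
}

// The payload from the report's reproduction steps (constructed test input).
const PAYLOAD = 'test"><script>alert(document.cookie)</script>';

// Crude check used below: does a raw <script> tag survive into the markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Running `renderPreferencesVulnerable({ name: PAYLOAD, ircNick: PAYLOAD })` reproduces the report: the `">` ends the attribute and a live `<script>` element lands in the response. `encodeHtml(PAYLOAD)` turns the same string into inert entities, and `renderPreferencesSafe` rejects it before rendering; the encoding step is kept in the safe path regardless, because the allowlist is only a second line of defence.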
Fixed at a50f0f182f2a73aa135676e0074957aa0940ad0f: http://github.com/kourge/sheriff/commit/a50f0f182f2a73aa135676e0074957aa0940ad0f
Code changes look good. Tested in app and performing correctly.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.