Escaping Needed to Prevent Reflected XSS via cmd_cli search

Status: RESOLVED INCOMPLETE
Product: Skywriter
Component: Embedded
Importance: -- major
Reported: 8 years ago; last modified: 8 years ago
Reporter: mcoates
Assignee: Unassigned
Version: unspecified
Whiteboard: [infrasec:xss]

Issue

A reflected cross site scripting vulnerability is present within the command line interface portion of the flightdeck website. Aside from an attacker convincing a user to copy and paste a specific string into the input (which sadly could work), it is not clear how an attacker would realistically exploit this vulnerability. However, the issue should still be addressed nonetheless.

Steps to reproduce
1. View the source of any add-on
2. Enter the following into the command line text box at the bottom of the screen:
<hr><script>alert(document.cookie)</script>
3. Observe the "no matches for" window appears and the script fires the alert box


Recommended Resolution

Configure the error box to safely output encode the user supplied data so that html is displayed literally instead of being interpreted by the browser.
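The recommended fix is output encoding of the user-supplied search string before it is placed in the "no matches for" box. The following is an added example of that pattern, not code from FlightDeck, Bespin or Skywriter; the function names and the `<div class="error">` markup are assumptions. It shows the unsafe string-interpolation form beside two hardened forms: escaping the text before it is interpolated into HTML, and building a DOM node whose `textContent` is set so the browser never parses the query as markup.

```javascript
// Added example (not project code): rendering "no matches for <query>"
// without letting the query be interpreted as HTML.

// Escape the five characters that can change meaning inside an HTML fragment.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: raw user input concatenated into markup. If this string
// is later assigned to innerHTML, any tags in `query` are parsed and executed.
function unsafeNoMatchesHtml(query) {
  return '<div class="error">no matches for ' + query + '</div>';
}

// Hardened pattern 1: encode before interpolating, so tags render literally.
function safeNoMatchesHtml(query) {
  return '<div class="error">no matches for ' + escapeHtml(query) + '</div>';
}

// Hardened pattern 2 (preferred in a browser): create the element and set
// textContent, which is never parsed as HTML. `doc` is passed in so the
// function can be exercised outside a browser; in page code use `document`.
function renderNoMatches(doc, container, query) {
  const div = doc.createElement('div');
  div.className = 'error';
  div.textContent = 'no matches for ' + query;   // literal text, no parsing
  container.replaceChildren(div);
  return div;
}

// Constructed sample input: markup that must show up as literal text.
const sampleQuery = '<hr><b>test</b>';
```

In page code the call would be `renderNoMatches(document, errorBox, query)`; the escaping variant is the fallback when an existing template already assigns an HTML string to `innerHTML` and cannot be restructured.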
Target Milestone: -- → 1.0
This might be a bespin issue
Target Milestone: 1.0 → 0.6
Assignee: nobody → zaloon

Updated

8 years ago
Assignee: zaloon → nobody
Group: webtools-security
Component: FlightDeck → Embedded
Product: Mozilla Labs → Skywriter
QA Contact: flightdeck → embedded
Target Milestone: 0.6 → 1.0
This seems like an exploit that would rely on a full breach or direct user interaction to produce the effect described. Being that a full breach would lead to more direct attacks and other more severe attacks, I am inclined to waive this for the next release as Bespin will be merging with Cloud9 and this should no longer be an issue.

If a developer would do this "convincing a user to copy and paste a specific string into the input" then Firebug's own command line would then technically be a vulnerable interface. This is something I am willing to live with for now.

Updated

8 years ago
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Yes, this would most likely rely on either direct user interaction or a clickjacking style attack where the user is entering text but it's confusing where the data is going.

You marked this as resolved fixed. Did you decide to fix it? If not, then I'd like it to remain open and be assigned to a future target milestone.
This is really a function of Bespin, and given the narrow vector of attack I marked it Fixed. I will reopen it as Incomplete, and close it when Skywriter merges with Cloud9's editor (which will "fix it" in the process).
Resolution: FIXED → INCOMPLETE