Closed Bug 598758 Opened 15 years ago Closed 15 years ago

403 Error Message Vulnerable to XSS

Categories

(Mozilla Labs Graveyard :: FlightDeck, defect)

defect
Not set
major

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mcoates, Unassigned)

References

Details

(Whiteboard: [infrasec:xss])

Issue

The 403 error message is susceptible to XSS attacks. This issue only occurs when the 403 is returned to the page and rendered within the red error box (e.g. not a generic 403 straight to the browser).

One such scenario that executes the vulnerable code is where the addon name contains an XSS value and an error occurs when deleting a module. In this scenario the following is returned within the 403 body:

HTTP/1.1 403 FORBIDDEN
Date: Wed, 22 Sep 2010 21:04:31 GMT
Server: Apache/2.2.12 (Ubuntu)
Vary: Cookie,Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 81

There is no such module in HelloW<script>alert(1)</script>orld../../other<hr>asdf

Steps to reproduce

1. Rename an addon to contain an XSS attack HelloW<script>alert(1)</script>done
2. Add a module to the project
3. Enable a proxy and set to intercept
4. Start to delete a module and intercept the delete message. Modify the POST parameters to gibberish values, specifically "filename"
5. Observe the error message returns and the XSS fires

Recommended Resolution

Use HTML entity output encoding for any data displayed within the error message.
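The recommended resolution, as an added example that is not part of the original report and is not FlightDeck's code: it builds the 403 body with and without entity encoding, then parses each body to show which elements a browser would create. The function names, the `MarkupProbe` class and the use of Python's standard `html` module are assumptions made for illustration; the sample name is the one from the 403 body above.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the add-on name taken from the 403 body in the report.
ADDON_NAME = "HelloW<script>alert(1)</script>orld../../other<hr>asdf"
PREFIX = "There is no such module in "


def error_body_unescaped(addon_name):
    """The 'before' behaviour: the stored name goes into text/html as-is."""
    return PREFIX + addon_name


def error_body_escaped(addon_name):
    """The recommended fix: HTML entity encoding at the point of output."""
    return PREFIX + html.escape(addon_name, quote=True)


class MarkupProbe(HTMLParser):
    """Records which elements an HTML parser would create from a body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def probe(body):
    """Return (elements created, text shown) for an error body."""
    parser = MarkupProbe()
    parser.feed(body)
    parser.close()  # flush any buffered trailing text
    return parser.tags, "".join(parser.text)


if __name__ == "__main__":
    for build in (error_body_unescaped, error_body_escaped):
        tags, text = probe(build(ADDON_NAME))
        print(f"{build.__name__}: elements={tags} text={text!r}")
```

The `probe` check works as a regression test for any error path that echoes stored values: the escaped body must create no elements and must display the name exactly as it was stored.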
Target Milestone: -- → 1.0
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Verified escaping used in code for the error responses and that the original test case is now safe.
Status: RESOLVED → VERIFIED
Group: webtools-security
Product: Mozilla Labs → Mozilla Labs Graveyard
Group: webtools-security