Bug 612713: Reflected XSS in https://addons.mozilla.org/
Status: VERIFIED FIXED (Closed)
Opened 13 years ago, closed 13 years ago
Categories: addons.mozilla.org Graveyard :: Public Pages, defect
Tracking: Not tracked
People: Reporter: ervistusha, Unassigned
Details: Keywords: sec-high, wsec-xss
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12
Build Identifier: https://addons.mozilla.org/en-US/firefox/browse/type:1/cat:22/sort:popular/%22%20onmouseover=%22alert%281%29%22
Reproducible: Always
Steps to Reproduce:
1. https://addons.mozilla.org/en-US/firefox/browse/type:1/cat:22/sort:popular/%22%20onmouseover=%22alert%281%29%22
2.
3.
Comment 1•13 years ago (Reporter)
Sorry, mark this as a security bug.
Updated•13 years ago
Group: client-services-security
Component: General → Public Pages
Product: Core → addons.mozilla.org
QA Contact: general → web-ui
Comment 2•13 years ago
Confirmed this is firing. Simply follow the above link and move the mouse around the page.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•13 years ago
Severity: normal → critical
OS: Linux → All
Hardware: x86 → All
Comment 3•13 years ago
This issue is being addressed.
Comment 4•13 years ago
(In reply to comment #3)
> This issue is being addressed.
It's actually fixed. That page is an old PHP page that is still hanging around. We expanded the limit on the rewrite (removed the $) to accept all URLs and send them to the new Python code. Thanks.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
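The fall-through that comment 4 describes, as an added example (not Mozilla's code and not part of the bug): a rewrite rule anchored with `$` hands only exact listing URLs to the new code, so the reported path reaches a legacy page that reflects it into an attribute. The two patterns, `legacy_page`, `route` and the `href` reflection point are assumptions, since the bug gives neither the rule nor the old template.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed rewrite patterns (assumption): the page only says a "$" was removed.
LISTING = r"^/[\w-]+/firefox/browse/type:\d+/cat:\d+/sort:\w+"
ANCHORED = re.compile(LISTING + r"/?$")  # before: exact listing URLs only
UNANCHORED = re.compile(LISTING)         # after: anything under that prefix

# Path taken from the report's "Steps to Reproduce".
REPORTED = ("/en-US/firefox/browse/type:1/cat:22/sort:popular/"
            "%22%20onmouseover=%22alert%281%29%22")


def legacy_page(path, escape=False):
    """Hypothetical legacy template: reflects the decoded path into an href."""
    value = unquote(path)
    if escape:
        # Hardened form: encode for a double-quoted attribute context.
        value = html.escape(value, quote=True)
    return '<a href="%s">Next page</a>' % value


def route(path, rule):
    """Matching paths go to the new code; everything else falls through."""
    m = rule.match(path)
    if m:
        # Stand-in for the new code: only the canonical listing path survives.
        return ("new", m.group(0))
    return ("legacy", legacy_page(path))


class _AttrNames(HTMLParser):
    """Collects the attribute names a parser sees on start tags."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def attribute_names(markup):
    parser = _AttrNames()
    parser.feed(markup)
    return parser.names
```

Under the anchored rule the reported path comes back from the legacy template with an extra `onmouseover` attribute on the tag; with the `$` removed it never reaches that template, and attribute escaping alone would also have kept the value inside `href`.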
Comment 5•13 years ago
Verified the fix. Front end caching may show the original attack to still fire for a bit. Simply changing any part of the URL will bypass front end caching and then safely redirect away.
Example: https://addons.mozilla.org/en-US/firefox/browse/type:1/cat:22/sort:popular/" onmouseover="alert(12)"
Status: RESOLVED → VERIFIED
Comment 6•13 years ago
Verified the fix. Front end caching may show the original attack to still fire for a bit. Simply changing any part of the URL will bypass front end caching and then safely redirect away.
Example: https://addons.mozilla.org/en-US/firefox/browse/type:1/cat:22/sort:popular/" onmouseover="alert(12)"
Comment 8•13 years ago (Reporter)
Confirm bug is fixed :)
Comment 9•13 years ago
How did this bug get fixed? What are the specific commits that fixed it? Why is none of that information in this bug?
Comment 10•13 years ago
(In reply to comment #9)
> How did this bug get fixed? What are the specific commits that fixed it? Why is none of that information in this bug?
From initial read-through, it looks like that URL path was just swapped from remora over to zamboni (comment #4). Was that indeed the fix? Purely a server-side change?
Comment 11•10 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Updated•10 years ago
Flags: sec-bounty+
Updated•7 years ago (Assignee)
Product: addons.mozilla.org → addons.mozilla.org Graveyard
Updated•6 years ago
Group: client-services-security