Status

addons.mozilla.org Graveyard
Public Pages
--
critical
VERIFIED FIXED
7 years ago
24 days ago

People

(Reporter: Ervis Tusha, Unassigned)

Tracking

(Blocks: 1 bug, {sec-high, wsec-xss})

unspecified
sec-high, wsec-xss
Bug Flags:
sec-bounty +

Details

(URL)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12
Build Identifier: 

https://addons.mozilla.org/en-US/firefox/browse/type:1/cat:22/sort:popular/%22%20onmouseover=%22alert%281%29%22

Reproducible: Always

Steps to Reproduce:
1. https://addons.mozilla.org/en-US/firefox/browse/type:1/cat:22/sort:popular/%22%20onmouseover=%22alert%281%29%22
(Reporter)

Comment 1

7 years ago
Sorry, mark this as a security bug.
Group: client-services-security
Component: General → Public Pages
Product: Core → addons.mozilla.org
QA Contact: general → web-ui
Confirmed this is firing. Simply follow the above link and move the mouse around the page.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Severity: normal → critical
OS: Linux → All
Hardware: x86 → All
This issue is being addressed.
(In reply to comment #3)
> This issue is being addressed.

It's actually fixed.  That page is an old PHP page that is still hanging around.  We expanded the limit on the rewrite (removed the $) to accept all URLs and send them to the new python code.  Thanks.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
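Comment 4 describes the fix as a routing change: the rewrite that sends browse URLs to the new Python code was anchored with `$`, so a URL carrying an extra trailing path segment did not match and fell through to the legacy PHP page, which reflected that segment into a double-quoted HTML attribute. The following Python is an added illustration of that mechanism, not AMO's actual rewrite rule or page code; the regex patterns, backend names and the `legacy_render`/`hardened_render` functions are assumptions constructed for this example.

```python
import re
from html import escape

# Assumed rewrite patterns: the real AMO rules are not shown in the bug.
BROWSE_PREFIX = r"^/en-US/firefox/browse/type:1/cat:22/sort:popular/?"
OLD_RULE = re.compile(BROWSE_PREFIX + r"$")   # anchored with $: exact path only
NEW_RULE = re.compile(BROWSE_PREFIX)          # $ removed: trailing segments match too

# Decoded form of the URL from the report (constructed test input).
ATTACK_PATH = '/en-US/firefox/browse/type:1/cat:22/sort:popular/" onmouseover="alert(1)"'
CLEAN_PATH = "/en-US/firefox/browse/type:1/cat:22/sort:popular/"


def route(path: str, rule: re.Pattern) -> str:
    """Return which backend a request path reaches under the given rewrite rule."""
    return "zamboni" if rule.search(path) else "legacy-php"


def trailing_segment(path: str) -> str:
    """Everything after the sort segment, i.e. the attacker-controlled tail."""
    return path.split("sort:popular/", 1)[1]


def legacy_render(path: str) -> str:
    """Assumed behaviour of the old page: the tail is echoed into an attribute unescaped."""
    return f'<a href="{trailing_segment(path)}">'


def hardened_render(path: str) -> str:
    """Attribute-context escaping keeps the tail inside the quoted attribute value."""
    return f'<a href="{escape(trailing_segment(path), quote=True)}">'


def attribute_broken(rendered: str) -> bool:
    """Detect an injected event handler, i.e. the reflected quote closed the attribute."""
    return bool(re.search(r'\son\w+\s*=\s*"', rendered))


if __name__ == "__main__":
    for name, rule in (("old", OLD_RULE), ("new", NEW_RULE)):
        print(f"{name} rule: attack URL -> {route(ATTACK_PATH, rule)}")
    print("legacy:  ", legacy_render(ATTACK_PATH), attribute_broken(legacy_render(ATTACK_PATH)))
    print("hardened:", hardened_render(ATTACK_PATH), attribute_broken(hardened_render(ATTACK_PATH)))
```

The first check mirrors comment 4 (routing alone closes the hole); the second shows the fix the legacy page itself would have needed had it stayed in service.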
Verified the fix.
Front end caching may show the original attack to still fire for a bit. Simply changing any part of the URL will bypass front end caching and then safely redirect away.

Example:
https://addons.mozilla.org/en-US/firefox/browse/type:1/cat:22/sort:popular/" onmouseover="alert(12)"
Status: RESOLVED → VERIFIED
(Reporter)

Comment 8

7 years ago
confirm bug is fixed :)
How did this bug get fixed? What are the specific commits that fixed it? Why is none of that information in this bug?
(In reply to comment #9)
> How did this bug get fixed? What are the specific commits that fixed it? Why is
> none of that information in this bug?

From initial read-through, it looks like that URL path was just swapped from remora over to zamboni (comment #4). Was that indeed the fix? Purely a server-side change?

Updated

4 years ago
Blocks: 835438
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
Flags: sec-bounty+
Keywords: sec-high
(Assignee)

Updated

a year ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
Group: client-services-security