persistent xss via the username field at https://l10n.mozilla.org/narro/narro_user_list.php?l=en-US&s=

Status: RESOLVED FIXED
Product: Websites
Component: other.mozilla.org
Reported: 8 years ago
Last updated: a year ago

People: Reporter: David, Assigned: Alexandru Szasz

Tracking: Keywords: sec-critical, wsec-xss
Version: unspecified
Bug Flags: sec-bounty +

Details: Whiteboard: [infrasec:xss][ws:critical]

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101210 4
Build Identifier: 

persistent xss via the username field at https://l10n.mozilla.org/narro/narro_user_list.php?l=en-US&s=

Reproducible: Always

Steps to Reproduce:
persistent xss via the username field at https://l10n.mozilla.org/narro/narro_user_list.php?l=en-US&s=

Actual Results:
persistent xss via the username field at https://l10n.mozilla.org/narro/narro_user_list.php?l=en-US&s=

Expected Results:
don't get xssed!
(Reporter)

Comment 1

8 years ago
https://l10n.mozilla.org/narro/narro_user_profile.php?l=en-US&u=791 --> (e.g.) --> username was  username:<!--<img src="--><img src=x onerror=alert(1)//">
Assignee: nobody → alexxed
Component: www.mozilla.org → other.mozilla.org
OS: Linux → All
QA Contact: www-mozilla-org → other-mozilla-org
Hardware: x86_64 → All
Confirmed stored xss at example https://l10n.mozilla.org/narro/narro_user_profile.php?l=en-US&u=792
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [infrasec:xss][ws:critical]
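The stored username quoted in Comment 1, pushed through a vulnerable template and an output-encoded one, as an added Python example (this is not narro's code; the `<td>` templates and the helper names are hypothetical). It shows that HTML-encoding the value before interpolation leaves nothing the browser can parse as a tag, while the displayed username itself survives unchanged.

```python
import html
import re

# Stored username quoted in Comment 1 of this bug; the browser treats the
# `-->` inside it as the end of an HTML comment and the second <img> as live markup.
REPORTED_USERNAME = 'username:<!--<img src="--><img src=x onerror=alert(1)//">'


# Hypothetical templates standing in for the user list / profile pages.
def render_vulnerable(username: str) -> str:
    """Interpolates the stored value directly into HTML (the reported behaviour)."""
    return f'<td class="username">{username}</td>'


def render_fixed(username: str) -> str:
    """Encodes for an HTML text or quoted-attribute context before interpolation.
    html.escape with quote=True rewrites & < > " and ', so no stored byte sequence
    can open a tag, close a comment or break out of an attribute value."""
    safe = html.escape(username, quote=True)
    return f'<td class="username" title="{safe}">{safe}</td>'


_TAG = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def injected_tags(rendered: str, template_tags=frozenset({"td"})) -> list:
    """Names of tags present in the rendered fragment that the template did not emit.
    Anything in this list came from user data, i.e. it is stored XSS."""
    return [t.lower() for t in _TAG.findall(rendered) if t.lower() not in template_tags]


def display_text(rendered: str) -> str:
    """What the user actually sees for the fixed rendering: strip the template's own
    wrapper and decode the entities; the original username must come back intact."""
    inner = re.sub(r"^<td[^>]*>|</td>$", "", rendered)
    return html.unescape(inner)


if __name__ == "__main__":
    print("vulnerable:", injected_tags(render_vulnerable(REPORTED_USERNAME)))  # ['img', 'img']
    print("fixed:     ", injected_tags(render_fixed(REPORTED_USERNAME)))       # []
    print("display:   ", display_text(render_fixed(REPORTED_USERNAME)))
```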
(Reporter)

Comment 5

8 years ago
I filed this upstream at --> http://code.google.com/p/narro/issues/detail?id=170
If narro is more than an experimental tool it needs to live on its own server (narro.mozilla.org?) so it's not vulnerable to problems with the rest of l10n.mozilla.org, and vice versa.

Comment 7

8 years ago
Agreed, it started off as an experiment, but we're past that.
Duplicate of this bug: 650869

Comment 10

7 years ago
Alex, any idea on a fix for this? We are starting to get dupes from security researchers.
Ping. Any update on this?

Thanks!
Ping again on this.

Thanks!
Issue is still present.

We'll need to patch this issue locally since it is not gaining traction at the project. We need an ETA this week of when this can happen.

POC:
https://l10n.mozilla.org/narro/narro_user_profile.php?l=en-US&u=957
Reached out to alexxed@gmail.com to offer to help identify what needs to be fixed (he is the maintainer for narro).
I asked Brandon Savage to spin up a patch.

Updated

7 years ago
Depends on: 678526
Duplicate of this bug: 678693

Comment 17

7 years ago
OK, with the update to the narro install, I can't reproduce this anymore, because the file is gone. What's up next with this bug?
(Assignee)

Comment 18

7 years ago
Fixed in http://code.google.com/p/narro/source/detail?r=bee28e9aff531bfed72fe2c36f212bf86432fbd2 and updated the code on lmo.

The URL changed, you can confirm it here: https://l10n.mozilla.org/narro/user.php?l=en-US&u=957
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Updated

6 years ago
Blocks: 836522
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Flags: sec-bounty+
Keywords: sec-critical
Group: websites-security