Closed Bug 619635 Opened 14 years ago Closed 13 years ago

persistent xss via the username field at https://l10n.mozilla.org/narro/narro_user_list.php?l=en-US&s=

Categories

(Websites :: other.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: db.pub.mail, Assigned: alex)

Details

(Keywords: reporter-external, sec-critical, wsec-xss, Whiteboard: [infrasec:xss][ws:critical])

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101210 4
Build Identifier: persistent xss via the username field at https://l10n.mozilla.org/narro/narro_user_list.php?l=en-US&s=

Reproducible: Always

Steps to Reproduce:
persistent xss via the username field at https://l10n.mozilla.org/narro/narro_user_list.php?l=en-US&s=

Actual Results:
persistent xss via the username field at https://l10n.mozilla.org/narro/narro_user_list.php?l=en-US&s=

Expected Results:
don't get xssed!
https://l10n.mozilla.org/narro/narro_user_profile.php?l=en-US&u=791 --> (e.g.) --> username was username:<!--<img src="--><img src=x onerror=alert(1)//">
Assignee: nobody → alexxed
Component: www.mozilla.org → other.mozilla.org
OS: Linux → All
QA Contact: www-mozilla-org → other-mozilla-org
Hardware: x86_64 → All
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [infrasec:xss][ws:critical]
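As an added example (not code from this bug or from the Narro project), the Python below puts the defect and its fix side by side: a stand-in for the user-list link template that renders the stored username unencoded versus entity-encoded, plus a parser-based check that flags any rendered fragment in which user-controlled data has introduced tags or event handlers. The template string, function names and the reuse of user id 791 as a sample are assumptions; the username value is the one quoted in the report.

```python
import html
from html.parser import HTMLParser

# Username payload quoted in comment 0 of the report, reused as constructed test input.
REPORTED_USERNAME = 'username:<!--<img src="--><img src=x onerror=alert(1)//">'


def render_user_link_vulnerable(user_id: int, username: str) -> str:
    """The defect: the stored username is interpolated into the page unencoded.

    Hypothetical template standing in for narro_user_list.php output.
    """
    return (f'<a href="narro_user_profile.php?l=en-US&amp;u={int(user_id)}">'
            f'{username}</a>')


def render_user_link(user_id: int, username: str) -> str:
    """The fix: entity-encode the username for the HTML text context it lands in.

    Encoding happens at output time, so it protects every page that displays a
    username regardless of what was accepted into the database earlier.
    """
    return (f'<a href="narro_user_profile.php?l=en-US&amp;u={int(user_id)}">'
            f'{html.escape(username, quote=True)}</a>')


class _TagRecorder(HTMLParser):
    """Records every start tag and every on* attribute the browser would act on."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]


def markup_injected(fragment: str, expected_tags=("a",)) -> bool:
    """True if the fragment carries tags or event handlers beyond the template's own.

    Usable as a regression check over rendered rows: the template contributes
    exactly one <a>, so anything extra came from user data.
    """
    parser = _TagRecorder()
    parser.feed(fragment)
    parser.close()
    return tuple(parser.tags) != tuple(expected_tags) or bool(parser.handlers)
```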
If narro is more than an experimental tool it needs to live on its own server (narro.mozilla.org?) so it's not vulnerable to problems with the rest of l10n.mozilla.org, and vice versa.
Agreed, it started off as an experiment, but we're past that.
Alex, any idea on a fix for this? We are starting to get dupes from security researchers.
Ping. Any update on this? Thanks!
Ping again on this. Thanks!
The issue is still present. We'll need to patch this issue locally since it is not gaining traction at the project. We need an ETA this week of when this can happen. POC: https://l10n.mozilla.org/narro/narro_user_profile.php?l=en-US&u=957
Reached out to alexxed@gmail.com to offer to help identify what needs to be fixed (he is the maintainer for narro).
I asked Brandon Savage to spin up a patch.
Depends on: 678526
OK, with the update to the narro install, I can't reproduce this anymore, because the file is gone. What's up next with this bug?
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Flags: sec-bounty+
Group: websites-security