Closed
Bug 619635
Opened 14 years ago
Closed 13 years ago
persistent xss via the username field at https://l10n.mozilla.org/narro/narro_user_list.php?l=en-US&s=
Categories
(Websites :: other.mozilla.org, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: db.pub.mail, Assigned: alex)
Details
(Keywords: reporter-external, sec-critical, wsec-xss, Whiteboard: [infrasec:xss][ws:critical])
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101210 4
Build Identifier:
persistent xss via the username field at https://l10n.mozilla.org/narro/narro_user_list.php?l=en-US&s=
Reproducible: Always
Steps to Reproduce:
persistent xss via the username field at https://l10n.mozilla.org/narro/narro_user_list.php?l=en-US&s=
Actual Results:
persistent xss via the username field at https://l10n.mozilla.org/narro/narro_user_list.php?l=en-US&s=
Expected Results:
don't get xssed!
https://l10n.mozilla.org/narro/narro_user_profile.php?l=en-US&u=791 --> (e.g.) --> username was username:<!--<img src="--><img src=x onerror=alert(1)//">
actually whoops, it was https://l10n.mozilla.org/narro/narro_user_profile.php?l=en-US&u=792
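Added example, not part of the bug report or of narro's code: a Python sketch that parses the username quoted above once inserted verbatim and once HTML-encoded at output time. The `render_unsafe` and `render_encoded` templates and the `<td>` wrapper are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Username value quoted in the report above.
REPORTED_USERNAME = '<!--<img src="--><img src=x onerror=alert(1)//">'


class MarkupInspector(HTMLParser):
    """Records the elements, on* handler attributes and text a parser sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.elements, self.handlers, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        self.elements.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

    def handle_data(self, data):
        self.text.append(data)


def inspect(markup):
    """Return (elements, handler attributes, visible text) for a fragment."""
    parser = MarkupInspector()
    parser.feed(markup)
    parser.close()
    return parser.elements, parser.handlers, "".join(parser.text)


def render_unsafe(username):
    # Hypothetical template: stored value concatenated into the page as-is.
    # The comment ends at the first "-->", which sits inside the quoted src
    # value, so the second <img> and its onerror attribute become live markup.
    return "<td>" + username + "</td>"


def render_encoded(username):
    # Encode at output time; quote=True also covers quoted attribute contexts.
    return "<td>" + html.escape(username, quote=True) + "</td>"


if __name__ == "__main__":
    for render in (render_unsafe, render_encoded):
        print(render.__name__, inspect(render(REPORTED_USERNAME)))
```

In PHP, which the narro URLs indicate the application is written in, the corresponding output-time call is `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`.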
Updated•14 years ago
Assignee: nobody → alexxed
Component: www.mozilla.org → other.mozilla.org
OS: Linux → All
QA Contact: www-mozilla-org → other-mozilla-org
Hardware: x86_64 → All
Comment 4•14 years ago
Confirmed stored xss at example https://l10n.mozilla.org/narro/narro_user_profile.php?l=en-US&u=792
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•14 years ago
Whiteboard: [infrasec:xss][ws:critical]
I filed this upstream at --> http://code.google.com/p/narro/issues/detail?id=170
Comment 6•14 years ago
If narro is more than an experimental tool it needs to live on its own server (narro.mozilla.org?) so it's not vulnerable to problems with the rest of l10n.mozilla.org, and vice versa.
Comment 7•14 years ago
Agreed, it started off as an experiment, but we're past that.
Comment 8•14 years ago
Issue still present. No movement on filed bug.
http://code.google.com/p/narro/issues/detail?id=170
Comment 10•14 years ago
Alex, any idea on a fix for this? We are starting to get dupes from security researchers.
Comment 11•14 years ago
ping. any update on this?
Thanks!
Updated•13 years ago
Comment 12•13 years ago
ping again on this.
thanks!
Comment 13•13 years ago
Issue is still present.
We'll need to patch this issue locally since it is not gaining traction at the project. We need an ETA this week of when this can happen.
POC:
https://l10n.mozilla.org/narro/narro_user_profile.php?l=en-US&u=957
Comment 14•13 years ago
Reached out to alexxed@gmail.com to offer to help identify what needs to be fixed (he is the maintainer for narro).
Comment 15•13 years ago
I asked Brandon Savage to spin up a patch.
Comment 17•13 years ago
OK, with the update to the narro install, I can't reproduce this anymore, because the file is gone. What's up next with this bug?
Comment 18•13 years ago
Fixed in http://code.google.com/p/narro/source/detail?r=bee28e9aff531bfed72fe2c36f212bf86432fbd2 and updated the code on lmo.
The URL changed, you can confirm it here: https://l10n.mozilla.org/narro/user.php?l=en-US&u=957
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 19•12 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Updated•11 years ago
Flags: sec-bounty+
Updated•9 years ago
Keywords: sec-critical
Updated•8 years ago
Group: websites-security
Updated•4 months ago
Keywords: reporter-external