Closed Bug 628096 Opened 14 years ago Closed 14 years ago

Reflective XSS on accessfirefox.org

Categories

(Websites :: Other, defect)

defect
Not set
major

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: firealwaysworks, Assigned: KenSaunders)


Details

(Keywords: wsec-xss, Whiteboard: [infrasec:xss][ws:high])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier:

This domain was listed on Mozilla's directory. I assume this is the right place to post the bug. The POST vars "email" and "name" are vulnerable to XSS.

    curl "http://accessfirefox.org/ContactPage.php" -d 'reset=Reset&name=" ></input><ScRiPt>alert("xss")</ScRiPt>&submit=Submit&email=test@sometest38752.com&' > test.html
    firefox test.html

Reproducible: Always
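The report above gives only the curl request, not the server-side code. The following is an added illustration written for this page, not the actual ContactPage.php from accessfirefox.org (whose source is not shown here). It assumes what the payload itself implies: the form echoed the submitted "name" and "email" values back into `value="..."` attributes, so a value beginning with `" >` closes the attribute and the tag and the rest lands in the page as markup. The vulnerable rendering is shown next to the hardened one, fed the same constructed request body as the curl command.

```php
<?php
// Added example, not the site's real ContactPage.php. Assumed form layout:
// submitted values are re-displayed inside input value="..." attributes.
// Run with: php reflect.php
declare(strict_types=1);

/** Vulnerable pattern: raw POST data concatenated straight into an attribute. */
function render_vulnerable(array $post): string
{
    $name  = $post['name']  ?? '';
    $email = $post['email'] ?? '';
    return '<form method="post" action="ContactPage.php">'
         . '<input type="text" name="name" value="' . $name . '">'
         . '<input type="text" name="email" value="' . $email . '">'
         . '<input type="submit" name="submit" value="Submit">'
         . '</form>';
}

/**
 * Escape for an HTML attribute context. ENT_QUOTES encodes both " and ',
 * so the value can never terminate the attribute it is placed in;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function esc_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: same form, every reflected value escaped for its context. */
function render_fixed(array $post): string
{
    $name  = $post['name']  ?? '';
    $email = $post['email'] ?? '';
    return '<form method="post" action="ContactPage.php">'
         . '<input type="text" name="name" value="' . esc_attr($name) . '">'
         . '<input type="text" name="email" value="' . esc_attr($email) . '">'
         . '<input type="submit" name="submit" value="Submit">'
         . '</form>';
}

// Constructed request body: the same fields and payload the report's curl command sends.
$post = [
    'reset'  => 'Reset',
    'name'   => '" ></input><ScRiPt>alert("xss")</ScRiPt>',
    'submit' => 'Submit',
    'email'  => 'test@sometest38752.com',
];

// Vulnerable output contains a live <ScRiPt> element outside any attribute;
// the fixed output contains only &quot; &lt; &gt; entities inside value="...".
echo "Vulnerable:\n", render_vulnerable($post), "\n\n";
echo "Fixed:\n", render_fixed($post), "\n";

// A quick self-check a reviewer can apply to any rendered page:
// no unescaped "<script" (case-insensitive) should survive from user input.
$leaks = preg_match('/<script/i', render_vulnerable($post)) ? 'yes' : 'no';
$safe  = preg_match('/<script/i', render_fixed($post)) ? 'yes' : 'no';
echo "\nscript tag reaches the page: vulnerable={$leaks}, fixed={$safe}\n";
```

Two points worth keeping in mind when applying this fix for real: the escaping must match the context the value is written into (an attribute needs `ENT_QUOTES`; a value placed inside inline JavaScript or a URL needs a different encoder entirely), and the "email" field is just as reflective as "name" even though the proof-of-concept only exercised "name". The mitigation actually taken in this bug, removing the form in favour of a mailto link, sidesteps both problems by never reflecting input at all.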
(In reply to comment #0)
> This domain was listed on mozilla's directory. I assume this is the right
> place to post the bug.

The directory includes both official and non-official sites. AccessFirefox.org isn't an official site, but I'll just assign this to its owner and hope he sees it and can fix it. Not much I can do besides that.
Assignee: nobody → KenSaunders
OS: Windows 7 → All
Hardware: x86 → All
I've removed the form and just added a mailto link until this gets straightened out. Thanks to Mike for bringing this to my attention. I was unaware of the issue. For the record, it is clearly stated on the contact page, and in the site's footer that Access Firefox is not officially affiliated with MoFo (or MoFo and MoCo as stated in the footer). It's one of the few sites (from the many) using a Mozilla trademark that actually applied for a domain name license. :) Although, I do sincerely appreciate the Mozilla community directory listing.
Ken Saunders: You're welcome. I am scanning a lot of the domains listed in the directory. I apologize for the misunderstanding.
Resolving this one, as it's been mitigated.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [infrasec:xss][ws:high]
Group: websites-security
Status: RESOLVED → VERIFIED
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss