Closed Bug 648881 Opened 15 years ago Closed 15 years ago

XSS in developer.mozilla.org (that allows CSRF-token bypass in addons.mozilla.org)

Categories

(developer.mozilla.org Graveyard :: Wiki pages, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 622996

People

(Reporter: albinowax, Unassigned)

Details

(Keywords: reporter-external)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20110103 Fedora/3.6.13-1.fc14 Firefox/3.6.13
Build Identifier:

As the PoC demonstrates, developer.mozilla.org is vulnerable to XSS. Since it has the same parent domain as addons.mozilla.org it can set arbitrary cookies for AMO. The PoC, after the popup, overrides the AMO 'csrftoken' cookie. If you then try to edit your user details on AMO you will see the csrftoken has changed to 'cow', a value chosen by the attacker. Note that this does not directly expose AMO to CSRF, since (as far as I can see) the Referer checking defence on AMO can't be bypassed.

Reproducible: Always

Steps to Reproduce:
1. Click the URL.
2. Browse to https://addons.mozilla.org/en-US/firefox/users/edit and note that the csrftoken has changed to cow.

This could be tricky to patch, as there are probably plenty more XSS vulnerabilities in developer.mozilla.org. All I can think of is storing CSRF tokens server-side on AMO or redirecting developer.mozilla.org to a different domain name.

- Sorry, I chose the wrong product/component category. Couldn't see one for developer.mozilla.org.
- I figure this isn't bounty worthy, since it's only half a bypass.
Group: client-services-security → websites-security
Component: Developer Pages → Website
Product: addons.mozilla.org → Mozilla Developer Network
QA Contact: developers → website
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Could this, #649354 and #704543 be marked 'non-security sensitive', since they're all fixed?
Component: Website → Landing pages
Flags: sec-bounty+
Group: websites-security
Product: developer.mozilla.org → developer.mozilla.org Graveyard