[Web Search Engine] Create False Variables

RESOLVED INVALID

Status

RESOLVED INVALID
7 years ago
2 years ago

People

(Reporter: kontakt, Unassigned)

Tracking

Details

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
Created attachment 610627 [details]
Screenshot[1]

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0) Gecko/20100101 Firefox/10.0
Build ID: 20120129021758

Steps to reproduce:

Hi,

I found a bug that allows you to create any number of false variables.

Thanks for reply,

Best Regards,
Artur Czyz


Actual results:

Here's an example:

https://addons.mozilla.org/mn/firefox/search/?q=;addfalsevariable;addfalsevariable2;wecanaddalotoffalsevariable;

screenshot[1] is in attachment.

Error running on each side of Mozilla, which uses this type of search engine.

For example:

https://addons.mozilla.org/mn/developers/search?q=;addfalsevariable;addfalsevariable2;wecanaddalotoffalsevariable;

When we click on "Log in", we can see this URL:

https://addons.mozilla.org/mn/firefox/users/login?to=/mn/firefox/search/?q=&wecanaddalotoffalsevariable=&addfalsevariable=&addfalsevariable2=

As I said, in we can create a false variables.
Have you identified a security risk?
(Reporter)

Comment 2

7 years ago
I think this can be a type of XSS attack or DOS attack (application crasher).
As long as it's properly escaped it's not XSS.  If you can provide a proof of concept you could have something, otherwise I don't think this is a bug.
(Reporter)

Comment 4

7 years ago
Thanks for reply Wil ;-)

Ad. 1: I will try to bypass a "escaping chars".
Ad. 2. If we create a thousand false variables that can crash a application, but I can't test it.

Best Regards
Reopen if there is XSS or DOS here but in the mean time I'm closing the bug.  Thanks.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID
(Reporter)

Comment 6

7 years ago
Btw. This vulnerability is everywhere. Next example:

https://addons.mozilla.org/mn/firefox/themes/?sort=users;falsename=falsevalue;

and in code we can see:

<input type="hidden" name="falsename" value="falsevalue">

-------------

I'm still working on it - to prove this is propably XSS ;-)
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago7 years ago
Resolution: --- → INVALID
(Assignee)

Updated

3 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
(Reporter)

Updated

2 years ago
Group: core-security
Group: client-services-security, core-security
You need to log in before you can comment on or make changes to this bug.