Closed Bug 756446 Opened 13 years ago Closed 13 years ago

Popcorn Persistent XSS

Categories

(Webmaker Graveyard :: Popcorn Maker, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: insecurity.ro, Assigned: jon)

Details

(Keywords: wsec-xss)

Attachments

(1 file)

Attached image popcorn.JPG
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Build ID: 20120420145725

Steps to reproduce:
Well, we have Persistent XSS. http://mozillapopcorn.org:8888/published/4fb64ebce0116ef826001280.html

Actual results:
How to create this with Mozilla Popcorn? Put our XSS code with http://[our xss code] in the Edit Source on site http://mozillapopcorn.org:8888/templates/pop/template.html, save this and share this.
I forgot: also put our XSS in Project Name. Private video PoC: http://www.youtube.com/watch?v=QR_NYytzPnA&feature=youtu.be
Status: UNCONFIRMED → NEW
Ever confirmed: true
Group: core-security
dhumphrey, any idea who can look at this?
also need to figure out if this site should go on the qualifying security bounty list.
This is because we don't do any sanitizing of user input in the server app. I'll take this.
Assignee: nobody → jon
Status: NEW → ASSIGNED
choffman: I don't know the policy for bounties, but this project isn't at 1.0 yet, if that makes a difference.
If we wait to pay bounties until after the 1.0 release we create the wrong incentives. Better to have people tell us about problems early than to see an explosion of security bugs a day or two after the initial release. If there are problems that we know about better to just get bugs on file. We don't pay for known issues.
Hmm, true, good words. Chris, do you know? I love you :)
Good point -- there's likely a sweet spot in between "experimental" and "release candidate". Not sure when that is, or whether Popcorn is in that stage yet.
Fixed on master: https://github.com/jbuck/butter/commit/21c02cef158a4c3d6f95b952b22185ebabc25ca5 I'll be deploying this to maker.mp.o shortly.
does the fix mean this was serious and we plan to correct? I guess what we need to do is figure out if the example exploit has the possibility of putting any firefox user or mozilla data at risk so we can figure out how to evaluate all the popcorn bugs and figure out if it should go on the list of sites that we need to be protecting and paying bounties on.
Is there anything on mozillapopcorn.org:8888 other than published videos? That's where the XSS is, but the signups are on maker.mp.org. XSS looks bad, but may not actually be dangerous in that case (at least no more dangerous than letting people define their own CSS in the first place, or upload HTML for the webmaker site).
And we have some problem in http://maker.mozillapopcorn.org/dashboard. Our "code name" for the project: ""><script>alert("6")</script><iframe src ="https://open.xerox.com/Repo//user/testeravi/testVersion1.zip" width="0" height="0" frameborder="0" /> </iframe> but it's only a test; on Mozilla Popcorn it is very hard work with some XSS code, this code doesn't work in the URL but works on the Dashboard. http://i48.tinypic.com/hsubso.jpg When we make our project with our "code name", go to the dashboard and click delete, we can see our file in .zip or whatever you want. It's a bug, yes. But it's hard to use. Video PoC: http://www.youtube.com/watch?v=PAdZnNcONDM
Alright, I'm on this. Should be a simple escaping problem. I'll have a fix up in a minute.
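The "simple escaping problem" named in the comment above, as an added example that is not Popcorn Maker's code and not the fix in the commit linked later in this bug: a project name is concatenated into markup as-is in the vulnerable renderer, and HTML-escaped once per insertion point in the hardened one. The function names (`escapeHtml`, `renderProjectRowUnsafe`, `renderProjectRowSafe`, `containsUnexpectedTag`) and the sample name are constructed for this illustration; the sample is shaped like the code name quoted in the report.

```javascript
// Added example, not Popcorn Maker's code: HTML-escape untrusted user input
// (a project "code name") before interpolating it into a page.

// Escape the five characters that can break out of HTML text content or a
// double-quoted attribute. The output is safe only in those two contexts;
// URLs, JavaScript strings and CSS need their own encoders.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')   // must run first so later entities are not re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The defect class described in this bug: the name is concatenated into the
// template unchanged, so markup inside the name becomes part of the page.
function renderProjectRowUnsafe(name) {
  return '<li data-name="' + name + '">' + name + '</li>';
}

// Hardened form: escape once for each place the value is inserted.
function renderProjectRowSafe(name) {
  const safe = escapeHtml(name);
  return '<li data-name="' + safe + '">' + safe + '</li>';
}

// Regression check for a test suite: does rendered markup contain a tag the
// template itself never emits? Any hit means user input reached the page raw.
function containsUnexpectedTag(html) {
  return /<\/?(script|iframe|img|svg)\b/i.test(html);
}

// Constructed sample input, shaped like the project name quoted in the report.
const SAMPLE_NAME = '""><script>alert("6")</script>';

// Self-check when run directly with `node`.
if (typeof require !== 'undefined' && require.main === module) {
  if (!containsUnexpectedTag(renderProjectRowUnsafe(SAMPLE_NAME))) {
    throw new Error('unsafe renderer should leak the tag');
  }
  if (containsUnexpectedTag(renderProjectRowSafe(SAMPLE_NAME))) {
    throw new Error('safe renderer leaked a tag');
  }
  console.log(renderProjectRowSafe(SAMPLE_NAME));
}
```

Escaping on output is the right layer for this fix: storing the name verbatim keeps the data intact, and each template decides how to encode it for the context it writes into. Stripping "dangerous" strings on input, by contrast, has to anticipate every context and every encoding trick.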
Sony: thanks for reporting this bug. Currently we don't believe Popcorn is in a stage that needs the benefit of adding it to our Web Bounty program and therefore we are not awarding a bug bounty. We appreciate your testing help as part of the Mozilla community, but if your primary interest is in earning bug bounties I encourage you to focus on the sites that are firmly within the scope of that program: http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs
Ok :) But some sites on http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs don't work: pfs.mozilla.org (redirect), and what are aus*.mozilla.org and *.services.mozilla.com (what are the full domain names)? http://versioncheck.addons.mozilla.org/ (doesn't work), https://services.addons.mozilla.org/ (403 Forbidden)
And I am not only interested in bounties, I also love finding bugs as a hobby :)
So, to close the loop on this ticket:

(In reply to chris hofmann from comment #11)
> does the fix mean this was serious and we plan to correct?
>
> I guess what we need to do is figure out if the example exploit has the
> possibility of putting any firefox user or mozilla data at risk so we can
> figure out how to evaluate all the popcorn bugs and figure out if it should
> go on the list of sites that we need to be protecting and paying bounties on.

It did allow an XSS, but it wouldn't have been possible to get any user data other than your own email address and Popcorn project data; we don't expose emails except your own email when you log in.

(In reply to Daniel Veditz [:dveditz] from comment #12)
> Is there anything on mozillapopcorn.org:8888 other than published videos?
> That's where the XSS is, but the signups are on maker.mp.org. XSS looks bad,
> but may not actually be dangerous in that case (at least no more dangerous
> than letting people define their own CSS in the first place, or upload HTML
> for the webmaker site).

:8888 is currently just static Popcorn projects, and it was running v0.3 of Popcorn Maker. maker.mp.o is for creating/hosting new Popcorn projects and it was running v0.5.2 of Popcorn Maker.

---

Sony, thank you for finding these bugs! If you ever find yourself in Toronto I'd be happy to purchase you a drink :)
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Group: websites-security
Product: Popcorn → Webmaker
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss