Closed Bug 765170 Opened 12 years ago Closed 12 years ago

Persistent Cross Site Scripting (XSS) on Personas website

Categories

(Websites Graveyard :: getpersonas.com, defect)

Firefox 6
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: d3v1l.securityshell, Assigned: brandon)

References

Details

(Keywords: sec-critical, wsec-xss)

Attachments

(2 files)

Attached image personas.jpg
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0
Build ID: 20120601045813

Steps to reproduce:

Log into the site (https://www.getpersonas.com), go to Create Your Persona, add an XSS payload into Description, then click Submit.

See screenshot: http://i.imgur.com/NKTE9.jpg

Another screenshot is attached.

btw: any news about https://bugzilla.mozilla.org/show_bug.cgi?id=754646 ? 

Cheers!
Assignee: nobody → mfuller
:marius, can you please include the exact code you used in the description field to reproduce your attached image? I
Thanks!
You mean the payload? If yes, check -> "><textarea><!-- </textarea><img src=1 onerror=alert("XSS")>

Cheers
Thanks, status changed to confirmed. I'm attempting to locate the developer who maintains this code and I'll copy him in shortly.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: mfuller → bsavage
This patch resolves the issue (it is no longer reproducible). However, it's unclear if we allow users to enter HTML into the description field or not; if we do, then this patch won't work because it simply eliminates the ability to enter ANY HTML into the description field.
Attachment #634156 - Flags: review?(laura)
Attachment #634156 - Flags: feedback?(clouserw)
I think we added HTML so it would show up on AMO (which does filtering). I'm OK with preventing it on getpersonas assuming we still nl2br.
Without a second vulnerability that allows you to log someone else on as you, this flaw can't be used as an effective attack vehicle. We don't feel it qualifies for a bounty based on our current understanding.
It could potentially be used as an attack vehicle.

An attacker could submit a persona which has malicious code in it. That code could result in an approver approving it without their knowledge, and then additional malicious code could be used to attack users of the getpersonas website. There are a lot of "ifs" in there, but it's certainly a possibility.
Brandon, you are right. And another issue that I saw is the Header and Footer image upload... there is the possibility to upload an image with JS XSS code inside the source. I could not bypass the filter but I uploaded the image... maybe it works on old Internet Explorer versions... I am not sure.

btw: the XSS still works!

Regards!
This patch must be reviewed before it can be committed to the source code. Until it is reviewed, the XSS vulnerability will exist in production.
I'm on review, should be today
Depends on: 767198
This bug still works! The Description request parameter is still copied into the HTML document as plain text between tags, so it is still possible to inject arbitrary JavaScript into the application's response.

Cheers!
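The two comments above describe the root cause (the Description parameter is copied into the page between tags without escaping) and the agreed fix (disallow HTML in the field but keep nl2br so line breaks still render). The following is an added example, not code from the getpersonas.com codebase, that shows the vulnerable rendering beside the hardened one. The site's own code used PHP's nl2br; this is a Python stand-in, and the function names, the template wrapper and the sample description are assumptions. The sample input is the payload already quoted in this bug, used only to show that escaping turns it into inert text.

```python
import html
import re

# Constructed sample input: the payload quoted earlier in this bug, plus a
# second line so the nl2br behaviour is visible.
SAMPLE_DESCRIPTION = (
    '"><textarea><!-- </textarea><img src=1 onerror=alert("XSS")>'
    "\nsecond line"
)

# Matches the opening "<" of any tag and captures the tag name; used below
# as a demonstration-only heuristic, not as a sanitizer.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")
# Tags the template itself emits (hypothetical wrapper <p> plus nl2br's <br />).
TEMPLATE_TAGS = {"p", "br"}
NEWLINE_RE = re.compile(r"(\r\n|\r|\n)")


def nl2br(text: str) -> str:
    """Python stand-in for PHP's nl2br(): insert <br /> before every newline
    sequence while keeping the newline itself."""
    return NEWLINE_RE.sub(r"<br />\1", text)


def render_description_vulnerable(description: str) -> str:
    """The pattern this bug reports: the request parameter is placed between
    tags as-is, so any markup the user typed becomes part of the document."""
    return '<p class="description">' + nl2br(description) + "</p>"


def render_description_fixed(description: str) -> str:
    """The discussed fix: escape every HTML metacharacter first (no user
    markup survives), then apply nl2br so line breaks still render.
    Order matters: escaping after nl2br would neutralise the <br /> too."""
    return '<p class="description">' + nl2br(html.escape(description, quote=True)) + "</p>"


def foreign_tags(fragment: str) -> list:
    """Tag names present in the rendered fragment that the template did not
    emit itself. Non-empty means user-controlled markup reached the page."""
    found = {m.group(1).lower() for m in TAG_RE.finditer(fragment)}
    return sorted(found - TEMPLATE_TAGS)


if __name__ == "__main__":
    print("vulnerable:", foreign_tags(render_description_vulnerable(SAMPLE_DESCRIPTION)))
    print("fixed:     ", foreign_tags(render_description_fixed(SAMPLE_DESCRIPTION)))
    print(render_description_fixed(SAMPLE_DESCRIPTION))
```

Running it shows the vulnerable renderer passing the `textarea` and `img` tags straight through, while the fixed renderer emits only the template's own `<p>` and `<br />`; the payload text is still visible to readers, just as `&lt;img ...&gt;` rather than as an element. Escaping is applied to the whole value before nl2br, which is what makes the "no HTML, but still nl2br" outcome from the review discussion hold.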
I am unable to reproduce this bug on stage with the updated code from master. Recommend pushing the update to production ASAP.
Production has been updated and I am no longer able to reproduce the bug.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Attachment #634156 - Flags: review?(laura)
Attachment #634156 - Flags: feedback?(clouserw)
Awesome, but as I saw, this site is in the list of the bounty program.. so my issue is not valid?

Cheers!
Product: Websites → Websites Graveyard
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Group: websites-security