Bug 765170 - Persistent Cross Site Scripting (XSS) on Personas website
Status: Closed (RESOLVED FIXED)
Opened 12 years ago
Closed 12 years ago
Categories: Websites Graveyard :: getpersonas.com, defect
Tracking: Not tracked
People: Reporter: d3v1l.securityshell, Assigned: brandon
Keywords: sec-critical, wsec-xss
Attachments (2 files):
  100.91 KB, image/jpeg
  1.08 KB, patch
Description (Reporter)
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0
Build ID: 20120601045813

Steps to reproduce:
Log into the site ( https://www.getpersonas.com ) and try to Create Your Persona, add an XSS payload into Description, then click Submit.
See screenshots: http://i.imgur.com/NKTE9.jpg (another screen is attached).
btw: any news about https://bugzilla.mozilla.org/show_bug.cgi?id=754646 ? Cheers!
Updated•12 years ago
Assignee: nobody → mfuller
Comment 1•12 years ago
:marius, can you please include the exact code you used in the description field to reproduce your attached image. Thanks!
Comment 2•12 years ago (Reporter)
You mean the payload? If yes, check -> "><textarea><!-- </textarea><img src=1 onerror=alert("XSS")> Cheers
Comment 3•12 years ago
Thanks, status changed to confirmed. I'm attempting to locate the developer who maintains this code and I'll copy him in shortly.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•12 years ago
Keywords: sec-critical
Updated•12 years ago
Assignee: mfuller → bsavage
Comment 5•12 years ago (Assignee)
This patch resolves the issue (it is no longer reproducible). However, it's unclear if we allow users to enter HTML into the description field or not; if we do, then this patch won't work because it simply eliminates the ability to enter ANY HTML into the description field.
Attachment #634156 - Flags: review?(laura)
Attachment #634156 - Flags: feedback?(clouserw)
Comment 6•12 years ago
I think we added HTML so it would show up on AMO (which does filtering). I'm OK with preventing it on getpersonas assuming we still nl2br.
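A defensive illustration of the approach discussed in comments 5 and 6 (drop user-supplied HTML from the description but keep the nl2br line breaks), written as an added example for this page; it is not the Personas patch and assumes nothing about the site's real template. It uses the payload from comment 2 as constructed sample input and shows why the escape has to happen before the newline conversion.

```python
import html
import re

# Constructed sample input: the description payload quoted in comment 2.
PAYLOAD = '"><textarea><!-- </textarea><img src=1 onerror=alert("XSS")>'

_NEWLINE = re.compile(r"(\r\n|\n|\r)")
_OWN_BR = re.compile(r"<br />")


def render_description(text: str) -> str:
    """Escape the whole description, then turn newlines into <br />.

    Escaping first makes every user-supplied '<', '>', '"' and '&' inert,
    so the <br /> tags added afterwards are the only markup in the output.
    """
    escaped = html.escape(text, quote=True)
    # Same effect as PHP nl2br(): insert <br /> before each newline, keep the newline.
    return _NEWLINE.sub(r"<br />\1", escaped)


def render_description_wrong_order(text: str) -> str:
    """The tempting but wrong order: nl2br first, escape second.

    Still injection-safe, but the line breaks come out as literal
    '&lt;br /&gt;' text instead of rendering as breaks.
    """
    with_br = _NEWLINE.sub(r"<br />\1", text)
    return html.escape(with_br, quote=True)


def contains_foreign_markup(rendered: str) -> bool:
    """Regression check: True if any tag other than our own <br /> survives."""
    stripped = _OWN_BR.sub("", rendered)
    return "<" in stripped or ">" in stripped


def build_page(description: str) -> str:
    # Assumed (hypothetical) template: the value lands between block tags,
    # which is where comment 13 says the raw parameter used to be copied.
    return '<p class="description">' + render_description(description) + "</p>"


if __name__ == "__main__":
    print(build_page(PAYLOAD + "\nsecond line"))
    print("foreign markup:", contains_foreign_markup(render_description(PAYLOAD)))
```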
Comment 8•12 years ago
Without a second vulnerability that allows you to log someone else on as you, this flaw can't be used as an effective attack vehicle. We don't feel it qualifies for a bounty based on our current understanding.
Comment 9•12 years ago (Assignee)
It could potentially be used as an attack vehicle. An attacker could submit a persona, which has malicious code in it. That code could result in an approver approving it without their knowledge, and then additional malicious code could be used to attack users of the getpersonas website. There's a lot of "if's" in there, but it's certainly a possibility.
Comment 10•12 years ago (Reporter)
Brandon, you are right. And another issue that I saw is the Header and Footer image upload... there is the possibility to upload an image with JS XSS code inside the source. I could not bypass the filter but I uploaded the image... maybe it works on old versions of Internet Explorer... I am not sure. btw: the XSS still works! Regards!
Comment 11•12 years ago (Assignee)
This patch must be reviewed before it can be committed to the source code. Until it is reviewed, the XSS vulnerability will exist in production.
Comment 12•12 years ago
I'm on review, should be today.
Comment 13•12 years ago (Reporter)
This bug still works! The Description request parameter is still copied into the HTML document as plain text between tags, so it is still possible to inject arbitrary JavaScript into the application's response. Cheers!
Comment 14•12 years ago (Assignee)
I am unable to reproduce this bug on stage with the updated code from master. Recommend pushing the update to production ASAP.
Comment 15•12 years ago (Assignee)
Production has been updated and I am no longer able to reproduce the bug.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
Attachment #634156 - Flags: review?(laura)
Attachment #634156 - Flags: feedback?(clouserw)
Comment 16•12 years ago (Reporter)
Awesome, but as I saw, this site is in the list of the bounty program... so my issue is not valid? Cheers!
Updated•11 years ago
Product: Websites → Websites Graveyard
Comment 17•11 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Updated•9 years ago
Group: websites-security