Closed
Bug 769755
Opened 12 years ago
Closed 12 years ago
xss: people.mozilla.com
Categories
(Websites :: Other, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: curtisk, Unassigned)
site:people.mozilla.com

* SWF ClickTag XSS

https://people.mozilla.com/~jmuizelaar/CNN.com%20-%20Breaking%20News,%20U.S.,%20World,%20Weather,%20Entertainment%20&%20Video%20News_files/sitecnncnn_pagetypemaincnn_position300x100_bot2cnn_rolluphomepag/545417CNN_TVEverywhere_300x100_piers_child.swf?clickTag=javascript:alert("Mozilla Cookies:"%2Bwindow.opener.document.cookie)

https://people.mozilla.com/~jmuizelaar/CNN.com - Breaking News, U.S., World, Weather, Entertainment & Video News_files/sitecnncnn_pagetypemaincnn_position300x100_bot1cnn_rolluphomepag/192814belief_300x100.swf?clickTag=javascript:alert(1)

Both are Flash files that accept a clickTag parameter and pass it to the getURL function without any validation on it (only http, https URI). Clicking on the Flash will result in XSS (the URI is opened in a new window; by using window.opener.document it is possible to read cookies / run code from the people.mozilla.com domain).

SWFClickTagXSS.png

* Dom Based XSS

https://people.mozilla.com/~nhirata/html_tp/securepage.html

Fill in the input fields:
Username: javascript:alert(1)//
password: AAAA
Click "Login".

Vuln Code:

    var userFolder = ""; // Folder where userfile (e.g. PizzaMan127~Cheese.htm) is located (e.g "users/")
    var fullURL= "";
    fullURL= userFolder + username + "~" + password + HTMLextention; // compiled filename that loads user-file
    verifWin.document.location.href = fullURL; // tries to find user-file

Desc: the username from the input box is passed to location.href (userFolder is an empty string).

LoginXSS.png

* sessionStorage XSS

https://people.mozilla.com/~jbalogh/two.html

This page shows what data is stored in the sessionStorage object without HTML encoding.

SessionXSS.png

* File Upload XSS

https://people.mozilla.com/~jhammink/Upd/SimpleUpload.html

By selecting the filename "<img src=X onerror=alert(1)>.txt" (it is possible to create filenames like this in Linux OS) in the upload file dialog, HTML code is inserted into the page.

UploadXSS1.png
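A defensive counterpart to the ClickTag and login-form findings in the description, as an added example that is not part of the original report or of the affected pages: both cases hand an untrusted string to a navigation sink, so the check parses the value and allows only http(s). The function names, BASE and the example.test host are assumptions.

```javascript
// Added example; safeNavigationTarget, naiveUserFileUrl, buildUserFileUrl and
// BASE are hypothetical names, and example.test is a constructed host.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const BASE = "https://example.test/html_tp/securepage.html";

// For values meant to be complete click-through URLs (such as clickTag):
// parse first, then allow only http(s). Returns the normalized URL or null.
function safeNavigationTarget(candidate, base = BASE) {
  let url;
  try {
    // The URL parser trims whitespace, drops tabs/newlines and lowercases the
    // scheme, so " JaVa\tScRiPt:" is recognised where a prefix check is not.
    url = new URL(String(candidate), base);
  } catch (err) {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// "Before": the concatenation from the report. With an empty userFolder the
// username is the start of the string, so it can supply a scheme.
function naiveUserFileUrl(username, password, userFolder = "", ext = ".htm") {
  return userFolder + username + "~" + password + ext;
}

// "After": user input is encoded as a single path segment, resolved against
// the page URL, and the result must stay http(s) on the same origin.
function buildUserFileUrl(username, password, userFolder = "", ext = ".htm", base = BASE) {
  const file = encodeURIComponent(username) + "~" + encodeURIComponent(password) + ext;
  const url = new URL(userFolder + file, base);
  const sameOrigin = url.origin === new URL(base).origin;
  return sameOrigin && ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}
```

A caller assigns the returned value to the navigation sink only when it is not null.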
Comment 2•12 years ago
people.mozilla.org is for mozillians to upload random test stuff. It is not a site covered by the web bounty, and since files are not uploaded through a web interface there's really no value to an XSS on that site -- there's no auth to compromise. CC'ing the affected folks in case they want to clean up their junk.
Group: websites-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX