Closed Bug 769755 Opened 12 years ago Closed 12 years ago

xss: people.mozilla.com

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: curtisk, Unassigned)

References

Details

site:people.mozilla.com

* SWF ClickTag XSS
https://people.mozilla.com/~jmuizelaar/CNN.com%20-%20Breaking%20News,%20U.S.,%20World,%20Weather,%20Entertainment%20&%20Video%20News_files/sitecnncnn_pagetypemaincnn_position300x100_bot2cnn_rolluphomepag/545417CNN_TVEverywhere_300x100_piers_child.swf?clickTag=javascript:alert("Mozilla Cookies:"%2Bwindow.opener.document.cookie)

https://people.mozilla.com/~jmuizelaar/CNN.com - Breaking News, U.S., World, Weather, Entertainment & Video News_files/sitecnncnn_pagetypemaincnn_position300x100_bot1cnn_rolluphomepag/192814belief_300x100.swf?clickTag=javascript:alert(1)

Both are Flash files that accept a clickTag parameter and pass it to the getURL function without any validation on it (only http/https URIs).
Clicking on the Flash will result in XSS (the URI is opened in a new window; by using window.opener.document it is possible to read cookies / run code from the people.mozilla.com domain).

SWFClickTagXSS.png

* DOM Based XSS
https://people.mozilla.com/~nhirata/html_tp/securepage.html
fill in input fields:
Username:
javascript:alert(1)//
Password:
AAAA
click "Login".

Vuln Code:
    var userFolder = ""; // Folder where userfile (e.g. PizzaMan127~Cheese.htm) is located (e.g "users/")
    var fullURL= "";
    fullURL= userFolder + username + "~" + password + HTMLextention; // compiled filename that loads the user file
    verifWin.document.location.href = fullURL; // tries to find the user file

Desc: the username from the input box is passed to location.href (userFolder is an empty string).

LoginXSS.png

* sessionStorage XSS
https://people.mozilla.com/~jbalogh/two.html
This page shows the data stored in the sessionStorage object without HTML encoding.

SessionXSS.png

* File Upload XSS

https://people.mozilla.com/~jhammink/Upd/SimpleUpload.html

By selecting the filename "<img src=X onerror=alert(1)>.txt" (it is possible to create filenames like this on Linux) in the upload file dialog, HTML code is inserted into the page.

UploadXSS1.png

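A hardened version of the login redirect from the "DOM Based XSS" item, added here as an example that is not part of the bug report or of the affected pages: the user folder, the file extension and the allow-list pattern are assumptions. It restricts the user-supplied filename parts to an allow-list and only navigates to parsed http(s) URLs on the page's own origin, which is also the scheme check the Flash clickTag handlers in the first item lacked.

```javascript
// Added example (not from the bug report): the "Vuln Code" above builds a
// relative URL from raw form input and assigns it to location.href, so a
// username of "javascript:alert(1)//" becomes the navigation target.
// Two defensive checks: (1) restrict the user-supplied filename parts to an
// allow-list, and (2) only navigate to URLs whose parsed scheme is http(s)
// and whose origin matches the page.

const HTML_EXTENSION = ".htm";              // assumed value of HTMLextention
const USER_FOLDER = "users/";               // assumed non-empty folder
const SAFE_PART = /^[A-Za-z0-9_-]{1,64}$/;  // no "/", ":", "~", "." or "<"

// Build the user-file path, refusing anything outside the allow-list.
// Returns null instead of a URL when the input is unsafe.
function buildUserFileUrl(username, password) {
  if (!SAFE_PART.test(username) || !SAFE_PART.test(password)) {
    return null;
  }
  return USER_FOLDER + username + "~" + password + HTML_EXTENSION;
}

// Decide whether a URL may be assigned to location.href. The URL is resolved
// against the page's own base so relative paths are accepted, but any input
// that parses to a non-http(s) scheme or a foreign origin is rejected.
function isSafeNavigationTarget(target, base) {
  let parsed;
  try {
    parsed = new URL(target, base);
  } catch (e) {
    return false;                            // unparseable input
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return false;                            // javascript:, data:, vbscript:, ...
  }
  return parsed.origin === new URL(base).origin;
}

// Hardened replacement for the vulnerable block: returns the absolute URL
// that would be assigned to verifWin.document.location.href, or null if the
// navigation must be refused.
function resolveLoginTarget(username, password, base) {
  const rel = buildUserFileUrl(username, password);
  if (rel === null) return null;
  const abs = new URL(rel, base).href;
  return isSafeNavigationTarget(abs, base) ? abs : null;
}
```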
people.mozilla.org is for mozillians to upload random test stuff. It is not a site covered by the web bounty, and since files are not uploaded through a web interface there's really no value to an XSS on that site -- there's no auth to compromise.

CC'ing the affected folks in case they want to clean up their junk.
Group: websites-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX