Bug 780450 - Reflected XSS in http://people.mozilla.org/
Opened 12 years ago
Closed 8 years ago
Categories: mozilla.org :: Video, task
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: shai, Unassigned
Keywords: wsec-xss
Attachments: 1 file (137.42 KB, image/png)
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.60 Safari/537.1

Steps to reproduce:
http://people.mozilla.org/ contains a JWPlayer Flash component which is vulnerable to reflected XSS. Visit the following link:
http://people.mozilla.com/~nhirata/html_tp/post_files/player.swf#?&displayclick=link&link=javascript:javascript:alert%28%22XSS%22%29&linktarget=_self&file=blabla.flv

Actual results:
XSS Triggered.
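As an added illustration (this is not code from the report, and not JW Player's own ActionScript), the Python below pulls the flashvars out of the PoC URL's fragment and contrasts two ways of handling the `link` flashvar: a deny-list filter that strips one leading `javascript:` prefix, which the doubled `javascript:javascript:` in the payload slips past, and a scheme allow-list that only lets absolute http(s) URLs through. The prefix-stripping filter is an assumption introduced to show why that bypass shape works; it is not a statement about what JW Player actually did.

```python
"""Parse JW Player flashvars from a URL fragment and vet the `link` flashvar."""
from urllib.parse import parse_qs, urlsplit

# Constructed from the PoC URL in the bug report; the flashvars travel in the
# fragment after "#?" rather than in the query string.
POC_URL = (
    "http://people.mozilla.com/~nhirata/html_tp/post_files/player.swf"
    "#?&displayclick=link&link=javascript:javascript:alert%28%22XSS%22%29"
    "&linktarget=_self&file=blabla.flv"
)

SAFE_SCHEMES = ("http", "https")


def flashvars_from_fragment(url):
    """Return flashvars carried in the fragment as a dict (first value wins).

    parse_qs percent-decodes values, so %28%22XSS%22%29 becomes ("XSS").
    """
    fragment = urlsplit(url).fragment
    if fragment.startswith("?"):
        fragment = fragment[1:]
    pairs = parse_qs(fragment, keep_blank_values=True)
    return {key: values[0] for key, values in pairs.items()}


def naive_strip_filter(link):
    """Illustrative deny-list filter (assumption, NOT JW Player's real code):
    remove one leading 'javascript:' and pass the remainder through.

    The doubled prefix in the PoC defeats exactly this single-pass strip:
    one 'javascript:' is removed and a javascript: URL still comes out.
    """
    cleaned = link.strip()
    if cleaned.lower().startswith("javascript:"):
        cleaned = cleaned[len("javascript:"):]
    return cleaned


def allowlist_link(link):
    """Allow-list alternative: accept only absolute http(s) URLs and return
    None for everything else (javascript:, data:, vbscript:, relative paths).
    """
    candidate = link.strip()
    scheme = urlsplit(candidate).scheme.lower()
    if scheme not in SAFE_SCHEMES:
        return None
    return candidate


def is_exploit_attempt(url):
    """True when displayclick=link is paired with a link the allow-list rejects."""
    flashvars = flashvars_from_fragment(url)
    link = flashvars.get("link", "")
    if flashvars.get("displayclick") != "link" or not link:
        return False
    return allowlist_link(link) is None


if __name__ == "__main__":
    flashvars = flashvars_from_fragment(POC_URL)
    print("link flashvar:    ", flashvars["link"])
    print("after naive strip:", naive_strip_filter(flashvars["link"]))
    print("after allow-list: ", allowlist_link(flashvars["link"]))
    print("exploit attempt:  ", is_exploit_attempt(POC_URL))
```

The allow-list check is the one to keep: deciding on the parsed scheme means the filter never has to anticipate how an attacker will stack, encode or case the dangerous prefix.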
Comment 1•12 years ago
people is designed to be an "unsafe" filestorage / testing server. I've nominated the bug for bounty and we will get back to you on the qualification. nhirata: Do you still need JWPlayer or can you delete it from your public_html?
Assignee: nobody → nhirata.bugzilla
Status: UNCONFIRMED → NEW
Ever confirmed: true
B.T.W: There are two more Vulnerable JWPlayer components here: http://videos.mozilla.org/serv/air_mozilla/player.swf http://videos.mozilla.org/uploads/air_mozilla/player.swf
Comment 4•12 years ago
people.mozilla.org is not an eligible site. This is used for testing and personal accounts by Mozilla members and not as a production site.
Comment 5•11 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
http://people.mozilla.com/~nhirata/html_tp/post_files/player.swf#?&displayclick=link&link=javascript:javascript:alert%28%22XSS%22%29&linktarget=_self&file=blabla.flv
The player.swf was removed from my directory.
Assignee: nhirata.bugzilla → nobody
Updated•11 years ago
Flags: sec-bounty-
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED