Closed Bug 849951 Opened 13 years ago Closed 12 years ago

Orange Factor xss brasstacks.mozilla.com

Categories

(Tree Management Graveyard :: OrangeFactor, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: insecurity.ro, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [site:brasstacks.mozilla.com])

Attachments

(3 files)

Assigning to rforbes for verification.
Assignee: nobody → rforbes
Whiteboard: [verif?]
I'm not seeing this reliably on latest released Firefox nor Nightly on OS X; it happened once, but some time after the page loaded, and I'm not sure what I did to trigger it. However it does happen every time on Safari. A shorter URL which still triggers the problem is http://brasstacks.mozilla.com/orangefactor/?includefiltertype=quicksearch&includefilterdetailsquicksearch=;alert%28String.fromCharCode%2888,83,83%29%29//%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;%20alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//--%20%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E I'm investigating this now.
Group: core-security → websites-security
Confirmed, this is working for me.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: rforbes → nobody
Flags: sec-bounty?
Whiteboard: [verif?]
brasstacks is not on our list of eligible sites, it's an internal testing server.
Flags: sec-bounty? → sec-bounty-
Whiteboard: [site:brasstacks.mozilla.com]
In the end, really dumb and simple.
Assignee: nobody → mcote
Status: NEW → ASSIGNED
Attachment #733730 - Flags: review?(emorley)
Attachment #733730 - Flags: review?(emorley) → review+
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Could I get confirmation that this is properly fixed?
Flags: needinfo?(rforbes)
Actually this isn't quite right. It should use encodeURIComponent() on individual GET-variable names and values to take care of characters like &.
Status: RESOLVED → REOPENED
Flags: needinfo?(rforbes)
Resolution: FIXED → ---
This encodes every GET arg separately with encodeURIComponent(), which, unlike encodeURI(), encodes '&', without which our args can get messed up.
Attachment #733912 - Flags: review?(emorley)
Attachment #733912 - Flags: review?(emorley) → review+
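The two comments above describe the difference between the first and second fix: running the whole query string through encodeURI() leaves '&' and '=' untouched, so a value that contains them is split into extra arguments when the page reads it back, while encodeURIComponent() applied to each name and value separately keeps every argument intact. The following is an added example written for this page, not OrangeFactor's own code; the parameter names are taken from the reporter's URL, but the sample value, the parser and the function names are constructed for illustration.

```javascript
// Added example, not OrangeFactor's code: rebuilding a query string from
// GET arguments two ways. buildWithEncodeURI mirrors the first, insufficient
// fix (whole string through encodeURI); buildWithComponents mirrors the
// second fix (each name and value through encodeURIComponent).

function buildWithEncodeURI(params) {
  // Joins raw names and values first, then encodes the whole string.
  // encodeURI() deliberately leaves URL delimiters such as '&', '=', ';'
  // and '/' alone, so a value containing '&' or '=' is not protected.
  const raw = Object.entries(params).map(([k, v]) => `${k}=${v}`).join('&');
  return encodeURI(raw);
}

function buildWithComponents(params) {
  // Encodes each name and value on its own; '&' becomes %26, '=' becomes %3D,
  // so the delimiters inserted here are the only ones in the result.
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// Minimal query-string parser of the kind a page might run over location.search
// (hypothetical helper, written for this example).
function parseQuery(qs) {
  const out = {};
  for (const part of qs.split('&')) {
    if (!part) continue;
    const i = part.indexOf('=');
    const k = i === -1 ? part : part.slice(0, i);
    const v = i === -1 ? '' : part.slice(i + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return out;
}

// Constructed sample input: a quicksearch value that contains '&', '=',
// a double quote and angle brackets, the characters a reflected-XSS probe uses.
const SAMPLE = {
  includefiltertype: 'quicksearch',
  includefilterdetailsquicksearch: 'a&b=c"><script>alert(1)</script>',
};

// Round-trips SAMPLE through each builder and returns the parsed result,
// so the two behaviours can be compared side by side.
function roundTrip() {
  return {
    viaEncodeURI: parseQuery(buildWithEncodeURI(SAMPLE)),
    viaComponents: parseQuery(buildWithComponents(SAMPLE)),
  };
}
```

With encodeURI() the parsed result has three arguments and the quicksearch value has been truncated to "a"; with encodeURIComponent() both arguments come back exactly as they were put in. Note that encodeURIComponent() is URL encoding only: it leaves characters such as ' ( ) ! ~ * unencoded, so a value that is later written into HTML or a script block still needs HTML escaping at that point.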
Pushed and deployed. Looking for confirmation again. :) http://hg.mozilla.org/automation/orangefactor/rev/6c416e5c0181
Status: REOPENED → RESOLVED
Closed: 12 years ago
Flags: needinfo?(rforbes)
Resolution: --- → FIXED
Flags: needinfo?(rforbes)
Product: Testing → Tree Management
Opening bug since this was fixed 2.5 years ago.
Group: websites-security
Product: Tree Management → Tree Management Graveyard