Closed Bug 885487 Opened 12 years ago Closed 12 years ago

Reflected Cross Site Scripting in Webmaker.org (https://thimble.webmaker.org)

Categories

(Webmaker Graveyard :: Thimble, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 765340

People

(Reporter: krutarth.ce, Unassigned)

Details

(Keywords: reporter-external, wsec-xss, Whiteboard: [site:thimble.webmaker.org][reporter-external])

Attachments

(1 file)

Attached image xss3.png
User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release)
Build ID: 20130511120803

Steps to reproduce:

Actual Vulnerable URL: https://thimble.webmaker.org/project/633/edit
Add "><img src=x onerror=alert("XSS3!")> in body tag in editor.
Payload: "><img src=x onerror=alert("XSS3!")>

Actual results:

Script is injected in page.

Expected results:

There is prevention for JavaScript execution, but it seems certain tags are not filtered properly; the editor should encode the characters or block all JavaScript events.
Component: Web Site → Thimble
Keywords: wsec-xss
Product: Mozilla Services → Webmaker
If I reload that URL, I don't see the script tag in action: http://dl.dropbox.com/u/4403845/Screenshots/80.png I think this is self-XSS only.
This is a duplicate of bug 765340. The design of Thimble allows arbitrary JavaScript code when developing the page. However, this code is stripped out on the published page.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Flags: sec-bounty-
Resolution: --- → DUPLICATE
Whiteboard: [site:thimble.webmaker.org][reporter-external]
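
The split described in the closing comment (script allowed while editing, removed from the published page) can be illustrated with a publish-time allowlist filter run against the reported payload. This is an added example, not Thimble's code or anything from the bug; the allowlists and the names `PublishSanitizer`, `url_is_safe` and `sanitize_for_publish` are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for illustration; the real publish filter is not shown on this page.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "h1", "h2", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"img", "br"}
DROP_WITH_CONTENT = {"script", "style"}

def url_is_safe(value):
    # Strip whitespace/control characters that browsers ignore when parsing a URL.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    scheme = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    return scheme is None or scheme.group(1).lower() in ("http", "https")

class PublishSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        allowed = ALLOWED_ATTRS.get(tag, ())
        # Anything not allowlisted (onerror, onclick, style, ...) is dropped.
        kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                if n in allowed and (n not in URL_ATTRS or url_is_safe(v or ""))]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped

def sanitize_for_publish(html_text):
    parser = PublishSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

Running the payload from this report through `sanitize_for_publish` keeps the image tag but drops the `onerror` handler, which is the published-page behaviour the comment describes.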