assigned to paul to verify
cc:ing Ricky so he sees this bug as it progresses.
If you need a V.P.o.C, I will upload the video in case you can't reproduce the vulnerability. Regards, Darius Petrescu
I can reproduce this bug as described above. However, I don't think this is actually exploitable due to the presence of a CSRF token. I don't have time to test this further today, but Darius, if you want to help, what would be very interesting to me is trying to create an actual exploit for this issue. I.e. create the web page that actually exploits this issue that an attacker would get the victim to visit. In my brief testing, I wasn't able to do this. Since it isn't possible to know the victim's valid CSRF token, the request induced by the attacker will result in a 403 Forbidden response, instead of the XSS code being run. So while this is more or less zero risk currently, we probably want to fix this anyways, since there may well be ways to exploit this issue. That is, the _to_ field should be sanitized to remove the risk entirely. PS I tested this on staging - https://support.allizom.org/en-US/messages/new?to=ptheriault Darius, thanks for your help, and please use our staging instance if you are doing further testing - this has the latest code, and it doesn't matter if you create test data etc. there.
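The comment above recommends sanitizing the `to` field so the reflected value can never carry markup, regardless of whether a CSRF token happens to block cross-site delivery. The following is an added illustration of that defence, written for this thread; it is not code from kitsune or from the commit referenced later in the bug. The function names, the username pattern and the sample inputs are assumptions.

```python
import html
import re

# Assumed username policy for the recipient field: letters, digits, dot,
# underscore and hyphen, 1-30 characters. Kitsune's real rule may differ.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,30}$")


def validate_recipient(to):
    """Return the username if the `to` parameter is well-formed, else None.

    Allow-listing the shape of the value is the primary defence: anything
    containing markup, quotes or whitespace never reaches the template.
    """
    if to is None:
        return None
    to = to.strip()
    if not USERNAME_RE.match(to):
        return None
    return to


def render_recipient_field(to):
    """Build the HTML for the pre-filled recipient input.

    Even after validation the value is HTML-escaped, so a later relaxation
    of the username policy cannot reintroduce reflected script injection.
    Invalid values render an empty field instead of echoing the input.
    """
    user = validate_recipient(to)
    value = html.escape(user, quote=True) if user else ""
    return '<input type="text" name="to" value="%s">' % value


def render_escaped_only(to):
    """Escaping alone, without the allow-list, for comparison.

    This is the minimum that stops the reflected value from breaking out of
    the attribute; the allow-list above additionally keeps junk out of the
    recipient field entirely.
    """
    return '<input type="text" name="to" value="%s">' % html.escape(to or "", quote=True)


if __name__ == "__main__":
    # Constructed inputs: a normal username and a tag-bearing value of the
    # kind the bug report describes being reflected into the page.
    for sample in ("ptheriault", '"><b>injected</b>'):
        print(render_recipient_field(sample))
        print(render_escaped_only(sample))
```

Running the module prints the rendered input for each constructed sample; the tag-bearing value yields an empty field under the allow-list and an inert, escaped attribute under escaping alone.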
I see it can't be exploitable (by me)! I can't make something ... Can you tell me which is your last decision? This bug can be eligible for a reward? But for a SELF XSS I don't think it is. Thank you Paul and have a nice day. PS This is my first bug reported, and not so good :( Regards, Darius
Sorry for responding late here. I appreciate any security work done on SUMO. It makes our users safer. Even though this particular issue doesn't seem to be exploitable, I really appreciate you pointing it out. I'll try to get it fixed soon. Thank you!
(In reply to Darius Petrescu from comment #5)
> I see it can't be exploitable (by me)!
> I can't make something ... Can you tell me which is your last decision?
> This bug can be eligible for a reward? But for a SELF XSS I don't think it
> is.
> Thank you Paul and have a nice day.
>
> PS This is my first bug reported, and not so good :(
>
> Regards,
> Darius
Regarding bounty, support.mozilla.org is not covered by the bounty program. (see http://www.mozilla.org/security/bug-bounty-faq-webapp.html) Sometimes we might pay for high risks or extraordinary issues on a case by case basis, but I don't think this is such a case.
Paul: Are you still working on this bug? I'm waiting for you to finish up whatever you need to do with it so then I can grab it and fix it.
All yours - I was only assigned for verification.
Grabbing to fix today.
Landed in master in https://github.com/mozilla/kitsune/commit/8d411f2 We don't push on Fridays, so I'll make sure this gets pushed out and mark the bug FIXED on Monday.
Oops--I forgot to mark this as FIXED. Pretty sure we pushed this out September 30th.
Adding whiteboard sprint data.
These bugs are all resolved, so I'm removing the security flag from them.