Closed Bug 938209 Opened 12 years ago Closed 12 years ago

XSS in tags for webmaker.org

Categories

(Webmaker Graveyard :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: curtisk, Assigned: michiel)

References

Details

(Keywords: reporter-external, sec-high, wsec-xss, Whiteboard: [site:webmaker.org][reporter-external])

Date: Tue, 12 Nov 2013 19:20:03 +0100
Subject: Re: Web Security Bug Bounty - Cross site scripting XSS
From: Fraph core <fraphcore@gmail.com>
To: Mozilla Security <security@mozilla.org>

-----//-----

Web Security Bug Bounty - Cross site scripting XSS

Clear demonstration. Steps to produce.

1. You register at -> https://webmaker.org/
2. A Remix project.
3. Click Publish. -> Add vector in labels.
4. When you add a vector in labels is running.

Zone: Mozilla - Webmaker
Type of vulnerability: Stored Cross site scripting (XSS)
Target: https://thimble.webmaker.org/
Vulnerability Scope: Medium

Screen shots.

Author: Jose Pino (Fraph)
Twitter: @Fr4phc0r3
Independent Security Researcher
confirmed, including more precise repro steps ::

Summary: Tags can be entered into webmaker projects that when another user remixes the project an xss attack is possible

Steps to reproduce:

1) Log into https://webmaker.org and find a project to remix or create a new project.
2) Click the blue "Publish" button to publish the project. This opens the door hanger for the publish box.
3) In the "Tags" for the project add this as a tag (include leading quote) "><img src=x onerror=x.onerror=prompt(/XSS/.source)>
4) Click the green "Publish" button in the door hanger, an alert box will appear
5) Note the url of the published site (in this case https://curtisk.makes.org/thimble/book-cover)
6) Send url to another user and have them remix the project.
7) When the second user goes to publish the project the alert box appears.

Result: Tags with script elements are evaluated

Expected Result: Tags with script elements should be scrubbed or not executed
Assignee: curtisk → nobody
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty?
Keywords: wsec-xss
Whiteboard: [site:webmaker.org][reporter-external][verif?] → [site:webmaker.org][reporter-external]
I should have mentioned that I used 2 different persona accounts to confirm this, created in one and remixed in another and got the alert box in both accounts.
See Also: → 938109
Is that you have not understood that it is a stored XSS vulnerability, please. I have already sent many demos i think it is impossible to not understand. Please i hope Prompt replies. My mail: fraphcore@gmail.com
(In reply to fraphcore from comment #3)
> Is that you have not understood that it is a stored XSS vulnerability,
> please. I have already sent many demos i think it is impossible to not
> understand. Please i hope Prompt replies.
>
> My mail: fraphcore@gmail.com

We understand the vulnerability, we're investigating how it's occurring and whether this is allowed behavior in this area or not.
Ok. I hope prompt replies.
We'll be fixing this by securing the user input in both the tools as well as when the data endpoint accepts the data. Individual tickets are getting filed for this.
Assignee: nobody → pomax
Status: NEW → ASSIGNED
Responding when this is resolved, please.
resolved through work in https://bugzilla.mozilla.org/show_bug.cgi?id=938424, which patches the makeapi to sanitize both incoming, and already stored, tags.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
(In reply to Mike "Pomax" Kamermans [:pomax] from comment #8)
> resolved through work in
> https://bugzilla.mozilla.org/show_bug.cgi?id=938424, which patches the
> makeapi to sanitize both incoming, and already stored, tags.

While there's nothing wrong with stripping unexpected characters from user supplied input, I'd prefer we do something else; the correct fix here is to ensure the output is correctly encoded. In this case, the output should be entity encoded. This ensures 2 things happen:

1) If we have cause to change the app to accept different characters we can do this without breaking things
2) We make it less likely that omissions in our character blacklist (or mistakes in the regex that's used to sanitize) result in vulnerability.

Please see our secure coding guidelines for more information: https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Output_Encoding
I've added character escaping to Popcorn Maker and Thimble's tag displaying code, and deployed it to staging and production servers. That should mitigate the attack. The MakeAPI has also been updated to filter out unsafe chars from tags, even if URI encoded. fraphcore: Thank you for reporting this issue!
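The two layers described in comment 9 (entity-encode tag text where it is displayed) and comment 10 (the MakeAPI stripping unsafe characters, even when URI encoded) can be shown side by side. The following is an added example written for this page, not Webmaker, Thimble or MakeAPI code; the allowed tag character set in `sanitizeTag` and the `<span class="tag">` wrapper are assumptions, and the sample tag is the payload quoted in comment 1, used here only to show that both layers leave it inert.

```javascript
// Added example (not project code): output encoding of tags at display time,
// plus an allowlist filter at the storage API, as defense in depth.

// Output layer: map every HTML-significant character to an entity, so tag
// text can never close the wrapper element or start a new one.
const ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
};
function encodeForHtml(text) {
  return String(text).replace(/[&<>"'/]/g, (ch) => ENTITY_MAP[ch]);
}

// The pattern the bug describes: raw tag text interpolated into markup.
function renderTagsUnsafe(tags) {
  return tags.map((t) => `<span class="tag">${t}</span>`).join('');
}

// Fixed rendering: same markup, tag text encoded on output.
function renderTagsSafe(tags) {
  return tags.map((t) => `<span class="tag">${encodeForHtml(t)}</span>`).join('');
}

// Storage layer (hypothetical MakeAPI-style filter): decode a URI-encoded
// value first so "%3C" cannot smuggle "<" past the filter, then keep only
// characters from an assumed allowlist. Rejecting instead of stripping is
// an equally valid choice; stripping matches what comment 10 describes.
function sanitizeTag(raw) {
  let tag = String(raw);
  try {
    tag = decodeURIComponent(tag);
  } catch (e) {
    // Malformed %-sequence: keep the raw text; the allowlist handles the rest.
  }
  return tag.replace(/[^A-Za-z0-9 _-]/g, '').trim();
}

// Simple detector for the demo: any element other than the wrapper span
// in rendered output means tag text broke out of its context.
function containsInjectedMarkup(html) {
  return /<(?!\/?span\b)[a-zA-Z]/.test(html);
}

// Constructed input: the stored tag from comment 1 of this bug.
const STORED_TAG = '"><img src=x onerror=x.onerror=prompt(/XSS/.source)>';

function demo() {
  return {
    unsafeLeaks: containsInjectedMarkup(renderTagsUnsafe([STORED_TAG])),  // true
    safeLeaks: containsInjectedMarkup(renderTagsSafe([STORED_TAG])),      // false
    encoded: encodeForHtml(STORED_TAG),
    stored: sanitizeTag(STORED_TAG),
    storedUriEncoded: sanitizeTag(encodeURIComponent(STORED_TAG)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}

module.exports = { encodeForHtml, renderTagsUnsafe, renderTagsSafe, sanitizeTag, containsInjectedMarkup, demo };
```

Note the ordering that comment 9 argues for: the output encoder is the control that actually prevents execution, because it is independent of which characters the API happens to accept; the input filter only reduces what reaches storage. Run the file with `node` to see both layers applied to the stored tag.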
And the reward about the bug bounty program. I hope prompt replies. Please!
(In reply to fraphcore from comment #11)
> And the reward about the bug bounty program.
> I hope prompt replies. Please!

That generally takes some time, the bug still needs to be classified. To be eligible for a bounty it must rate a high or critical. Once rated the bounty committee will consider it and make a determination as to pay out or not and amount. We ask that you be patient as this process happens, it generally takes at least a few weeks and with the holiday season starting in the US it may slow this time line down a bit.
I hope prompt replies. Please!
Rating this sec-low because there is nothing of value on makes.org -- we specifically host user generated content on this site with no logins and only public data so that there is nothing to attack. Thank you for reporting this vulnerability, it is not the intended behavior even if not particularly dangerous on this particular site. If your primary investigative motivation is to earn bug bounties I encourage you to stick to the domains that are officially part of the program. At the moment Webmaker and related sites are not. http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs
Flags: sec-bounty? → sec-bounty-
Keywords: sec-low
It seems unfair that after so many days of work, I give this answer! -_- Full disclosure.
I believe this had the potential to get out of makes.org as all the other checks we do for sanitation were not scrubbing this particular item. If this had been limited like the other items this would not have been worth patching. Given this I think the bug should be upgraded in severity and I am renominating it for consideration.
Flags: sec-bounty- → sec-bounty?
So the issue is that the tag would introduce an XSS into anyone else who remixed the project and did not remove the tag with the xss code.
Flags: sec-bounty? → sec-bounty+
Keywords: sec-low → sec-high
Group: websites-security