Stored XSS, XSRF and directory listing

Status: RESOLVED WONTFIX
Product: Websites
Component: other.mozilla.org
Reported: 4 years ago
Modified: 3 years ago

People

(Reporter: Shpend K., Unassigned)

Tracking

Version: unspecified
Bug Flags: sec-bounty -

Details

(Whiteboard: [site:people.mozilla.org][reporter-external])

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
Created attachment 8346509: people-mozilla-org-stored-xss.png

User Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Steps to reproduce:

1. Go to http://people.mozilla.org/~mwobensmith/private_browsing/set_flash_cookie.html
2. In the input field type: <img src=x onerror=prompt(document.domain)>
3. Go to http://people.mozilla.org/~mwobensmith/private_browsing/get_flash_cookie.html
4. Click on "Click here to retrieve Flash cookie."


Actual results:

You will see a prompt message with the domain name, which indicates that the cookie was reflected back as HTML.


Expected results:

The cookie should have been HTML-encoded before being reflected back to the user.

(Reporter)

Comment 1

4 years ago
Also, you could use a CSRF attack to send the JS payload to the victim without having them actually click on "create cookie".

Third, directory listing is enabled here: http://people.mozilla.org/~mwobensmith/private_browsing/
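The sink the reporter describes, shown as an added example rather than code from the people.mozilla.org test page (its source is not in this bug): the retrieved Flash cookie value is spliced into markup by string concatenation, so the `<img onerror>` payload from step 2 becomes live HTML. The assumption here is that get_flash_cookie.html builds its output that way; the template text, the `escapeHtml` helper and the `containsInjectedTag` check are illustrative and not from the original page. The same encoding is what the "Expected results" ask for, and it is what removes the value of the CSRF variant in Comment 1, since a cookie that is encoded on output cannot execute however it was planted.

```javascript
// Constructed sample input: the exact payload from step 2 of the report.
const PAYLOAD = '<img src=x onerror=prompt(document.domain)>';

// Vulnerable rendering (assumed shape of the test page): the cookie value is
// concatenated into markup verbatim, so any tag in it is parsed as HTML.
function renderUnsafe(cookieValue) {
  return '<p>Your Flash cookie is: ' + cookieValue + '</p>';
}

// Minimal HTML entity encoder, safe for element text and double-quoted
// attribute values. Encoding & first avoids double-encoding later entities.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed rendering: the value is encoded before it touches the markup.
// In a real page the equivalent is `element.textContent = cookieValue`
// instead of assigning to innerHTML or document.write()-ing the string.
function renderSafe(cookieValue) {
  return '<p>Your Flash cookie is: ' + escapeHtml(cookieValue) + '</p>';
}

// Review-time check: does the rendered HTML contain any tag that is not part
// of the template? The template only ever emits <p> and </p>, so anything
// else came from the untrusted value.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.some((t) => !/^<\/?p>$/i.test(t));
}

// Stand-alone demonstration of both paths on the reported payload.
function demo() {
  const unsafe = renderUnsafe(PAYLOAD);
  const safe = renderSafe(PAYLOAD);
  console.log('unsafe:', unsafe, '-> injected tag:', containsInjectedTag(unsafe));
  console.log('safe:  ', safe, '-> injected tag:', containsInjectedTag(safe));
  return { unsafe, safe };
}

demo();
```

Running it shows the unsafe output carrying a second `<img ...>` tag while the safe output carries only `&lt;img ... &gt;` text. The `containsInjectedTag` check is deliberately crude (it is a regex over a known template, not an HTML parser) and is meant for spotting this class of sink in test pages, not as a sanitizer.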

The people domain is where Mozilla folks go to experiment with things (sometimes risky things) and the public_html folders of each user are world readable by default and on purpose. As such these sites aren't eligible for the bounty program and the issues you are reporting are known and purposeful.
Group: websites-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Flags: sec-bounty-
Resolution: --- → WONTFIX
Whiteboard: [site:people.mozilla.org][reporter-external]

Updated

4 years ago
Component: General → other.mozilla.org
Product: www.mozilla.org → Websites