Created attachment 8346509: people-mozilla-org-stored-xss.png

User Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Steps to reproduce:

1. Go to http://people.mozilla.org/~mwobensmith/private_browsing/set_flash_cookie.html
2. In the input field type: <img src=x onerror=prompt(document.domain)>
3. Go to http://people.mozilla.org/~mwobensmith/private_browsing/get_flash_cookie.html
4. Click on "Click here to retrieve Flash cookie."

Actual results:

You will see a prompt message with the domain name, which indicates that the cookie was reflected back as HTML.

Expected results:

The cookie should have been HTML encoded before being reflected back to the user.
Also, you could use a CSRF attack to send the JS payload to the victim without having them actually click on create cookie. Third, there is directory listing enabled here: http://people.mozilla.org/~mwobensmith/private_browsing/
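The fix the report asks for (entity-encoding the stored cookie value before it is written back into the page) looks like this. This is an added example, not code from the test page or from Mozilla; the helper names and the assumption that the retrieval page receives the raw cookie value as a string are mine.

```javascript
// Added example (not the reporter's or Mozilla's code). Assumes the retrieval
// page hands us the raw Flash cookie value as a string; escapeHtml,
// renderCookieUnsafe, renderCookieSafe and containsRawTag are hypothetical names.

// Constructed sample: the payload from step 2 of the report.
const SAMPLE_COOKIE = '<img src=x onerror=prompt(document.domain)>';

// Encode the five characters that let data break out of an HTML text node
// or a quoted attribute value. '&' goes first so nothing is double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the cookie value is concatenated straight into markup,
// so a stored <img onerror=...> becomes live HTML once assigned to innerHTML.
function renderCookieUnsafe(cookieValue) {
  return '<p>Flash cookie value: ' + cookieValue + '</p>';
}

// Hardened pattern: same markup, but the value is entity-encoded first, so the
// browser renders the literal text instead of parsing a tag.
function renderCookieSafe(cookieValue) {
  return '<p>Flash cookie value: ' + escapeHtml(cookieValue) + '</p>';
}

// Detection helper: does an <img ...> start tag survive in the output?
function containsRawTag(html) {
  return /<img\b/i.test(html);
}

// Returns true only when the safe renderer neutralises the sample payload
// while the unsafe one passes it through unchanged.
function demo() {
  return containsRawTag(renderCookieUnsafe(SAMPLE_COOKIE)) &&
         !containsRawTag(renderCookieSafe(SAMPLE_COOKIE));
}
```

When writing into the live DOM, assigning the value with `element.textContent` instead of building an HTML string avoids the need to escape at all.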
The people domain is where Mozilla folks go to experiment with things (sometimes risky things), and the public_html folders of each user are world readable by default and on purpose. As such, these sites aren't eligible for the bounty program, and the issues you are reporting are known and purposeful.