Closed
Bug 952077
Opened 10 years ago
Closed 10 years ago
XSS on gpg.mozilla.org
Categories: Cloud Services :: General, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People
(Reporter: whitehat, Assigned: kang)
Details
(Keywords: sec-low, wsec-xss, Whiteboard: [site:gpg.mozilla.org][reporter-external] old IE only?)
Attachments (1 file): 86.53 KB, image/png
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release)
Build ID: 20131112160018

Steps to reproduce:
Scanned subdomains of mozilla.org. Found about gpg.mozilla.org.

Actual results:
Scanned it and found XSS on /pks/lookup/undefined1<ScRiPt>prompt(972363)</ScRiPt>

Expected results:
Screen PopupAlert
assigned to rforbes for verif, this looks like a scanner false positive to me. I took a quick look at the url in question and I don't see a way for this to be exploited.
Assignee: nobody → rforbes
Flags: sec-bounty?
Whiteboard: Haris Mamoun → [site:gpg.mozilla.org][reporter-external][verif?]
Updated•10 years ago
Flags: needinfo?(rforbes)
Comment 4•10 years ago
Modern browsers escape the request so the reflected page does not contain an XSS attack. Using command-line tools like curl or maybe old versions of IE don't do this escaping so it can look like a successful attack. Joe: who stood up this server? I'm guessing someone in your team, but the real bug (such as it is) is almost certainly in the upstream SKS code. Maybe there's a newer version, or maybe they've got a fix.
Assignee: rforbes → jstevensen
Flags: needinfo?(rforbes)
Whiteboard: [site:gpg.mozilla.org][reporter-external][verif?] → [site:gpg.mozilla.org][reporter-external] old IE only?
Updated•10 years ago
Assignee: jstevensen → gdestuynder
Comment 5 (assignee)•10 years ago
We're currently running the SKS keyserver version 1.1.4 (latest) and using the default page. Thus, the issue most likely exists in the upstream SKS code indeed (https://bitbucket.org/skskeyserver/sks-keyserver/). I did not find any public issue on the matter in their issue tracker (https://bitbucket.org/skskeyserver/sks-keyserver/issues?q=xss for example).
Comment 6 (assignee)•10 years ago
The output appears to be sanitized by the server, thus I believe there is no actual issue. rforbes, can you confirm?
Flags: needinfo?(rforbes)
Comment 7 (assignee)•10 years ago
Turns out it's not sanitized :)

    curl "http://gpg.mozilla.org//pks/lookup/undefined1<ScRiPt>prompt(972363)</ScRiPt>"

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" >
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title>Page not found</title>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
    <style type="text/css">
    /*<![CDATA[*/
    .uid { color: green; text-decoration: underline; }
    .warn { color: red; font-weight: bold; }
    /*]]>*/
    </style></head><body><h1>Page not found</h1>Page not found: //pks/lookup/undefined1<ScRiPt>prompt(972363)</ScRiPt></body></html>
Flags: needinfo?(rforbes)
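As an added illustration (not code from this bug, from SKS, or from Mozilla), the following Python models the three situations discussed in comments 4 and 7: a "Page not found" handler that interpolates the request path into HTML verbatim, the same handler with HTML entity escaping (the server-side fix a patched keyserver needs), and a percent-encoding step that approximates what a modern browser does to `<` and `>` in a URL path before the request leaves the client, which is why the PoC only fires from curl or an old client against the unpatched server. The function names, the page template and the browser safe-character set are assumptions; the probe path is the one from the report.

```python
import html
import re
from urllib.parse import quote

# The path from the report (the reporter's payload). The template below is a
# constructed stand-in for the SKS "Page not found" body, not SKS's own code.
PROBE_PATH = "//pks/lookup/undefined1<ScRiPt>prompt(972363)</ScRiPt>"

TEMPLATE = (
    "<html><head><title>Page not found</title></head>"
    "<body><h1>Page not found</h1>Page not found: {path}</body></html>"
)


def render_not_found(path: str, escape_output: bool) -> str:
    """Render the error page.

    escape_output=False interpolates the request path verbatim, reproducing
    the reflected XSS shown in comment 7. escape_output=True entity-encodes
    every HTML metacharacter, so the path can only ever render as text.
    """
    shown = html.escape(path, quote=True) if escape_output else path
    return TEMPLATE.format(path=shown)


def browser_request_path(raw_path: str) -> str:
    """Approximate what a modern browser sends on the wire when a URL with a
    raw '<' or '>' in its path is typed or clicked: characters outside the
    RFC 3986 path character set are percent-encoded client-side. The exact
    safe set differs slightly between browsers; this set is an assumption
    that keeps '/' and the usual sub-delims intact and encodes '<' and '>'.
    """
    return quote(raw_path, safe="/:@!$&'()*+,;=-._~")


def reflects_raw_script_tag(page: str) -> bool:
    """Triage heuristic: does the response body contain a literal
    <script ...> opening tag (case-insensitive)? A percent-encoded
    (%3Cscript) or entity-encoded (&lt;script) tag does not count."""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


def triage(raw_path: str) -> dict:
    """Compare the scenarios a triager wants side by side:
    unpatched server reached with curl, unpatched server reached from a
    browser, and a server that escapes its output."""
    return {
        "unescaped_server_curl": reflects_raw_script_tag(
            render_not_found(raw_path, escape_output=False)),
        "unescaped_server_browser": reflects_raw_script_tag(
            render_not_found(browser_request_path(raw_path),
                             escape_output=False)),
        "escaped_server_curl": reflects_raw_script_tag(
            render_not_found(raw_path, escape_output=True)),
    }


if __name__ == "__main__":
    for name, exploitable in triage(PROBE_PATH).items():
        state = "script tag reflected" if exploitable else "not reflected"
        print(f"{name}: {state}")
    print(render_not_found(PROBE_PATH, escape_output=True))
```

The "browser" case coming back clean is a property of the client, not a control: curl, older IE, non-browser HTTP clients, or any other path that delivers raw metacharacters to the server still get the tag reflected, which is why the unescaped server is the real defect and output escaping (the `escape_output=True` branch) is the fix, not reliance on client-side URL encoding.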
Comment 8 (assignee)•10 years ago
Forwarded upstream with credit https://bitbucket.org/skskeyserver/sks-keyserver/issue/26/unfiltered-xss
Updated•10 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•10 years ago
Comment 10•10 years ago
I guess if the upstream bug is available in public we don't need to hide our version here.
Comment 11•10 years ago
This is sec-low so not qualified for a bounty.
Flags: sec-bounty? → sec-bounty-
Comment 12 (assignee)•10 years ago
CVE issued by upstream: CVE-2014-3207
Comment 13 (assignee)•10 years ago
New version released (1.1.5) and slated for upgrade on gpg.mozilla.org (as per blocking bug)
Comment 14 (assignee)•10 years ago
1.1.5 running, and verified the PoC doesn't work.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED