Status

Cloud Services
General
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: Haris, Assigned: kang)

Tracking

({sec-low, wsec-xss})

unspecified
sec-low, wsec-xss
Points:
---
Dependency tree / graph
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [site:gpg.mozilla.org][reporter-external] old IE only?)

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
Created attachment 8350003 [details]
mozzila.png

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release)
Build ID: 20131112160018

Steps to reproduce:

Scanned subdomains of mozilla.org
Found about gpg.mozilla.org



Actual results:

Scanned it and found xss on /pks/lookup/undefined1<ScRiPt>prompt(972363)</ScRiPt>




Expected results:

Screen PopupAlert
(Reporter)

Updated

4 years ago
Whiteboard: Haris Mamoun
assigned to rforbes for verif, this looks like a scanner false positive to me. I took a quick look at the url in question and I don't see a way for this to be exploited.
Assignee: nobody → rforbes
Flags: sec-bounty?
Whiteboard: Haris Mamoun → [site:gpg.mozilla.org][reporter-external][verif?]
(Reporter)

Comment 2

4 years ago
It is a reflected XSS.
Its verified, not false positive.
(Reporter)

Comment 3

4 years ago
Any information on status ?
Flags: needinfo?(rforbes)
Modern browsers escape the request so the reflected page does not contain an XSS attack. Using command-line tools like curl or maybe old versions of IE don't do this escaping so it can look like a successful attack.

Joe: who stood up this server? I'm guessing someone in your team, but the real bug (such as it is) is almost certainly in the upsteam SKS code. Maybe there's a newer version, or maybe they've got a fix.
Assignee: rforbes → jstevensen
Flags: needinfo?(rforbes)
Whiteboard: [site:gpg.mozilla.org][reporter-external][verif?] → [site:gpg.mozilla.org][reporter-external] old IE only?

Updated

4 years ago
Assignee: jstevensen → gdestuynder
we're currently running the SKS keyserver version 1.1.4 (latest) and using the default page.
Thus, the issue most likely exist in the upstream SKS code indeed (https://bitbucket.org/skskeyserver/sks-keyserver/)

I did not find any public issue on the matter in their issue tracker (https://bitbucket.org/skskeyserver/sks-keyserver/issues?q=xss for example)
The output appears to be sanitized by the server, thus i believe there is no actual issue.

rforbes, can you confirm?
Flags: needinfo?(rforbes)
turns out its not sanitized :)
curl "http://gpg.mozilla.org//pks/lookup/undefined1<ScRiPt>prompt(972363)</ScRiPt>" 
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Page not found</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<style type="text/css">
/*<![CDATA[*/
 .uid { color: green; text-decoration: underline; }
 .warn { color: red; font-weight: bold; }
/*]]>*/
</style></head><body><h1>Page not found</h1>Page not found: //pks/lookup/undefined1<ScRiPt>prompt(972363)</ScRiPt></body></html>
Flags: needinfo?(rforbes)
(Reporter)

Comment 9

4 years ago
Any confirmation/info ?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocks: 836522
Group: mozilla-services-security
Keywords: sec-low, wsec-xss
I guess if the upstream bug is available in public we don't need to hide our version here.
this is sec-low so not qualified for a bounty.
Flags: sec-bounty? → sec-bounty-
CVE issued by upstream CVE-2014-3207
New version released (1.1.5) and slated for upgrade on gpg.mozilla.org  (as per blocking bug)
1.1.5 running, and verified poc doesnt work
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.