Reflected Cross Site Scripting

RESOLVED DUPLICATE of bug 765340

Status

Webmaker
webmaker.org
--
major
5 years ago
4 years ago

People

(Reporter: Garry D. Bacalso, Unassigned)

Tracking

({wsec-xss})

unspecified
x86
Windows 7
wsec-xss
Bug Flags:
sec-bounty -

Details

(Whiteboard: [site:webmaker.org] )

Attachments

(1 attachment)

1.12 MB, application/zip
Details
(Reporter)

Description

5 years ago
Created attachment 8355842 [details]
POC.zip

Good Day Webmaster,

 

I would like to report a bug on your site, webmaster, because I am concerned for this site,

and to protect the name of your site.

I found a 2 time bug on your site. Having that bug could make it Reflected XSS vulnerable, and it can cause inserting of malicious script into your site.

Please take action on this bug report, webmaster.

OS:

windows 7

Browser:
Mozilla Firefox Version 27.0


Respectfully yours,
Garry D. Bacalso
(Reporter)

Updated

5 years ago
Flags: sec-review?
Flags: sec-bounty?
Flags: needinfo?
(Reporter)

Comment 1

5 years ago
Please see the files that I attached for the POC.

JavaScript in Thimble is an enabled feature. Any JavaScript running in that preview frame is properly sandboxed on a completely different domain than webmaker.org, and the behaviour in the attached video is expected.

Jon/Pomax - wont-fix?
Flags: needinfo?(pomax)
Flags: needinfo?(jon)
Flags: needinfo?
(Reporter)

Comment 3

5 years ago
Good Day Webmaster,

Would it be qualified for a bug bounty reward, webmaster?
Did you see the video that I attached, webmaster?


Respectfully yours,
Garry D. Bacalso
(Reporter)

Comment 4

5 years ago
(In reply to Chris DeCairos (:cade) from comment #2)
> Javascript in Thimble is an enabled feature. Any JavaScript running in that
> preview frame is properly sandboxed on a completely different domain than
> webmaker.org, and the behaviour in the attached video is expected.
> 
> Jon/Pomax - wont-fix?

Good Day Webmaster,

Would it be qualified for a bug bounty reward, webmaster?
Did you see the video that I attached, webmaster?


Respectfully yours,
Garry D. Bacalso

Hi Garry,

Execution of script within user content is intentional and by design:

You'll notice that the alerts you popped in your POC are on the mozillathimblelivepreview.net domain - this is a preview domain and is separate from everything on webmaker.org that we might want to protect (session cookies, etc) and so can't be used to launch related-domain attacks. Once content is published, it's also served from a domain unrelated to webmaker.org (for much the same reason).

If you're able to execute script in the context of webmaker.org itself, that would be something of concern.

Thanks for taking the time to get in touch; please keep looking and let us know what else you can find.
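
The domain separation described in the comment above, as an added example that is not part of the original bug thread: it checks same-origin and RFC 6265 cookie domain-matching for a host where script ran against the site being protected. The cookie `Domain` value `webmaker.org` and the host `preview.webmaker.org` are constructed for illustration; only `webmaker.org` and `mozillathimblelivepreview.net` come from the thread.

```javascript
// Added illustration (not Webmaker's code): triage where reported script ran
// relative to the origin and cookie scope that need protecting.

// Same-origin policy: scheme, host and port must all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain,
// or ends with "." + cookie domain and is not an IP address.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Can a page at scriptUrl set or receive a cookie scoped to cookieDomain?
function cookieReachable(scriptUrl, cookieDomain) {
  return domainMatch(new URL(scriptUrl).hostname, cookieDomain);
}

// Classify a report: where did the script run relative to the protected site?
function triage(scriptUrl, protectedUrl, cookieDomain) {
  if (sameOrigin(scriptUrl, protectedUrl)) return "same-origin: in scope";
  if (cookieReachable(scriptUrl, cookieDomain)) {
    return "related-domain: cookie scope shared";
  }
  return "isolated: separate domain";
}

// Constructed sample reports; cookie Domain=webmaker.org is an assumption.
const SAMPLES = [
  "https://mozillathimblelivepreview.net/preview", // domain named in the thread
  "https://preview.webmaker.org/preview",          // hypothetical subdomain
  "https://webmaker.org/search",                   // the protected origin itself
];
for (const url of SAMPLES) {
  console.log(url, "->", triage(url, "https://webmaker.org/", "webmaker.org"));
}
```
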
(In reply to Chris DeCairos (:cade) from comment #2)
> Jon/Pomax - wont-fix?

I'm not Jon or Pomax but I think so
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX
My mistake, it's a duplicate.
Flags: sec-bounty? → sec-bounty-
Keywords: wsec-xss
Resolution: WONTFIX → DUPLICATE
Whiteboard: [site:webmaker.org]
Duplicate of bug: 765340
Flags: sec-review?

Updated

5 years ago
Flags: needinfo?(pomax)
Flags: needinfo?(jon)
(Reporter)

Comment 8

5 years ago
Do I have any reward?