Closed
Bug 956546
Opened 10 years ago
Closed 10 years ago
Reflected Cross Site Scripting
Categories
(Webmaker Graveyard :: webmaker.org, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 765340
People
(Reporter: codegonetro, Unassigned)
Details
(Keywords: wsec-xss, Whiteboard: [site:webmaker.org] )
Attachments
(1 file)
1.12 MB,
application/zip
|
Details |
Good Day Webmaster, I would like to report a bug of your site webmaster, because i am concern for this site, and to protect the name of your site. I found a 2 time bug to your site. That having bug could a Reflected XSS vulnerable, and it can cause and inserting malicious script to your site. Please do and action with this bug report webmaster. OS: windows 7 Browser: Mozilla Firefox Version 27.0 Respectfully yours, Garry D. Bacalso
Reporter | ||
Updated•10 years ago
|
Flags: sec-review?
Flags: sec-bounty?
Flags: needinfo?
Reporter | ||
Comment 1•10 years ago
|
||
Please see the attached files that i attached. for POC
Comment 2•10 years ago
|
||
Javascript in Thimble is an enabled feature. Any JavaScript running in that preview frame is properly sandboxed on a completely different domain than webmaker.org, and the behaviour in the attached video is expected. Jon/Pomax - wont-fix?
Flags: needinfo?(pomax)
Flags: needinfo?(jon)
Flags: needinfo?
Reporter | ||
Comment 3•10 years ago
|
||
Good Day Webmaster, Would it be qualified for bug bounty reward webmaster? Did you see the video that i attached webmaster? Respectfully yours, Garry D. Bacalso
Reporter | ||
Comment 4•10 years ago
|
||
(In reply to Chris DeCairos (:cade) from comment #2) > Javascript in Thimble is an enabled feature. Any JavaScript running in that > preview frame is properly sandboxed on a completely different domain than > webmaker.org, and the behaviour in the attached video is expected. > > Jon/Pomax - wont-fix? Good Day Webmaster, Would it be qualified for bug bounty reward webmaster? Did you see the video that i attached webmaster? Respectfully yours, Garry D. Bacalso
Comment 5•10 years ago
|
||
Hi Garry, Execution of script within user content is intentional and by design: You'll notice that the alerts you popped in your POC are on the mozillathimblelivepreview.net domain - this is a preview domain and is separate from everything on webmaker.org that we might want to protect (session cookies, etc) and so can't be used to launch related-domain attacks. Once content is published, it's also served from a domain unrelated to webmaker.org (for much the same reason). If you're able to execute script in the context of webmaker.org itself, that would be something of concern. Thanks for taking the time to get in touch; please keep looking and let us know what else you can find.
Comment 6•10 years ago
|
||
(In reply to Chris DeCairos (:cade) from comment #2) > Jon/Pomax - wont-fix? I'm not Jon or Pomax but I think so
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Comment 7•10 years ago
|
||
My mistake, it's a duplicate.
Flags: sec-bounty? → sec-bounty-
Keywords: wsec-xss
Resolution: WONTFIX → DUPLICATE
Whiteboard: [site:webmaker.org]
Updated•10 years ago
|
Flags: sec-review?
Updated•10 years ago
|
Flags: needinfo?(pomax)
Flags: needinfo?(jon)
Reporter | ||
Comment 8•10 years ago
|
||
Do i have any reward?
You need to log in
before you can comment on or make changes to this bug.
Description
•