Closed Bug 956546 Opened 10 years ago Closed 10 years ago

Reflected Cross Site Scripting

Categories

(Webmaker Graveyard :: webmaker.org, defect)

x86
Windows 7
defect
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 765340

People

(Reporter: codegonetro, Unassigned)

Details

(Keywords: wsec-xss, Whiteboard: [site:webmaker.org] )

Attachments

(1 file)

Attached file POC.zip
Good Day Webmaster,

I would like to report a bug on your site, webmaster, because I am concerned for this site and want to protect the name of your site.

I found a 2 time bug on your site. This bug could be a Reflected XSS vulnerability, and it can cause malicious script to be inserted into your site.

Please take action on this bug report, webmaster.

OS:

windows 7

Browser:
Mozilla Firefox Version 27.0


Respectfully yours,
Garry D. Bacalso
Flags: sec-review?
Flags: sec-bounty?
Flags: needinfo?
Please see the files that I attached for the POC.
Javascript in Thimble is an enabled feature. Any JavaScript running in that preview frame is properly sandboxed on a completely different domain than webmaker.org, and the behaviour in the attached video is expected.

Jon/Pomax - wont-fix?
Flags: needinfo?(pomax)
Flags: needinfo?(jon)
Flags: needinfo?
Good Day Webmaster,

Would it qualify for a bug bounty reward, webmaster?
Did you see the video that I attached, webmaster?


Respectfully yours,
Garry D. Bacalso
(In reply to Chris DeCairos (:cade) from comment #2)
> Javascript in Thimble is an enabled feature. Any JavaScript running in that
> preview frame is properly sandboxed on a completely different domain than
> webmaker.org, and the behaviour in the attached video is expected.
> 
> Jon/Pomax - wont-fix?

Good Day Webmaster,

Would it qualify for a bug bounty reward, webmaster?
Did you see the video that I attached, webmaster?


Respectfully yours,
Garry D. Bacalso
Hi Garry,

Execution of script within user content is intentional and by design:

You'll notice that the alerts you popped in your POC are on the mozillathimblelivepreview.net domain - this is a preview domain and is separate from everything on webmaker.org that we might want to protect (session cookies, etc.) and so can't be used to launch related-domain attacks. Once content is published, it's also served from a domain unrelated to webmaker.org (for much the same reason).

If you're able to execute script in the context of webmaker.org itself, that would be something of concern.

Thanks for taking the time to get in touch; please keep looking and let us know what else you can find.
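
The domain-separation argument in the comment above can be turned into a triage check. The following is an added example, not part of the original comment or of Webmaker's code: it classifies the host where a reported script ran against the protected site, using RFC 6265 cookie domain matching. The function names and every sample URL other than the two domains named in this bug are constructed for illustration.

```javascript
// Added example: where did the reported script run, relative to the site
// whose session cookies need protecting? Hosts that are IP addresses are
// out of scope for this sketch.
const PROTECTED_DOMAIN = "webmaker.org"; // domain named in this bug

// Lowercase and drop a trailing root dot so comparisons are stable.
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// RFC 6265 section 5.1.3: a host matches a cookie domain when it is
// identical to it or ends with "." + domain. The leading dot in the
// suffix check is what keeps "evilwebmaker.org" from matching.
function domainMatches(host, cookieDomain) {
  const h = normalizeHost(host);
  const d = normalizeHost(cookieDomain).replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// "same-host":      script runs on the protected host itself
// "related-domain": a subdomain, which can receive or set parent-domain cookies
// "unrelated":      no cookie scope in common with the protected domain
function classifyOrigin(originUrl, protectedDomain = PROTECTED_DOMAIN) {
  const host = normalizeHost(new URL(originUrl).hostname);
  if (host === normalizeHost(protectedDomain)) return "same-host";
  if (domainMatches(host, protectedDomain)) return "related-domain";
  return "unrelated";
}

// Constructed sample reports; only the first two hosts appear in this bug.
const samples = [
  "https://mozillathimblelivepreview.net/preview/1",
  "https://webmaker.org/",
  "https://preview.webmaker.org/1",    // hypothetical subdomain
  "https://evilwebmaker.org/",         // look-alike, not a subdomain
  "https://webmaker.org.example.net/", // protected name used as a prefix
];
for (const url of samples) {
  console.log(classifyOrigin(url).padEnd(15), url);
}
```

Only the "same-host" and "related-domain" results describe script that shares a cookie scope with webmaker.org; the preview domain from the POC falls under "unrelated".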
(In reply to Chris DeCairos (:cade) from comment #2)
> Jon/Pomax - wont-fix?

I'm not Jon or Pomax but I think so
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
My mistake, it's a duplicate.
Flags: sec-bounty? → sec-bounty-
Keywords: wsec-xss
Resolution: WONTFIX → DUPLICATE
Whiteboard: [site:webmaker.org]
Flags: sec-review?
Flags: needinfo?(pomax)
Flags: needinfo?(jon)
Do I have any reward?