Status

()

defect
RESOLVED INVALID
5 years ago
5 years ago

People

(Reporter: mayitosj09, Unassigned)

Tracking

27 Branch
x86_64
Windows 8
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 (Beta/Release)
Build ID: 20140212131424

Steps to reproduce:

1: Download the archive attached
2: Decompress the archive and open the document "Execute First"
3: Click the button that says "click to back home"
Note: Only works with firefox, tested in chrome and internet explorer


Actual results:

Is opened one alert with the xss code
(Reporter)

Comment 1

5 years ago
link of the video: https://www.youtube.com/watch?v=HOiZGO8KViI
This doesn't appear to be a Firefox issue. There is a reflected XSS bug on http://www.futboltotal.com.mx/?s=<XSS HERE>

http://www.futboltotal.com.mx/?s=%3Cimg%20src=z%20onerror=alert%281%29%20z

The supplied code opens an iframe and changes the location of the parent to the above site passing in a XSS payload in the s parameter. Changing the XSS payload to alert(document.domain) shows that the code is executing on the www.futboltotal.com.mx domain. Unless there is something I'm missing, I will close this bug as INVALID
Flags: needinfo?(mayitosj09)
(Reporter)

Comment 3

5 years ago
Yes, but it only works with firefox, chrome and explorer in it does not, firefox runs automatically without asking you, which does not happen in another browser.
Flags: needinfo?(mayitosj09)
(Reporter)

Comment 4

5 years ago
The link I posted was just an example
The issue appears to be that Firefox doesn't have a XSS filter. I tested on Chrome and there is no alert as mentioned. The console shows

The XSS Auditor refused to execute a script in 'http://www.futboltotal.com.mx/?s=%3Cimg%20src=z%20onerror=alert%281%29%20z' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 

IE has a similar message for the XSS filter. However, upon disabling the XSS protection, the attack works in chrome as well. I am going to resolve this bug. Please follow up with the owners of futboltotal.com.mx to fix the XSS on their side. See bug 528661 for the current status of the xss filter
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
See Also: → xssfilter
Group: core-security
You need to log in before you can comment on or make changes to this bug.