User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 (Beta/Release)
Build ID: 20140212131424

Steps to reproduce:
1. Download the attached archive.
2. Decompress the archive and open the document "Execute First".
3. Click the button that says "click to back home".
Note: Only works with Firefox; tested in Chrome and Internet Explorer.

Actual results:
One alert opens with the XSS code.

Link to the video: https://www.youtube.com/watch?v=HOiZGO8KViI
This doesn't appear to be a Firefox issue. There is a reflected XSS bug on http://www.futboltotal.com.mx/?s=<XSS HERE>

http://www.futboltotal.com.mx/?s=%3Cimg%20src=z%20onerror=alert%281%29%20z

The supplied code opens an iframe and changes the location of the parent to the above site, passing an XSS payload in the s parameter. Changing the XSS payload to alert(document.domain) shows that the code is executing on the www.futboltotal.com.mx domain. Unless there is something I'm missing, I will close this bug as INVALID.
Yes, but it only works in Firefox; in Chrome and Explorer it does not. Firefox runs it automatically without asking you, which does not happen in the other browsers.
The link I posted was just an example
The issue appears to be that Firefox doesn't have an XSS filter. I tested on Chrome and there is no alert as mentioned. The console shows:

"The XSS Auditor refused to execute a script in 'http://www.futboltotal.com.mx/?s=%3Cimg%20src=z%20onerror=alert%281%29%20z' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header."

IE has a similar message for the XSS filter. However, upon disabling the XSS protection, the attack works in Chrome as well. I am going to resolve this bug. Please follow up with the owners of futboltotal.com.mx to fix the XSS on their side. See bug 528661 for the current status of the XSS filter.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
See Also: → xssfilter