Wednesday, January 13, 2016

Persistent XSS in Mozilla Add-Ons Site

I do not know how, but somehow I ended up on Mozilla's add-ons site. The site gives logged-in users the option to create collections. According to Mozilla, "collections are groups of similar add-ons that anyone can create and share". Collections are publicly viewable because the site provides a unique URL per collection. The collection creation form (available here) has fields such as Name, Description, and the add-ons to include. The Name field of this form was vulnerable to a stored XSS.

I created a collection with the Name "xxxxxxxx'yyyyy</img" in order to see how the site handles special characters in the Name. The collection can be seen here: https://addons.mozilla.org/en-US/firefox/collections/soaj1664/xxxxxxxx-yyyyy-img/. The screenshot shows the reflection of interest, i.e., the probe string reflected as part of the <title> tag. One can see in the screenshot that < is neither encoded nor filtered in an HTML context, i.e., inside the <title> tag around the reflected probe string.


For XSS, when your input lands inside the <title> tag and < is neither encoded nor filtered, simply closing the title tag prematurely with </title> does the job, and after that one can execute JavaScript code of his or her choice. The payload I used for the XSS looks like </title><svg/onload=confirm(document.domain)//. The screenshot shows the persistent XSS. The URL where it could be seen at that time (before the fix was deployed) is: https://addons.mozilla.org/en-US/firefox/collections/soaj1664/a-img-src-1-gif-onerror-alert/. The stored XSS is now fixed. Isn't it that simple :)
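To make the root cause and the fix concrete, here is an added example (not code from the post or from Mozilla's add-ons site) that renders a collection name into a `<title>` the way the vulnerable page did, beside the same template with HTML entity encoding applied, and a defender's check that flags a title a user string has broken out of. The template text, the function names and the check are assumptions for illustration; the two probe strings are the ones quoted in the post.

```python
import html
import re

# Constructed inputs: the probe string and the payload quoted in the post.
PROBE = "xxxxxxxx'yyyyy</img"
PAYLOAD = "</title><svg/onload=confirm(document.domain)//"

# Hypothetical page template; the static suffix stands in for the site's own title text.
TEMPLATE = "<html><head><title>{name} :: Add-ons for Firefox</title></head><body></body></html>"


def render_title_unsafe(name: str) -> str:
    """Interpolate the collection name without encoding.

    This reproduces the defect the post describes: '<' from user input survives
    into the HTML, so '</title>' in the name ends the element early.
    """
    return TEMPLATE.format(name=name)


def render_title_safe(name: str) -> str:
    """Same template with entity encoding, which is what an auto-escaping
    template engine does by default. Inside <title> (RCDATA) entities are
    decoded for display, so '&lt;/title&gt;' shows as text but cannot close it.
    """
    return TEMPLATE.format(name=html.escape(name, quote=True))


def title_is_intact(page: str) -> bool:
    """Defender's check on a rendered page.

    The page must contain exactly one '<title' open and one '</title>' close,
    and no raw '<' between them. A second '</title>' means user data closed the
    element early; a raw '<' inside it means the value was not encoded, which is
    exactly the symptom the probe string in the post was designed to reveal.
    """
    opens = re.findall(r"<title\b", page, re.I)
    closes = re.findall(r"</title\s*>", page, re.I)
    if len(opens) != 1 or len(closes) != 1:
        return False
    m = re.search(r"<title\b[^>]*>(.*?)</title\s*>", page, re.I | re.S)
    return m is not None and "<" not in m.group(1)


if __name__ == "__main__":
    for label, name in (("probe", PROBE), ("payload", PAYLOAD)):
        for renderer in (render_title_unsafe, render_title_safe):
            page = renderer(name)
            print(f"{renderer.__name__:20s} {label:8s} intact={title_is_intact(page)}")
```

Running the block shows the unencoded renderer failing the check for both inputs (the probe leaves a raw `<` in the title, the payload produces a second `</title>`), while the encoded renderer passes for both. The check is the kind of assertion a template test suite or a response-scanning test can run against every page that reflects user-controlled text into `<title>`.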


I filed a bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1235190) on 26-12-2015 and it was fixed on 07-01-2016. Mozilla awarded me $2500 for this persistent XSS, which could have been abused to serve malware, run a malicious campaign, or perform drive-by downloads. I was informed that Mozilla will soon release a notice/advisory here: https://www.mozilla.org/en-US/security/advisories/.

Further, I found two more (low-profile) XSSes: one in the Mozilla add-ons site (https://addons.mozilla.org/en-US/firefox/) and one in the Mozilla Support site (https://support.mozilla.org/en-US/). At the time of writing they were not yet fixed and I promised to update this post once fixes were deployed; both XSSes are now fixed.

1) Self-XSS in the Edit Review feature of the Mozilla Add-ons site: the bug report is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1237967 and information on the deployed fix can be seen here:

2) Self-XSS in the main search bar of the Mozilla Support mobile site: the reported bug is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1238252 and the deployed fix can be seen here: https://github.com/mozilla/kitsune/commit/8eefb30593013e1fb69ed4b4724ef5d457e020bf

27 comments:

  2. Feel the power really a great work Sir !!
    Wish I can also do these things :(