Wednesday, January 13, 2016

Persistent XSS in Mozilla Add-Ons Site

I do not know how, but somehow I ended up on Mozilla's add-ons site. The site gives logged-in users a feature to create collections. According to Mozilla, "collections are groups of similar add-ons that anyone can create and share". Collections are publicly viewable because the site provides a unique URL per collection. The site has a form (available here) with fields such as Name, Description and the add-ons to include, for the creation of a collection. The Name field of the collection form was vulnerable to a stored XSS.

I created a collection having the Name "xxxxxxxx'yyyyy</img in order to see how the site handles special characters in the Name. The collection can be seen here: https://addons.mozilla.org/en-US/firefox/collections/soaj1664/xxxxxxxx-yyyyy-img/. The screenshot shows the reflection of interest, i.e., the Name appearing as part of the <title> tag. One can see in the screenshot that < is neither encoded nor filtered in an HTML context, i.e., inside the <title> tag around the reflected probe string.


For XSSing, when your input lands inside the <title> tag and < is neither encoded nor filtered, simply closing the title tag prematurely with </title> does the job, and after that one can execute JavaScript code of his or her choice. The payload I used for the XSS looks like </title><svg/onload=confirm(document.domain)//. The screenshot shows the persistent XSS. The URL where it could be seen at the time (before the fix was deployed) is: https://addons.mozilla.org/en-US/firefox/collections/soaj1664/a-img-src-1-gif-onerror-alert/. The stored XSS is now fixed. Isn't it that simple :)
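The breakout described above, reproduced as an added example (not Mozilla's code) against a constructed page template, beside the fix of encoding the name for the HTML text context. The template, the function names and the RCDATA scanner are assumptions made for this example; the probe name and payload are the ones quoted in the post.

```python
import re
from html import escape, unescape

# Probe name and payload quoted in the post.
PROBE = "xxxxxxxx'yyyyy</img"
PAYLOAD = "</title><svg/onload=confirm(document.domain)//"

# Constructed template standing in for the collection page's <head>.
TEMPLATE = "<html><head><title>{name} :: Add-ons for Firefox</title></head><body></body></html>"


def render_vulnerable(name: str) -> str:
    """Mirrors the reported bug: the collection name is interpolated with no HTML encoding."""
    return TEMPLATE.format(name=name)


def render_fixed(name: str) -> str:
    """Hardened form: encode &, <, > and quotes for the HTML text context first,
    so a literal '</title>' inside the name can no longer end the element."""
    return TEMPLATE.format(name=escape(name))


# Browsers tokenize <title> content as RCDATA: no tags are recognised inside
# it, character references are decoded, and it ends at the first "</title"
# followed by whitespace, '/' or '>' (case-insensitive).
_TITLE_END = re.compile(r"</title(?=[\s/>])", re.IGNORECASE)


def browser_view(document: str) -> tuple[str, str]:
    """Return (title text as a browser displays it, raw markup that lands between
    the real </title> and </head>). Non-empty leftover markup means the name
    escaped the title context, which is exactly what the payload relies on."""
    start = document.lower().index("<title>") + len("<title>")
    end = _TITLE_END.search(document, start)
    if end is None:  # an unterminated title swallows the rest of the document
        return unescape(document[start:]), ""
    title_text = unescape(document[start:end.start()])
    rest = document[end.end():]
    rest = rest[rest.index(">") + 1:]  # skip the remainder of the end tag
    leftover = rest[: rest.lower().index("</head>")]
    return title_text, leftover


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        for value in (PROBE, PAYLOAD):
            title, leftover = browser_view(render(value))
            print(f"{label:10} title={title!r} leftover={leftover!r}")
```

With the probe the unencoded < survives but stays inside the title, which is why it looked harmless; with the payload the vulnerable render leaves an <svg onload=...> element in the head, while the fixed render keeps the whole string as visible title text.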


I filed a bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1235190) on 26-12-2015 and it was fixed on 07-01-2016. Mozilla awarded me $2500 for this persistent XSS, which could have been used to serve malware, run a malicious campaign or deliver a drive-by download. I was informed that Mozilla will soon release a notice/advisory here: https://www.mozilla.org/en-US/security/advisories/.

Further, I found two more (low-profile) XSSes: one in the Mozilla add-ons site (https://addons.mozilla.org/en-US/firefox/) and one in the Mozilla Support site (https://support.mozilla.org/en-US/). The XSSes were not yet fixed when this was written, and I said I would update this post once fixes were deployed. Update: both XSSes are now fixed.

1) Self-XSS in the Edit Review feature of the Mozilla Add-ons site: the bug can be found here: https://bugzilla.mozilla.org/show_bug.cgi?id=1237967 and the deployed fix information can be seen here:

2) Self-XSS in the Mozilla Support mobile site's main search bar: the reported bug is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1238252 and the deployed fix can be seen here: https://github.com/mozilla/kitsune/commit/8eefb30593013e1fb69ed4b4724ef5d457e020bf

46 comments:

  2. Feel the power really a great work Sir !!
    Wish I can also do these things :(
