Document Title:
===============
Mozilla WebMaker - Filter Bypass & Cross Site Vulnerability

Date:
=====
2013-07-09

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=981
Mozilla Bug ID: 835445

VL-ID:
=====
981

Common Vulnerability Scoring System:
====================================
3.3

Introduction:
=============
Mozilla Webmaker is Mozilla's educational initiative. Webmaker's goal is to "help millions of people move from using the web to making the web." As part of Mozilla's non-profit mission, Webmaker aims "to help the world increase their understanding of the web, take greater control of their online lives, and create a more web literate planet.

Welcome to Webmaker — a Mozilla project dedicated to helping you create something amazing on the web. Our tools, events and learning guides allow webmakers to not only create the content that makes the web great, but — perhaps more importantly — understand how the web works. With this knowledge, we can make a web without limits. That's the philosophy behind webmaker.org. We've built everything so you can remix it.

(Copy of the Vendor Homepage: https://webmaker.org/)

Abstract:
=========
The Vulnerability Laboratory Research Team discovered an input filter bypass and a client-side vulnerability in the official Mozilla Webmaker web application.

Report-Timeline:
================
2013-06-21: Researcher Notification & Coordination (Ateeq Khan)
2013-06-21: Vendor Notification (Mozilla Security Incident Team)
2013-06-25: Vendor Response/Feedback (Mozilla Security Incident Team)
2013-06-28: Vendor Fix/Patch (Mozilla Developer Team)
2013-07-10: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Mozilla
Product: WebMaker Application & Service v2013 Q2

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A reflected XSS vulnerability has been discovered in the main web application of Mozilla Webmaker, because it is possible to bypass the application's current security controls using a fairly rare technique. During the initial tests it was noticed that the search module of the Webmaker website takes two variables, listed below:

1) type=
2) q=

The values of both variables are normally reflected on the search results page, and the usual malicious script code requests are filtered. However, using JavaScript dynamic array notation it is possible to define the `type` variable multiple times; doing so makes the application execute in an unexpected way and results in a successful filter bypass. By adding [] to the `type` variable, all filters are bypassed and it is possible to inject arbitrary script code to execute client-side XSS attacks. The researcher was able to use the same variable dynamically to execute multiple payloads at the same time. All step details are given in the PoC section of this advisory.

Exploitation of this vulnerability requires a non-privileged user (attacker) and low user interaction (victim). Successful exploitation of the vulnerability results in hijacking of user session cookies, client-side URL redirects, phishing attacks and other similar client-side attack vectors.

This vulnerability affects all internet users, including Webmaker, Thimble and Popcorn users.

Vulnerable Service(s):
[+] Mozilla Webmaker Website (www.webmaker.org)

Vulnerable Module(s):
[+] Search

Vulnerable Parameter(s):
[+] /search/type=[XSS|IVE]

Proof of Concept:
=================
The reflected XSS vulnerability can be exploited by anyone browsing the internet with the Mozilla Firefox browser. For demonstration or reproduction ...

PoC #1 (Single Payload)
1) https://webmaker.org/search?type[]=">

PoC #2 (Dynamic JavaScript Array, Multiple Payloads)
2) https://webmaker.org/search?type[0]=">&type[1]=">

Source Code Showing injected Iframes for POC:
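The filter-bypass class described in the Details section, as an added example that is not part of this advisory and is not Webmaker's code: a sanitizer that only handles strings is skipped once the query parser turns `type[]=` into an array, while the hardened variant escapes every element. `parseQuery`, `escapeHtml` and `renderResults` are assumed stand-ins for the real search module, and the probe query is constructed with harmless tags.

```javascript
// Added example (not Webmaker's code). Models the advisory's bug class: a
// sanitizer that only handles strings is skipped when the query parser turns
// `type[]=...` into an array, which is later stringified unescaped.

// Assumed minimal bracket-aware query parser (mimics PHP/qs-style `type[]`).
function parseQuery(qs) {
  const params = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const rawKey = i < 0 ? pair : pair.slice(0, i);
    const rawVal = i < 0 ? '' : pair.slice(i + 1);
    const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    const val = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    const m = key.match(/^([^\[]+)\[\d*\]$/); // matches type[] or type[0]
    if (m) {
      (params[m[1]] = params[m[1]] || []).push(val);
    } else {
      params[key] = val;
    }
  }
  return params;
}

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Vulnerable pattern: anything that is not a string passes through untouched.
function sanitizeStringOnly(v) {
  return typeof v === 'string' ? escapeHtml(v) : v;
}

// Hardened: every value is flattened to a string and escaped, whatever its shape.
function sanitizeAny(v) {
  if (Array.isArray(v)) return v.map(sanitizeAny).join(', ');
  return escapeHtml(v == null ? '' : String(v));
}

// Reflects the `type` parameter into the results page, as the search module does.
function renderResults(query, sanitize) {
  const p = parseQuery(query);
  // String concatenation turns an array into "elem0,elem1" with no escaping.
  return '<p>Results for type: ' + sanitize(p.type) + '</p>';
}

// Constructed probe: harmless tags stand in for the advisory's payloads.
const CONSTRUCTED_PROBE = 'type[0]=%3Cb%3Ex%3C%2Fb%3E&type[1]=%3Ci%3Ey%3C%2Fi%3E&q=test';
```

The fix worth taking from this is the shape check: a filter that returns non-string input unchanged silently trusts whatever the query parser produced, so either escape every leaf or reject parameters whose type the handler does not expect.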