Document Title:
===============
Mozilla WebMaker - Filter Bypass & Cross Site Vulnerability
Date:
=====
2013-07-09
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=981
Mozilla Bug ID: 835445
VL-ID:
=====
981
Common Vulnerability Scoring System:
====================================
3.3
Introduction:
=============
Mozilla Webmaker is Mozilla`s educational initiative. Webmaker`s goal is to ``help millions of people move from
using the web to making the web.`` As part of Mozilla’s non-profit mission, Webmaker aims ``to help the world increase
their understanding of the web, take greater control of their online lives, and create a more web literate planet.
Welcome to Webmaker — a Mozilla project dedicated to helping you create something amazing on the web. Our tools,
events and learning guides allow webmakers to not only create the content that makes the web great, but — perhaps more
importantly — understand how the web works. With this knowledge, we can make a web without limits. That`s the philosophy
behind webmaker.org. We`ve built everything so you can remix it.
(Copy of the Vendor Homepage: https://webmaker.org/)
Abstract:
=========
The Vulnerability Laboratory Research Team discovered an input filter bypass and a client side vulnerability in the official Mozilla Webmaker Web Application.
Report-Timeline:
================
2013-06-21: Researcher Notification & Coordination (Ateeq Khan)
2013-06-21: Vendor Notification (Mozilla Security Incident Team)
2013-06-25: Vendor Response/Feedback (Mozilla Security Incident Team)
2013-06-28: Vendor Fix/Patch (Mozilla Developer Team)
2013-07-10: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Mozilla
Product: WebMaker Application & Service v2013 Q2
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
A reflected XSS vulnerability has been discovered on the main web application of Mozilla Webmaker because it is possible
to bypass the current security controls of the web application using a fairly rare technique. During the initial tests, it
was noticed that in the search module of the webmaker website has two variables as mentioned below:
1) Type=
2) q=
Values of both variables are being reflected on the webpage in the search results normally and the usual malicious script code
requests are also being filtered however, using the Javascript Dynamic Array function, it is possible to define the variable `type`
multiple times and doing so, makes the application execute in an unexpected way and hence results in successful filter bypass.
By adding [] infront of the `type` variable, all filters get bypassed and its possible to inject any malicious script code to execute
client side XSS attacks. The researcher was able to use the same variable dynamically to execute multiple payloads at the same time.
All step details are mentioned in the POC section of this advisory.
Exploitation of this vulnerability requires a non privileged user(attacker) and low user interaction(victim). Successful exploitation
of the vulnerability results in user session cookies hijacking, Client Side URL Redirects, Phishing attacks and other similar client side
attack vectors. This vulnerability affects all internet users including webmaker users, Thimble and Popcorn users.
Vulnerable Service(s):
[+] Mozilla Webmaker Website (www.webmaker.org)
Vulnerable Module(s):
[+] Search
Vulnerable Parameter(s):
[+] /search/type=[XSS|IVE]
Proof of Concept:
=================
The refelected XSS vulnerability can be exploited by anyone browsing the internet and using Mozilla Firefox Browser.
For demonstration or reproduce ...
PoC #1 (Single Payload)
1) https://webmaker.org/search?type[]=``>
PoC #2 (Dynamic Javascript Array, Multiple Payloads)
2) https://webmaker.org/search?type[0]=``>&type[1]=``>
Source Code Showing injected Iframes for POC: