Document Title:
===============
Mozilla WebMaker - Filter Bypass & Cross Site Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=981

Mozilla Bug ID: 835445

Release Date:
=============
2013-07-09

Vulnerability Laboratory ID (VL-ID):
====================================
981

Common Vulnerability Scoring System:
====================================
3.3

Product & Service Introduction:
===============================
Mozilla Webmaker is Mozilla's educational initiative. Webmaker's goal is to "help millions of people move from using the web to making the web." As part of Mozilla's non-profit mission, Webmaker aims "to help the world increase their understanding of the web, take greater control of their online lives, and create a more web literate planet."

Welcome to Webmaker — a Mozilla project dedicated to helping you create something amazing on the web. Our tools, events and learning guides allow webmakers to not only create the content that makes the web great, but — perhaps more importantly — understand how the web works. With this knowledge, we can make a web without limits. That's the philosophy behind webmaker.org. We've built everything so you can remix it.

(Copy of the Vendor Homepage: https://webmaker.org/)

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an input filter bypass and a client side vulnerability in the official Mozilla Webmaker Web Application.
Vulnerability Disclosure Timeline:
==================================
2013-06-21: Researcher Notification & Coordination (Ateeq Khan)
2013-06-21: Vendor Notification (Mozilla Security Incident Team)
2013-06-25: Vendor Response/Feedback (Mozilla Security Incident Team)
2013-06-28: Vendor Fix/Patch (Mozilla Developer Team)
2013-07-10: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Mozilla
Product: WebMaker Application & Service 2013 Q2

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Low

Technical Details & Description:
================================
A reflected XSS vulnerability has been discovered in the main web application of Mozilla Webmaker, because it is possible to bypass the application's current security controls using a fairly rare technique. During the initial tests it was noticed that the search module of the Webmaker website takes two parameters:

1) type=
2) q=

The values of both parameters are reflected on the search results page. The usual malicious script code requests are filtered; however, by using the array-style query parameter syntax (`type[]`), it is possible to define the parameter `type` multiple times. Doing so makes the application behave in an unexpected way and results in a successful filter bypass. By appending [] to the `type` parameter name, all filters are bypassed and it is possible to inject arbitrary script code to execute client side XSS attacks. The researcher was able to use the same parameter dynamically to execute multiple payloads at the same time. All step details are mentioned in the PoC section of this advisory.

Exploitation of this vulnerability requires a non-privileged user (attacker) and low user interaction (victim).
Successful exploitation of the vulnerability results in user session cookie hijacking, client side URL redirects, phishing attacks and other similar client side attack vectors. This vulnerability affects all internet users, including Webmaker, Thimble and Popcorn users.

Vulnerable Service(s):
[+] Mozilla Webmaker Website (www.webmaker.org)

Vulnerable Module(s):
[+] Search

Vulnerable Parameter(s):
[+] /search/type=[XSS|IVE]

Proof of Concept (PoC):
=======================
The reflected XSS vulnerability can be exploited by anyone browsing the internet and using the Mozilla Firefox browser. For demonstration or reproduction ...

PoC #1 (Single Payload)
1) https://webmaker.org/search?type[]=``>

PoC #2 (Dynamic Javascript Array, Multiple Payloads)
2) https://webmaker.org/search?type[0]=``>&type[1]=``>

Source Code Showing injected Iframes for PoC:

What are you looking for?

``> ``>
Solution - Fix & Patch:
=======================
Users should not be allowed to define the same parameter multiple times, because doing so results in abnormal behaviour of the web application and is the root cause of the filter bypass in this situation. Proper user input sanitization should be performed in the web application source code in order to reject all malicious script code requests.

Security Risk:
==============
The security risk of the input filter bypass and reflected cross site scripting web vulnerability is estimated as medium(+).

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq Khan (ateeq@evolution-sec.com)

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by the Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or support@vulnerability-lab.com to get permission.

Copyright © 2013 | Vulnerability Laboratory