# Title: moztrap.mozilla.org URL Redirection Vulnerability
# Discovery Date: 15/04/13 | Release Date: 13/06/13
# Author: Junaid Hussain [ illSecure Research Group ]
# Contact: illSecResearchGroup@Gmail.com | Website: illSecure.com
# Risk: Low
--------------------------------------------------------------------------------------

> Introduction:

The login page on moztrap.mozilla.org requires a user to log in using Mozilla Persona. Once a user signs in successfully, they are redirected to the page stated in the "?next=" parameter.

(Example: https://moztrap.mozilla.org/users/login/?next=/results/runs/)

An attacker can change the value of the parameter and redirect MozTrap and Persona users to malicious sites, such as phishing sites or sites with malware.

> Example of URL Redirection Vulnerability:

https://moztrap.mozilla.org/users/login/?next=http://illsecure.com

> Proof Of Concept Video:

http://www.youtube.com/watch?v=06N1sWt54qk

- Junaid Hussain - http://illSecure.com - Security Is An Illusion
--------------------------------------------------------------------------------------
Original: http://www.illsecure.com/2013/06/mozilla-moztrap-url-redirection.html
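
One way to validate the "?next=" value before redirecting, shown as an added example that is not part of the original advisory and is not MozTrap's own code. The function names, the "/" fallback and the strict same-host policy are assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "moztrap.mozilla.org"  # host named in the advisory
DEFAULT_NEXT = "/"                    # assumed fallback landing page


def is_safe_next(target, allowed_host=ALLOWED_HOST):
    """Return True only if redirecting to `target` keeps the user on allowed_host."""
    if not target or target != target.strip():
        return False
    # Browsers treat "\" like "/" and drop tabs/newlines, so reject both
    # instead of guessing how a given client will normalise them.
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a rooted path such as /results/runs/.
        # "//host" and "///host" are network-path forms that leave the site.
        return target.startswith("/") and not target.startswith("//")
    # Absolute URL: https to exactly this host, no userinfo or port.
    return parts.scheme == "https" and parts.netloc.lower() == allowed_host


def resolve_next(target):
    """Value to redirect to after login: the requested page, or the fallback."""
    return target if is_safe_next(target) else DEFAULT_NEXT


if __name__ == "__main__":
    samples = [  # first two values come from the advisory; the rest are constructed
        "/results/runs/",
        "http://illsecure.com",
        "//illsecure.com",
        "/\\illsecure.com",
        "https://moztrap.mozilla.org@illsecure.com/",
    ]
    for s in samples:
        print(f"{s!r:50} -> {resolve_next(s)!r}")
```

The check runs on the server at the point where the login view reads "next", so a rejected value never reaches the Location header.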