Closed Bug 1151523 Opened 9 years ago Closed 9 years ago

XSS while editing in MDN

Categories

(developer.mozilla.org :: Security, defect, P1)

x86
macOS
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: abillings, Assigned: davidwalsh)

Details

(Keywords: sec-high, wsec-xss)

Attachments

(1 file)

Attached video POC video
We've received the following email:

From: Mohamed Khaled <sirmatrixpage@gmail.com>
Date: Fri, Apr 3, 2015 at 10:36 PM
Subject: Security Report
To: security@mozilla.org

Hello Mozilla Team , 

My Name Is Mohamed Khaled [ security researcher ] From Egypt 

Type : Cross Site Scripting 

About XSS : https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

POC : 

1 - Go to [ https://developer.mozilla.org/en-US/docs/ ] 
2 - Create a new topic 
3 - Add iframe XSS code in the source view of the editor 
4 - Preview your code [ the XSS code pop-up ] shows 

In the mail: POC video
Flags: sec-bounty?
Needinfo anyone from svc websec to pick this up
Flags: needinfo?(yboily)
Flags: needinfo?(sbennetts)
Flags: needinfo?(amuntner)
:davidwalsh for more input: IIRC we've had these bugs with CKEditor in the past where *it* doesn't escape unsafe HTML?
Flags: needinfo?(dwalsh)
We have had those issues in the past but hadn't seen any pop up recently, and this one is a pattern I hadn't seen before.  :/

I could recreate with IE10 and Chrome and the following string:

<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:&Tab;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;&Tab;1&Tab;%29></iframe>

It never makes it to the document view but does happen when editing the document as well.

I have:

1.  Created a ticket for the CKE team:  https://dev.ckeditor.com/ticket/13160
2.  Contacted the CKE lead developer to escalate the issue.

I'll be looking for ways to prevent the issue ASAP/now
Flags: needinfo?(dwalsh)
Hello Again , 

When an attacker uses this form to exploit the XSS, he can steal the victim's cookies,

as shown in the picture.

Link  : http://i.imgur.com/cQ9bLBo.png

Thanks
Flags: needinfo?(sbennetts)
I spoke to the lead developer of CKEditor and we came to the following conclusions:

1.  Maybe bleaching on the way in would be good, which I've asserted for a long time.

2.  He considers this "not a bug" because (1) we shouldn't be storing XSS issues and (2) iframe src="javascript:;" is valid -- we're only encountering this because it's stored.

In speaking with the dev team, I recommend the following:

1.  We disallow <iframe> in the CKEditor.  It's begging for trouble, even if we validate domains on the server side.

2.  Writers use an {{ iframe() }} macro to create IFRAMEs.  That would keep <iframe> out of our CKEditor and would prevent users from being XSS'd. 

I'll create a pull request today to disallow IFRAMEs in CKEditor but we need to figure out how to migrate existing docs/revisions to use the macro.  Luke, does this sound reasonable?  Wanna send meeting invite out for it?
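As an added example, not code from Kuma, CKEditor or anyone in this bug, the Python below puts the two points made in the thread side by side: why a substring blocklist misses the `&Tab;`-obfuscated `src` value from comment 3 (the browser decodes the entities and then strips tab, LF and CR from the URL, so it sees `javascript:alert(1)`), and what "bleaching on the way in" with `<iframe>` disallowed looks like. It uses the standard-library `html.parser` in place of bleach; the tag and attribute allowlists, the `dropped` audit format and the helper names are assumptions chosen for illustration, not Kuma's configuration.

```python
import html
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Constructed sample: the src value and full payload reported in comment 3 of the bug.
REPORTED_SRC = (
    "j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:"
    "&Tab;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;&Tab;1&Tab;%29"
)
REPORTED_SRC_DECODED = html.unescape(REPORTED_SRC)   # &Tab; becomes a literal U+0009
REPORTED_PAYLOAD = f"<iframe src={REPORTED_SRC}></iframe>"

# Assumed allowlists for illustration (not Kuma's real bleach configuration).
SAFE_SCHEMES = {"http", "https", "mailto"}
ALLOWED_TAGS = {"p", "a", "img", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"img", "br"}
# Removed together with everything inside them: the fix taken in the bug is "no <iframe> at all".
DROP_WITH_CONTENT = {"iframe", "script", "style", "object", "embed"}

_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def naive_is_dangerous(raw_attr: str) -> bool:
    """Substring blocklist on the attribute text: misses the &Tab; payload entirely."""
    return "javascript:" in raw_attr.lower()


def url_scheme(decoded_attr: str) -> Optional[str]:
    """Scheme the browser will act on: drop the ASCII tab/LF/CR that URL parsing
    removes, trim surrounding whitespace, then read a scheme if one is present."""
    cleaned = re.sub(r"[\t\n\r]", "", decoded_attr).strip()
    m = _SCHEME_RE.match(cleaned)
    return m.group(1).lower() if m else None


def is_dangerous_url(decoded_attr: str) -> bool:
    """Allowlist on the normalised scheme; relative URLs (no scheme) are allowed."""
    scheme = url_scheme(decoded_attr)
    return scheme is not None and scheme not in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Allowlist sanitizer: keeps ALLOWED_TAGS/ALLOWED_ATTRS, validates URL attributes
    on their entity-decoded value, re-escapes all text, and drops DROP_WITH_CONTENT
    subtrees. `dropped` records what was removed (assumed "tag" / "tag@attr" format)."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # attrs and text arrive entity-decoded
        self.out: List[str] = []
        self.skip = 0                 # nesting depth inside a dropped subtree
        self.dropped: List[str] = []

    def handle_starttag(self, tag, attrs):
        if self.skip:
            if tag in DROP_WITH_CONTENT:
                self.skip += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip = 1
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS or (name in URL_ATTRS and is_dangerous_url(value)):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip:
            if tag in DROP_WITH_CONTENT:
                self.skip -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> Tuple[str, List[str]]:
    """Return (clean_html, dropped) for a stored fragment; run this before saving a revision."""
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out), s.dropped


if __name__ == "__main__":
    print("naive check sees payload:", naive_is_dangerous(REPORTED_SRC_DECODED))   # False
    print("normalised scheme:", url_scheme(REPORTED_SRC_DECODED))                   # javascript
    print("sanitized:", sanitize(REPORTED_PAYLOAD))                                 # ('', ['iframe'])
```

The point of normalising before the scheme check is that the check must see what the browser sees; a filter that inspects the raw source text is comparing against a different string than the one that will execute. Dropping `<iframe>` wholesale, as the thread settles on, sidesteps the question for that tag entirely, which is why the macro route was preferred over per-domain validation.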
Hello Again , 

This XSS bug is in CKEditor; we cannot say that it does not exist. The XSS pop-up shows, and when writing
"><img src=x onerror=prompt(document.cookie)> we can see the cookie via JavaScript in the editor.


Can an attacker use the exploit code when the victim shows the source code of the topic?
Can an attacker steal the victim's cookies?

I think that CKEditor does not care about the importance of this subject, because it leads to penetration in most and different ways.

Please review; this may affect Mozilla.
First step in the process:  https://github.com/mozilla/kuma/pull/3171
When the iframe shows the XSS pop-up, the exploit has succeeded.
Flags: needinfo?(amuntner)
Assignee: nobody → dwalsh
Severity: normal → critical
Priority: -- → P1
Any news about this bug?
Sheppy:  Where are we on the macro implementation so we can move forward?
Flags: needinfo?(eshepherd)
:sheppy - can you update this bug with our efforts to clean up the YouTube iframe content to use the new KS macro so we can close this up on our side of the CKEditor code?
(In reply to sirmatrixpage from comment #6)
> Can an attacker use the exploit code when the victim shows the source code of the topic?
> Can an attacker steal the victim's cookies?

The sessionid cookie is http-only so you can't steal the user's session, but while they were still viewing your hijacked page you could modify the site as the user. The site damage is no big deal--like a wiki people can sign up with anonymous enough accounts to vandalize and the community simply has to be able to deal with that. But it could be embarrassing for the user if others believed they really did it.

I can't reproduce on Firefox or Chrome. Did we update the production site with the patch in comment 7?
(In reply to Daniel Veditz [:dveditz] from comment #12)
> (In reply to sirmatrixpage from comment #6)
> > Can an attacker use the exploit code when the victim shows the source code of the topic?
> > Can an attacker steal the victim's cookies?
> 
> The sessionid cookie is http-only so you can't steal the user's session, but
> while they were still viewing your hijacked page you could modify the site
> as the user. The site damage is no big deal--like a wiki people can sign up
> with anonymous enough accounts to vandalize and the community simply has to
> be able to deal with that. But it could be embarrassing for the user if
> others believed they really did it.
> 
> I can't reproduce on Firefox or Chrome. Did we update the production site
> with the patch in comment 7?

Yes. <iframe>s are no longer allowed unless they are inserted by a KumaScript macro.

The YouTube button CKEditor add-on has a second PR pending; once that lands, we will have UX for inserting the macro conveniently.
Flags: needinfo?(eshepherd)
As in comment 12, I cannot reproduce this on staging. I'm using this as my sandbox:

https://developer.allizom.org/en-US/docs/User:megaman$edit

I am pasting the iframe code from comment 3 into the article-source.

Is this fixed?
Flags: needinfo?(dwalsh)
Yes -- CKEditor no longer allows IFRAMEs of any kind.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(yboily)
Flags: needinfo?(dwalsh)
Resolution: --- → FIXED
Will I be added to the hall of fame?
I hope : )
Flags: needinfo?(dwalsh)
Keywords: sec-high, wsec-xss
:dveditz  :  What's up?
Flags: needinfo?(dwalsh)
Flags: sec-bounty? → sec-bounty+
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security