Closed Bug 1222864 Opened 9 years ago Closed 9 years ago

Possible Stored XSS on developers.mozilla.org

Categories

(developer.mozilla.org Graveyard :: General, defect)

Product:
developer.mozilla.org Graveyard
Component:
General
Platform:
All
Other
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: fcuchietti, Assigned: lonnen)

References

Details

(Keywords: sec-high, wsec-xss, Whiteboard: [specification][type:bug]) 

What did you do?
================
Hello,

i have found a possible stored xss on developers.mozilla.org using "data:text/html" with a image. 

PoC: 

https://developer.mozilla.org/en-US/docs/Inbox/Hello_Stored_XSS

What happened?
==============
.

What should have happened?
==========================
.

Is there anything else we should know?
======================================
Lonnen - This one looks legit (opening the image triggers the xss). Could you get someone from the MDN team to look at it?
Assignee: nobody → chris.lonnen
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(chris.lonnen)
Keywords: sec-high, wsec-xss
Added to dev Inbox: https://trello.com/c/19LAXu3c/771-bug-1222864 Will discuss at planning here in 10m.
+mdn staff devs
Need some more info. I visited the page in a Firefox private browsing window and I don't see a POC - no console output, no pop-up. Didn't see anything on Chrome or Safari either. Does this only happen on the edit page, or the view page? Or am I looking for the wrong POC?
Flags: needinfo?(chris.lonnen)
(In reply to Luke Crouch [:groovecoder] from comment #4)
> Need some more info. I visited the page in a Firefox private browsing window
> and I don't see a POC - no console output, no pop-up. Didn't see anything on
> Chrome or Safari either. Does this only happen on the edit page, or the view
> page? Or am I looking for the wrong POC?

The image needs to be clicked before the pop-up appears.
Hi Luke,

you need to click on the image so that the XSS run.
Can anyone confirm if this qualifies for a reward? Based on the Bug Bounty Program.
Bug bounty evaluation happens on a regular basis. It can take a couple of weeks, and I can't tell for sure if it will qualify, but it will definitely be evaluated for it.
This should be fixed by https://github.com/mozilla/kuma/commit/3809987b2ede1ebdf460cc7052a9de5b188f7253 which was deployed on Wednesday this week.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Luke,

Great fix!
(In reply to Julien Vehent [:ulfr] from comment #8)
> Bug bounty evaluation happens on a regular basis. It can take a couple of
> weeks, and I can't tell for sure if it will qualify, but it will definitely
> be evaluated for it.

Having fixed the vulnerability they will know if it is valid for a reward?
needinfo? abillings for sec-bounty?
Flags: needinfo?(abillings)
I'll mark it for bounty consideration. In the future, Fabián, please email security@mozilla.org if you want a bug considered for the bounty (per bounty program instructions).
Flags: needinfo?(abillings) → sec-bounty?
Flags: sec-bounty? → sec-bounty+
See Also: → 1225524
Hi, 

when they are updating the Hall of Fame?

Regards.
(In reply to Fabián Cuchietti from comment #15)
> Hi, 
> 
> when they are updating the Hall of Fame?
> 
> Regards.

Please email questions to security@mozilla.org instead of leaving bug comments if you have questions that aren't related to getting a bug fixed.
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: developer.mozilla.org → developer.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.