Closed Bug 505335 Opened 15 years ago Closed 15 years ago

XSS vuln in 'returntotitle' parameter on Special:UserLogin page

Categories

(developer.mozilla.org Graveyard :: General, defect)

defect
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: reed, Assigned: royk)

Details

(Keywords: wsec-xss)

Found by hyperscan

https://developer.mozilla.org/index.php?title=Special:UserLogin&returntotitle="><script>alert('xss');</script>

	 		<div id="page-top"><div id="pageToc"><div class="pageToc"><h5>Table of contents</h5></div></div><div class="pageText" id="pageText"><div id="pageTypeSpecial"><form method="post" action="/Special:UserLogin" class="user-login"><fieldset><input type="hidden" value="1" name="auth_id" id="hidden-auth_id" autocomplete="off" /><div class="field"><label for="text-username">Username</label> <input type="text" value="" name="username" tabindex="1" size="24" spellcheck="false" class="input-text" id="text-username" autocomplete="off" /><div class="create-account"><a href="/Special:UserRegistration">Create an account</a></div></div><input type="hidden" value=""><script>alert('xss');</script>" name="returntotitle" id="hidden-returntotitle" autocomplete="off" /><div class="field"><label for="password-password">Password</label> <input type="password"  name="password" tabindex="2" size="24" spellcheck="false" class="input-password" id="password-password" autocomplete="off" /><div class="forgot-password"><a href="/Special:UserPassword">Forgot password?</a></div></div><button type="submit" name="deki_buttons[action][login]" value="login" tabindex="3" class="input-button"><span>Login</span></button></form></div></div></div><div class="printfooter" id="printfooter"><hr />

Specifically,

<input type="hidden" value=""><script>alert('xss');</script>" name="returntotitle" id="hidden-returntotitle" autocomplete="off" />
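The page does not show the patch in Attachment 389574, so the following is an added illustration of the reported behaviour, not Deki's code or the actual fix. Python stands in for the server-side template, and the helper names (render_unsafe, render_escaped, audit) are hypothetical. It renders the hidden field with and without attribute escaping, then parses the result to check whether the value stayed inside the attribute.

```python
import html
from html.parser import HTMLParser

# Value of the returntotitle query parameter, copied from the report above.
PAYLOAD = "\"><script>alert('xss');</script>"

FIELD_TAIL = '" name="returntotitle" id="hidden-returntotitle" autocomplete="off" />'


def render_unsafe(value):
    # Reproduces the reported output: the value is concatenated unescaped,
    # so a double quote in it closes the value attribute early.
    return '<input type="hidden" value="' + value + FIELD_TAIL


def render_escaped(value):
    # html.escape(quote=True) encodes & < > " ' so the value cannot
    # terminate the attribute or open a new tag.
    return '<input type="hidden" value="' + html.escape(value, quote=True) + FIELD_TAIL


class _Audit(HTMLParser):
    """Records every start tag and the parsed value of the returntotitle input."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "returntotitle":
            self.value = attrs.get("value")


def audit(markup):
    """Return (start tags seen, returntotitle value as a parser reads it)."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.value


if __name__ == "__main__":
    print(audit(render_unsafe(PAYLOAD)))   # a script element appears
    print(audit(render_escaped(PAYLOAD)))  # only the input; value round-trips
```
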
Attachment 389574 includes a fix for this bug.
Patch resolved the issue.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Assignee: nobody → royk
Blocks: 505301
Verified FIXED.
Status: RESOLVED → VERIFIED
Component: Deki Infrastructure → Other
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: developer.mozilla.org → developer.mozilla.org Graveyard