Closed
Bug 622996
Opened 14 years ago
Closed 13 years ago
Reflected XSS in Special:Tags URL Arg pageID
Categories
(mozilla.org Graveyard :: Server Operations, task)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: mcoates, Unassigned)
Details
(Keywords: wsec-xss, Whiteboard: [infrasec:xss][ws:high])
Attachments
(1 file: 402 bytes, text/plain)
This bug was filed on behalf of <ignatio2007@gmail.com>

Issue

Reflected XSS in https://developer.mozilla.org at the following location:
https://developer.mozilla.org/index.php?title=Special:Tags&pageId=234+--%3E%3Cbody%20onload=alert(1)%3E

Recommended Remediation

1. Use htmlentity output encoding when returning any data from the URL within the HTTP response.
2. Use input validation to verify the pageID is numeric. If not, throw away the data and display an error
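The two recommended remediations, sketched in PHP as an added example; this is not code from the bug, from MindTouch or from MDN. The function names, the response fragment and the placement of the id inside an HTML comment are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler, not MindTouch or MDN code.

// Remediation 2: accept pageId only if it is a plain decimal number.
// Returns the integer, or null when the value must be thrown away.
function parse_page_id($raw): ?int
{
    // ctype_digit() is true only for non-empty strings made of 0-9, so
    // spaces, signs and markup are rejected; 9 digits fits a 32-bit int.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

// Remediation 1: encode URL-derived data before it enters the response.
// ENT_QUOTES also encodes ' and ", which matters inside attributes.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical fragment that reflects both query parameters.
function render_tags_fragment(array $query): string
{
    $pageId = parse_page_id($query['pageId'] ?? null);
    if ($pageId === null) {
        // Throw the value away; the error text carries no request data.
        return '<p class="error">Invalid page id.</p>';
    }
    $title = is_string($query['title'] ?? null) ? $query['title'] : '';
    return '<!-- page ' . $pageId . ' --><h1>' . html_out($title) . '</h1>';
}

// Constructed inputs: a normal request, then the decoded pageId value
// from the reported URL ("+" in a query string decodes to a space).
$samples = [
    ['title' => 'Special:Tags', 'pageId' => '234'],
    ['title' => 'Special:Tags', 'pageId' => '234 --><body onload=alert(1)>'],
    ['title' => 'Tags & "more"', 'pageId' => '234'],
];
foreach ($samples as $query) {
    echo render_tags_fragment($query), PHP_EOL;
}
```

Validation alone closes this parameter, but the encoding step is what protects every other value reflected from the URL, so both are applied.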
Comment 1•13 years ago
This bug was also reported by kuzz to security@mozilla.org on 02/08/11.

Michael: Do we know who should be contacted to fix this bug? I'm not sure if the developer site code is internal or not but I'll look around.
Comment 3•13 years ago (Reporter)
Luke, I saw you worked on a similar bug for devmo. Can you take this one?
Comment 4•13 years ago
I can take it on but I know Mindtouch has been really slow and painful accepting patches so I might just raise it to them and we'll go with their patch unless they drag their feet too long. Sound good?
Comment 6•13 years ago (Reporter)
(In reply to comment #4)
> I can take it on but I know Mindtouch has been really slow and painful
> accepting patches so I might just raise it to them and we'll go with their
> patch unless they drag their feet too long. Sound good?

That approach sounds fine. Please update us with any info that you get.
Comment 7•13 years ago
I've got a support ticket in with MindTouch. Hopefully they can give us a patch soon. mcoates, how long are we willing to wait on them before we patch ourselves?
Comment 8•13 years ago (Reporter)
It's been several weeks already. Is the ticket moving along? Do they have a target release date or version for the fix?
Comment 9•13 years ago
No, MindTouch support is very disappointing. Can't wait to be free of it. If they don't give us something by EOD today I'll fix it myself on Monday.
Updated•13 years ago
Assignee: nobody → lcrouch
Updated•13 years ago
Target Milestone: --- → 0.9.4
Comment 11•13 years ago
Updated•13 years ago
Assignee: lcrouch → server-ops
Group: mozilla-confidential, mozilla-corporation-confidential
Component: Website → Server Operations
Product: Mozilla Developer Network → mozilla.org
QA Contact: website → mrz
Target Milestone: 0.9.4 → ---
Version: unspecified → other
Comment 12•13 years ago
need to apply the MindTouch patch file
Updated•13 years ago
Assignee: server-ops → phong
Comment 13•13 years ago
same here https://developer.mozilla.org/index.php?title=Special:Article&type=backlinks&pageid=1928
Comment 16•13 years ago
I think there are plenty more vulnerabilities in the site eg trivial account-compromising CSRF;
https://developer.mozilla.org/Special:Preferences?email=albinowax%40eml.cc

But they've probably also been reported already, so I won't waste everyone's time by hunting out & filing bugs for them.
Updated•13 years ago
Assignee: phong → jeremy.orem+bugs
Comment 17•13 years ago
and here is another xss -> developer.mozilla.org/Special:Listusers?matchuser=
Comment 18•13 years ago
The workflow for closing XSS in the MindTouch pages is really painful:

1. XSS found on developer.mozilla.org
2. Submit bug/support request to MindTouch
3. Wait for MindTouch to verify, fix, and send us a patch (last one took 5-6 days)
4. Apply their patch to our servers (still pending from Apr 5)
5. Verify their patch on our servers
6. Sometimes their patch doesn't work - back to #2

Can we decide criteria for which are the most critical MindTouch XSS vuln's and how we want to fix them?
Comment 19•13 years ago
What's my action on this bug? Just applying attachment 524085 [details]?
Comment 20•13 years ago
(In reply to comment #19)
> What's my action on this bug? Just applying attachment 524085 [details]?

Yeah, apply that attachment and then we'll check the page.

In another bug we might want to work out our own security & patch policy for MindTouch since their support process seems really slow and clumsy.
Comment 21•13 years ago
Is it done? MindTouch is asking about their patch.
Comment 22•13 years ago
Patched: prod, stage, stage9.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 23•13 years ago
looks like this patch resolved all the xss listed here
Assignee: jeremy.orem+bugs → mozbugs.retornam
Keywords: qawanted
Comment 24•13 years ago
looks fixed on staging but I will leave the security team to verify
Keywords: qawanted
Comment 25•13 years ago (Reporter)
Now performing output encoding for < and >. Addresses the issue.
Status: RESOLVED → VERIFIED
Comment 26•11 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Updated•11 years ago
Assignee: mozbugs.retornam → server-ops
Updated•10 years ago
Group: websites-security, mozilla-confidential, mozilla-employee-confidential
Updated•9 years ago
Product: mozilla.org → mozilla.org Graveyard