Status

developer.mozilla.org
General
--
critical
RESOLVED WORKSFORME
4 years ago
3 years ago

People

(Reporter: Umer Shakil, Unassigned)

Tracking

(Blocks: 1 bug, {sec-high, wsec-xss})

unspecified
Other
Windows 7
sec-high, wsec-xss
Bug Flags:
sec-bounty -

Details

(Whiteboard: [site:developer.mozilla.org] [reporter-external] stored xss, URL)

Attachments

(4 attachments)

(Reporter)

Description

4 years ago
Hello Sir,
I am an independent web security researcher currently working on bug bounty program and it is to inform you that your web application is vulnerable to a critical web attack that is cross site scripting (xss). I have provided you the screen shots kindly check them.
Kindly reply me as well. I will be waiting.
Thanks
Following are the details about the vulnerability and the test.

Vulnerable Link:
https://developer.mozilla.org/en-US/docs/Web/JavaScript$edit
(Reporter)

Updated

4 years ago
Whiteboard: stored xss
(Reporter)

Comment 1

4 years ago
Created attachment 8432392 [details]
stored xss
Group: mozilla-employee-confidential
Component: Developer Tools → General
Product: Firefox → Mozilla Developer Network
I've not verified this problem. Neither teoli nor I saw the pop-up.

The page is reverted. Link to original: https://developer.mozilla.org/en-US/docs/Web/JavaScript$revision/611337
(Reporter)

Comment 3

4 years ago
when you will Web/JavaScript edit option, the stored script will give you the pop up as show in the screenshots. I would have explored more but I was banned twice from that page while testing
(Reporter)

Comment 4

4 years ago
Created attachment 8432411 [details]
enter this scripts in title

enter this script in the title field.
(Reporter)

Comment 5

4 years ago
Created attachment 8432413 [details]
enter the script in the body

enter the script in the body with vector change from 1 to 2. So that we can verify from the pop up that which field is vulnerable.
(Reporter)

Comment 6

4 years ago
Created attachment 8432415 [details]
submit the changes done and then go to edit option again

submit the changes done and then go to edit option again and the vulnerability stored in the title field will give you the popup.
(Reporter)

Comment 7

4 years ago
I have provided you with 3 more screenshots and their descriptions. Kindly follow them and you will find the xss as it is stored and the title field is not sanitizing the data.
Thanks
Thank you for your testing. I am reverting the page again, because we have a lot of traffic on this specific landing page. Please use a testing or stage site like https://developer.allizom.org/en-US/docs/Web/JavaScript instead. Thanks!
I saw the problem. But stop defacing again anything but a test page.
Thanks Umer. Could you add the script in the comments?
(Reporter)

Comment 11

4 years ago
My sincere Apologies for testing the main page I was not aware of the testing and the main page. I will use the testing page like https://developer.allizom.org/en-US/docs/Web/JavaScript from nowonwards. Can you please update me with the bug status? or you want me to test again as I have provided you all of the details.
Here is the script used:
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></| \><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1) </script>"><img/id="
\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex 

Thanks,
Umer
(Reporter)

Comment 12

4 years ago
Kindly update me with the further details of the validity of the bug and the resolve period time.
Group: mozilla-employee-confidential → websites-security
Flags: sec-bounty?
Keywords: sec-high, wsec-xss
Whiteboard: stored xss → [site:developer.mozilla.org] [reporter-external] stored xss
(In reply to Umer Shakil from comment #11)
> My sincere Apologies for testing the main page I was not aware of the
> testing and the main page. I will use the testing page like
> https://developer.allizom.org/en-US/docs/Web/JavaScript from nowonwards. 

Hi Umer,

I've had a quick look and I can't reproduce this issue; would you be able to create a page on developer.allizom.org with the payload executing? If there are any particular browser versions needed for the payload to execute, please let me know.

Thanks
Status: UNCONFIRMED → NEW
Ever confirmed: true
I was able to reproduce this locally and I have
(Reporter)

Comment 15

4 years ago
I have used mozilla firefox 29.0.1 for this.
...traced it back a python method which I don't think is escaping the title properly.  

The prompting is happening due to JSON output here:

https://github.com/mozilla/kuma/blob/master/apps/wiki/templates/wiki/edit_document.html#L200

And I believe we need escaping added here:

https://github.com/mozilla/kuma/blob/master/apps/wiki/models.py#L1078
(Reporter)

Comment 17

4 years ago
so it is a valid bug and qualifies for a reward after being fixed? please let me know. 
Thanks
This looks very identical to bug 882108 which was supposed to be fixed by bug 847273 based on comment 13 I think we can close this as a dupe of 882108
(In reply to Umer Shakil from comment #17)
> so it is a valid bug and qualifies for a reward after being fixed? please
> let me know. 
> Thanks


This site is not officially in our list of eligible sites. If the bug is extraordinary we sometimes offer bounties for interesting bugs which are outside of normal policy.

We do appreciate learning about bugs in all of our sites. We publish a list of eligible sites for people who are only interested in bounties and we hope that can help reduce the frustration of wasting time in unfruitful areas.
http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs
(Reporter)

Comment 20

4 years ago
OK I got it. I saw the eligible domains list, The purpose of testing this domain was that i saw mozilla.org on the list and developer.mozilla.org is a sub-domain of mozilla.org . And is it not considered as extraordinary as well? kindly resolve these queries and let me know thanks.
This PR was merged to prevent this issue:

https://github.com/mozilla/kuma/pull/2435
Umer - how did you get started testing MDN security?

I want to help tell new security testers like you about our MDN dev & stage servers before they test on the production server. :)
Flags: needinfo?(vergil901)
I've opened https://github.com/mozilla/kuma/pull/2442 to fix the underlying bug. The problem is that I'm not sure if there are other instances of passing unescaped json to the templates. I'd figure this should be a highest priority issue.
(Reporter)

Comment 24

4 years ago
Luke, as i told you normally sub-domains are also included in the research areas expect those of sandbox domains, i wasnt aware about this domain as I mentioned this earlier. As I found the bug I reported it through the bugzilla. So kindly update me with the further details and the vulnerability is fixed. 
Thanks
Flags: needinfo?(vergil901)
(In reply to Jannis Leidel [:jezdez] from comment #23)
> I've opened https://github.com/mozilla/kuma/pull/2442 to fix the underlying
> bug. The problem is that I'm not sure if there are other instances of
> passing unescaped json to the templates. I'd figure this should be a highest
> priority issue.

We ought to periodically audit for 'safe' in any case
(In reply to Umer Shakil from comment #24)

I mean - how did you first decide to test MDN for security? Did you go to http://whatcanidoformozilla.org/ or maybe http://mozilla.org/contribute?
(Reporter)

Comment 27

4 years ago
@Luke, Sir I went to developer.mozilla.org through the main page of mozilla.org.
What made you want to do security testing on the site? The security bounty program?
(Reporter)

Comment 29

4 years ago
Yes the security bounty program, your are right develoeper.mozilla in not in the eligible domain list, but I stared working from mozilla.org. The main mozilla.org gives your four option infront when you open the site:
*)share your vision
*)try the best firefox yet
*)become a webmaker
*)Visit the mozilla developer network
When somebody is testing a website ofcoarse he go will go for these sub domains or sub pages as well as they are a part of the main page, as testing cant be done of the single title page only and the vulnerabilities does not lie on the single main page we need to see more input value and options as well. This is how I actually went there and reported you.
Thanks
Thanks Umer - that's great info.

:curtisk - can we update https://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs to put developer.allizom.org - i.e., the stage server - into the list? That may help us avoid future incidents with security testers accidentally breaking production MDN pages.

Not sure how we can preempt security testers who simply navigate to MDN prod from mozilla.org ...
Flags: needinfo?(curtisk)
(Reporter)

Comment 31

4 years ago
No problem, you can ask for information if needed.
I have submitted another xss vulnerability, its a stored one on addons.mozilla.org. I am waiting for a reply. The Bug number is 1019429.
Thanks
(In reply to Luke Crouch [:groovecoder] from comment #30)
> Thanks Umer - that's great info.
> 
> :curtisk - can we update
> https://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs to
> put developer.allizom.org - i.e., the stage server - into the list? That may
> help us avoid future incidents with security testers accidentally breaking
> production MDN pages.
> 
> Not sure how we can preempt security testers who simply navigate to MDN prod
> from mozilla.org ...

I'll ask dveditz if we can make that edit as soon as possible
Flags: needinfo?(curtisk)
(In reply to Umer Shakil from comment #31)
> I have submitted another xss vulnerability, its a stored one on
> addons.mozilla.org. I am waiting for a reply. The Bug number is 1019429.

Luckily I read this since I'm not working on this bug. A buried bug comment is not how you enter bugs for the bug program -- please mail security@mozilla.org with the bug link. We are sometimes able to catch bugs that were not mailed to us but many times it's not at all clear a bug was submitted for a bounty if you don't. bug 1019429 was not even filed with the security checkbox ticked so it wouldn't even be on our radar.
(Reporter)

Comment 34

4 years ago
Daniel Veditz [:dveditz]. I did not mailed as the bug bounty program guided to file a bug through the bugzilla form. Well in this case I have already filed the bug via bugzilla, and as you told I have emailed the report as well. Kindly guide me now, where to track the bug details, via email or via the bugzilla bug 1019429 portal?
(Reporter)

Comment 35

4 years ago
Kindly update me with the conclusion when it is done.
Thanks
(Reporter)

Comment 36

4 years ago
Is this bug fixed? any reward or appreciation for this?
When the bug is fixed it's status will change and you will be able to see that, please do not add comments to the bug that do not add to the issue at hand. If the bug is accepted for sec-bounty flag will change from '?' to '+'. For more information on flags and other bug markings on security bugs see: https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings#
(Reporter)

Comment 38

4 years ago
Alright thanks for the updates.
Duplicate of this bug: 1018901
(In reply to Umer Shakil from comment #36)
> Is this bug fixed? any reward or appreciation for this?

As was said earlier, this site is not eligible for the bounty program. Please stick to eligible sites if you wish to receive a bounty for these sorts of issues.
Flags: sec-bounty? → sec-bounty-

Updated

4 years ago
Blocks: 835438
Adding all MDN devs to cc list of these security bugs.
I cannot replicate this bug. Here is a sandbox where I pasted the script from comment 11 into every field that would accept it (title and article-source): https://developer.allizom.org/en-US/docs/User:hoosteeno$edit

Comment 21 and Comment 23 each include a PR. Both were merged almost a year ago. Is it fixed? Can anyone else reproduce?
Flags: needinfo?(vergil901)
I've just attempted to reproduce this issue again and I cannot.  We've completed several CKEditor upgrades over the past few months and "on" attributes are no longer allowed in any capacity. I just tested in Firefox, Safari, Chrome, and IE10.
I'm going to resolve WORKSFORME, based on comment 43 and comment 44. Thanks!
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(vergil901)
Resolution: --- → WORKSFORME
Group: websites-security
You need to log in before you can comment on or make changes to this bug.