Whiteboard: stored xss
4 years ago
Component: Developer Tools → General
Product: Firefox → Mozilla Developer Network
Created attachment 8432411 [details]: enter this script in the title field.
Created attachment 8432413 [details]: enter the script in the body, with the vector changed from 1 to 2, so that we can verify from the pop-up which field is vulnerable.
Created attachment 8432415 [details]: submit the changes done and then go to the edit option again; the vulnerability stored in the title field will give you the pop-up.
I have provided you with 3 more screenshots and their descriptions. Kindly follow them and you will find the XSS, as it is stored and the title field is not sanitizing the data. Thanks
I saw the problem. But stop defacing again anything but a test page.
Thanks Umer. Could you add the script in the comments?
Kindly update me with further details on the validity of the bug and the time period for resolving it.
Group: mozilla-employee-confidential → websites-security
Keywords: sec-high, wsec-xss
Whiteboard: stored xss → [site:developer.mozilla.org] [reporter-external] stored xss
Status: UNCONFIRMED → NEW
Ever confirmed: true
I was able to reproduce this locally and I have
I have used Mozilla Firefox 29.0.1 for this.
...traced it back to a Python method which I don't think is escaping the title properly. The prompt is happening due to the JSON output here: https://github.com/mozilla/kuma/blob/master/apps/wiki/templates/wiki/edit_document.html#L200 And I believe we need escaping added here: https://github.com/mozilla/kuma/blob/master/apps/wiki/models.py#L1078
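The defect described in the comment above is a JSON document being inlined into a `<script>` block without escaping, so a title containing a closing script tag terminates the block early and whatever follows is parsed as markup. The following is an added example, not kuma's code and not the fix from the linked PRs: `json_for_script` is a hypothetical helper that serializes a value and then replaces the three characters that can break out of a script block with their JSON `\uXXXX` escapes, which `JSON.parse` and JavaScript string literals decode back to the original text. `inline_script_unescaped` reproduces the unsafe pattern for comparison, and `script_block_count` is the check a reviewer can run over rendered output.

```python
import json

# Characters that let a JSON string escape a <script> block or an HTML
# attribute, mapped to equivalent JSON escapes. The output stays valid JSON,
# so the browser decodes it to the same value; it just no longer contains
# literal angle brackets or ampersands that an HTML parser would act on.
# (json.dumps defaults to ensure_ascii=True, so U+2028/U+2029 are already
# escaped; only these three ASCII characters need handling.)
_SCRIPT_SAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
}


def json_for_script(value):
    """Serialize value as JSON that is safe to inline inside a <script> tag."""
    out = json.dumps(value)
    for ch, esc in _SCRIPT_SAFE.items():
        out = out.replace(ch, esc)
    return out


def round_trips(value):
    """True if the escaped JSON still decodes to exactly the original value."""
    return json.loads(json_for_script(value)) == value


def inline_script_unescaped(var_name, value):
    """The unsafe pattern: raw json.dumps output dropped into a script block."""
    return "<script>var %s = %s;</script>" % (var_name, json.dumps(value))


def inline_script(var_name, value):
    """The hardened pattern: the data cannot contain '</script>' literally."""
    return "<script>var %s = %s;</script>" % (var_name, json_for_script(value))


def script_block_count(rendered):
    """Number of </script> closers in the markup. Exactly 1 means the inlined
    data could not terminate the block early."""
    return rendered.lower().count("</script>")


if __name__ == "__main__":
    # Constructed sample: a document title that contains a closing script tag.
    doc = {"title": "</script><b>x</b>", "slug": "Sandbox"}
    print(inline_script_unescaped("doc", doc))
    print(inline_script("doc", doc))
    print(round_trips(doc))
```

Django has shipped the same escaping as the `json_script` template tag since 2.1; in a Jinja template the rule is that `|safe` may only be applied to output that went through an escaper like this one, never to raw `json.dumps` output.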
So it is a valid bug and qualifies for a reward after being fixed? Please let me know. Thanks
This looks very similar to bug 882108, which was supposed to be fixed by bug 847273. Based on comment 13, I think we can close this as a dupe of 882108.
(In reply to Umer Shakil from comment #17)
> so it is a valid bug and qualifies for a reward after being fixed? please let me know. Thanks

This site is not officially in our list of eligible sites. If the bug is extraordinary we sometimes offer bounties for interesting bugs which are outside of normal policy. We do appreciate learning about bugs in all of our sites. We publish a list of eligible sites for people who are only interested in bounties and we hope that can help reduce the frustration of wasting time in unfruitful areas. http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs
OK, I got it. I saw the eligible domains list. The purpose of testing this domain was that I saw mozilla.org on the list, and developer.mozilla.org is a sub-domain of mozilla.org. And is it not considered extraordinary as well? Kindly resolve these queries and let me know. Thanks
This PR was merged to prevent this issue: https://github.com/mozilla/kuma/pull/2435
Umer - how did you get started testing MDN security? I want to help tell new security testers like you about our MDN dev & stage servers before they test on the production server. :)
I've opened https://github.com/mozilla/kuma/pull/2442 to fix the underlying bug. The problem is that I'm not sure if there are other instances of passing unescaped JSON to the templates. I'd figure this should be a highest-priority issue.
Luke, as I told you, normally sub-domains are also included in the research areas, except those of sandbox domains. I wasn't aware of this domain, as I mentioned earlier. As I found the bug, I reported it through Bugzilla. So kindly update me with the further details and when the vulnerability is fixed. Thanks
(In reply to Jannis Leidel [:jezdez] from comment #23)
> I've opened https://github.com/mozilla/kuma/pull/2442 to fix the underlying bug. The problem is that I'm not sure if there are other instances of passing unescaped json to the templates. I'd figure this should be a highest priority issue.

We ought to periodically audit for 'safe' in any case
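The audit suggested above, that is, finding every `|safe` filter in the templates and flagging the ones that sit inside a `<script>` block where HTML escaping is not even the right defence, can be scripted. The following is an added example, not a kuma tool: `audit_safe_filters` is a hypothetical scanner that walks Jinja-style template source, locates `{{ expr|safe }}` expressions, and reports each with its line number and whether it lands in JavaScript or HTML context. `SAMPLE_TEMPLATE` is constructed for the example and does not come from the kuma repository.

```python
import re

# Constructed sample template with two |safe uses: one in HTML context and
# one inside a <script> block, which is the pattern the bug report describes.
SAMPLE_TEMPLATE = """\
<h1>{{ document.title }}</h1>
<div class="body">{{ document.html|safe }}</div>
<script>
  var doc = {{ document_json|safe }};
</script>
"""

# {{ <expr>|safe }} with optional whitespace; expr is everything before the pipe.
SAFE_FILTER = re.compile(r"\{\{\s*(?P<expr>[^}]*?)\|\s*safe\s*\}\}")
SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)
SCRIPT_CLOSE = re.compile(r"</script\s*>", re.IGNORECASE)


def _script_spans(src):
    """Return (start, end) offsets of every <script>...</script> block."""
    spans = []
    pos = 0
    while True:
        opener = SCRIPT_OPEN.search(src, pos)
        if not opener:
            return spans
        closer = SCRIPT_CLOSE.search(src, opener.end())
        end = closer.end() if closer else len(src)  # unterminated block runs to EOF
        spans.append((opener.start(), end))
        pos = end


def audit_safe_filters(src):
    """List every |safe usage with its line and rendering context.

    A |safe inside a <script> block is reported as 'script' context: the value
    must be JSON-escaped for JavaScript, and HTML escaping alone (or none, as
    |safe implies) leaves the block open to early termination.
    """
    spans = _script_spans(src)
    findings = []
    for match in SAFE_FILTER.finditer(src):
        offset = match.start()
        in_script = any(start <= offset < end for start, end in spans)
        findings.append({
            "line": src.count("\n", 0, offset) + 1,
            "expr": match.group("expr").strip(),
            "context": "script" if in_script else "html",
        })
    return findings


def script_context_findings(src):
    """Only the findings a reviewer should look at first."""
    return [f for f in audit_safe_filters(src) if f["context"] == "script"]


if __name__ == "__main__":
    for finding in audit_safe_filters(SAMPLE_TEMPLATE):
        print("line %(line)d: {{ %(expr)s|safe }} in %(context)s context" % finding)
```

Run it over a checkout with `os.walk` and a `.html` filter; every `script` finding needs a matching escaper on the producer side (the model or view that builds the JSON), and every `html` finding needs a reason why the value is already sanitized.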
(In reply to Umer Shakil from comment #24)
I mean - how did you first decide to test MDN for security? Did you go to http://whatcanidoformozilla.org/ or maybe http://mozilla.org/contribute?
@Luke, Sir I went to developer.mozilla.org through the main page of mozilla.org.
What made you want to do security testing on the site? The security bounty program?
Yes, the security bounty program. You are right, developer.mozilla.org is not in the eligible domain list, but I started working from mozilla.org. The main mozilla.org page gives you four options in front when you open the site:
*) share your vision
*) try the best Firefox yet
*) become a webmaker
*) visit the Mozilla Developer Network
When somebody is testing a website, of course he will go for these sub-domains or sub-pages as well, as they are a part of the main page. Testing can't be done on the single title page only, and the vulnerabilities do not lie on the single main page; we need to see more input values and options as well. This is how I actually went there and reported to you. Thanks
Thanks Umer - that's great info. :curtisk - can we update https://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs to put developer.allizom.org - i.e., the stage server - into the list? That may help us avoid future incidents with security testers accidentally breaking production MDN pages. Not sure how we can preempt security testers who simply navigate to MDN prod from mozilla.org ...
No problem, you can ask for information if needed. I have submitted another XSS vulnerability; it's a stored one on addons.mozilla.org. I am waiting for a reply. The bug number is 1019429. Thanks
(In reply to Luke Crouch [:groovecoder] from comment #30)
> Thanks Umer - that's great info.
>
> :curtisk - can we update https://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs to put developer.allizom.org - i.e., the stage server - into the list? That may help us avoid future incidents with security testers accidentally breaking production MDN pages.
>
> Not sure how we can preempt security testers who simply navigate to MDN prod from mozilla.org ...

I'll ask dveditz if we can make that edit as soon as possible
(In reply to Umer Shakil from comment #31)
> I have submitted another xss vulnerability, its a stored one on addons.mozilla.org. I am waiting for a reply. The Bug number is 1019429.

Luckily I read this since I'm not working on this bug. A buried bug comment is not how you enter bugs for the bug program -- please mail email@example.com with the bug link. We are sometimes able to catch bugs that were not mailed to us but many times it's not at all clear a bug was submitted for a bounty if you don't. bug 1019429 was not even filed with the security checkbox ticked so it wouldn't even be on our radar.
Daniel Veditz [:dveditz], I did not mail because the bug bounty program guided me to file a bug through the Bugzilla form. Well, in this case I have already filed the bug via Bugzilla, and as you told me, I have emailed the report as well. Kindly guide me now: where do I track the bug details, via email or via the Bugzilla portal for bug 1019429?
Kindly update me with the conclusion when it is done. Thanks
Is this bug fixed? Any reward or appreciation for this?
When the bug is fixed its status will change and you will be able to see that; please do not add comments to the bug that do not add to the issue at hand. If the bug is accepted for sec-bounty, the flag will change from '?' to '+'. For more information on flags and other bug markings on security bugs see: https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings#
Alright thanks for the updates.
(In reply to Umer Shakil from comment #36)
> Is this bug fixed? any reward or appreciation for this?

As was said earlier, this site is not eligible for the bounty program. Please stick to eligible sites if you wish to receive a bounty for these sorts of issues.
Flags: sec-bounty? → sec-bounty-
Adding all MDN devs to cc list of these security bugs.
I cannot replicate this bug. Here is a sandbox where I pasted the script from comment 11 into every field that would accept it (title and article source): https://developer.allizom.org/en-US/docs/User:hoosteeno$edit
Comment 21 and comment 23 each include a PR. Both were merged almost a year ago. Is it fixed? Can anyone else reproduce?
I've just attempted to reproduce this issue again and I cannot. We've completed several CKEditor upgrades over the past few months and "on" attributes are no longer allowed in any capacity. I just tested in Firefox, Safari, Chrome, and IE10.
I'm going to resolve WORKSFORME, based on comment 43 and comment 44. Thanks!
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME