Bug 1018869 - cross site scripting
Status: RESOLVED WORKSFORME (Closed)
Opened 10 years ago; closed 9 years ago
Categories: developer.mozilla.org Graveyard :: General, defect
Tracking: (Not tracked)
People: Reporter: vergil901, Unassigned
References: ()
Details: Keywords: sec-high, wsec-xss; Whiteboard: [site:developer.mozilla.org] [reporter-external] stored xss
Attachments: (4 files)
Description
Hello Sir, I am an independent web security researcher currently working on a bug bounty program, and this is to inform you that your web application is vulnerable to a critical web attack, cross site scripting (XSS). I have provided you the screenshots; kindly check them. Kindly reply to me as well. I will be waiting. Thanks. Following are the details about the vulnerability and the test.
Vulnerable Link: https://developer.mozilla.org/en-US/docs/Web/JavaScript$edit
Updated•10 years ago (Reporter)
Whiteboard: stored xss
Comment 1•10 years ago (Reporter)
Updated•10 years ago
Group: mozilla-employee-confidential
Component: Developer Tools → General
Product: Firefox → Mozilla Developer Network
Comment 2•10 years ago
I've not verified this problem. Neither teoli nor I saw the pop-up. The page is reverted. Link to original: https://developer.mozilla.org/en-US/docs/Web/JavaScript$revision/611337
Comment 3•10 years ago (Reporter)
When you open the Web/JavaScript edit option, the stored script will give you the pop-up as shown in the screenshots. I would have explored more, but I was banned twice from that page while testing.
Comment 4•10 years ago (Reporter)
Enter this script in the title field.
Comment 5•10 years ago (Reporter)
Enter the script in the body with the vector changed from 1 to 2, so that we can verify from the pop-up which field is vulnerable.
Comment 6•10 years ago (Reporter)
Submit the changes, then go to the edit option again, and the vulnerability stored in the title field will give you the pop-up.
Comment 7•10 years ago (Reporter)
I have provided you with 3 more screenshots and their descriptions. Kindly follow them and you will find the XSS, as it is stored and the title field is not sanitizing the data. Thanks.
Comment 8•10 years ago
Thank you for your testing. I am reverting the page again, because we have a lot of traffic on this specific landing page. Please use a testing or stage site like https://developer.allizom.org/en-US/docs/Web/JavaScript instead. Thanks!
Comment 9•10 years ago
I saw the problem. But stop defacing anything but a test page again.
Comment 10•10 years ago
Thanks Umer. Could you add the script in the comments?
Comment 11•10 years ago (Reporter)
My sincere apologies for testing the main page; I was not aware of the testing and the main page. I will use the testing page like https://developer.allizom.org/en-US/docs/Web/JavaScript from now onwards. Can you please update me with the bug status? Or do you want me to test again, as I have provided you all of the details? Here is the script used:

'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></| \><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1) </script>"><img/id=" \><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex

Thanks, Umer
Comment 12•10 years ago (Reporter)
Kindly update me with the further details of the validity of the bug and the time period for resolving it.
Updated•10 years ago
Comment 13•10 years ago
(In reply to Umer Shakil from comment #11)
> My sincere Apologies for testing the main page I was not aware of the
> testing and the main page. I will use the testing page like
> https://developer.allizom.org/en-US/docs/Web/JavaScript from nowonwards.

Hi Umer, I've had a quick look and I can't reproduce this issue; would you be able to create a page on developer.allizom.org with the payload executing? If there are any particular browser versions needed for the payload to execute, please let me know. Thanks
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 14•10 years ago
I was able to reproduce this locally and I have
Comment 15•10 years ago (Reporter)
I have used Mozilla Firefox 29.0.1 for this.
Comment 16•10 years ago
...traced it back to a Python method which I don't think is escaping the title properly. The prompting is happening due to JSON output here: https://github.com/mozilla/kuma/blob/master/apps/wiki/templates/wiki/edit_document.html#L200 And I believe we need escaping added here: https://github.com/mozilla/kuma/blob/master/apps/wiki/models.py#L1078
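As an added illustration of the escaping gap described in comment 16 (this is example code written for this page, not kuma's template or the fix from the later PRs; the `var doc = ...` embedding, the `json_for_script` helper and the abbreviated sample title are assumptions): `json.dumps` escapes quotes and backslashes but leaves `<`, `>` and `&` untouched, so a document title containing `</script>` ends the inline script early and the rest of the title is parsed as markup. Replacing those three characters with `\uXXXX` escapes keeps the JSON valid for both the JSON and JavaScript parsers while making the text inert to the HTML parser.

```python
import json

# Constructed sample: the part of the comment 11 payload that matters in a
# <script> context, namely the two '</script>' closers it carries.
SAMPLE_TITLE = "'-->\"></script><script>alert(1) </script>\"><img/id=\""


def render_unsafe(title):
    """Naive embedding (assumed shape of the vulnerable template): json.dumps
    output dropped straight into a <script> block. The quotes are escaped,
    but '</script>' inside the title survives and closes the block early."""
    return "<script>var doc = %s;</script>" % json.dumps({"title": title})


def json_for_script(value):
    """Serialize value as JSON that is safe to embed inside a <script> element.
    '<', '>' and '&' are replaced with \\uXXXX escapes, which JSON parsers and
    JS engines decode back to the same characters but the HTML tokenizer never
    sees as tag or entity syntax. (Django's later json_script filter takes the
    same approach; this helper is a stand-in, not kuma's own code.)"""
    text = json.dumps(value)
    return (text.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))


def render_safe(title):
    """Same embedding as render_unsafe, with the hardened serializer."""
    return "<script>var doc = %s;</script>" % json_for_script({"title": title})


def script_closers(markup):
    """How many '</script>' tokens the HTML parser would encounter; anything
    above one means the inline script was broken out of."""
    return markup.count("</script>")


def roundtrip(title):
    """The hardened form must still decode to the original title unchanged."""
    return json.loads(json_for_script({"title": title}))["title"]
```

Running `script_closers(render_unsafe(SAMPLE_TITLE))` gives 3 (the real closing tag plus the two smuggled in through the title), while the hardened rendering gives exactly 1 and `roundtrip` returns the title byte-for-byte. Note that the fix lives in the serializer, not in marking the output `safe` after the fact, which is the audit point raised later in this thread.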
Comment 17•10 years ago (Reporter)
So it is a valid bug and qualifies for a reward after being fixed? Please let me know. Thanks
This looks identical to bug 882108, which was supposed to be fixed by bug 847273. Based on comment 13, I think we can close this as a dupe of 882108.
(In reply to Umer Shakil from comment #17)
> so it is a valid bug and qualifies for a reward after being fixed? please
> let me know.
> Thanks

This site is not officially in our list of eligible sites. If the bug is extraordinary we sometimes offer bounties for interesting bugs which are outside of normal policy. We do appreciate learning about bugs in all of our sites. We publish a list of eligible sites for people who are only interested in bounties and we hope that can help reduce the frustration of wasting time in unfruitful areas. http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs
Comment 20•10 years ago (Reporter)
OK, I got it. I saw the eligible domains list. The purpose of testing this domain was that I saw mozilla.org on the list, and developer.mozilla.org is a sub-domain of mozilla.org. And is it not considered extraordinary as well? Kindly resolve these queries and let me know. Thanks
Comment 21•10 years ago
This PR was merged to prevent this issue: https://github.com/mozilla/kuma/pull/2435
Comment 22•10 years ago
Umer - how did you get started testing MDN security? I want to help tell new security testers like you about our MDN dev & stage servers before they test on the production server. :)
Flags: needinfo?(vergil901)
Comment 23•10 years ago
I've opened https://github.com/mozilla/kuma/pull/2442 to fix the underlying bug. The problem is that I'm not sure if there are other instances of passing unescaped json to the templates. I'd figure this should be a highest priority issue.
Comment 24•10 years ago (Reporter)
Luke, as I told you, normally sub-domains are also included in the research areas, except those of sandbox domains; I wasn't aware about this domain, as I mentioned earlier. As I found the bug, I reported it through Bugzilla. So kindly update me with the further details and whether the vulnerability is fixed. Thanks
Flags: needinfo?(vergil901)
Comment 25•10 years ago
(In reply to Jannis Leidel [:jezdez] from comment #23)
> I've opened https://github.com/mozilla/kuma/pull/2442 to fix the underlying
> bug. The problem is that I'm not sure if there are other instances of
> passing unescaped json to the templates. I'd figure this should be a highest
> priority issue.

We ought to periodically audit for 'safe' in any case
Comment 26•10 years ago
(In reply to Umer Shakil from comment #24) I mean - how did you first decide to test MDN for security? Did you go to http://whatcanidoformozilla.org/ or maybe http://mozilla.org/contribute?
Comment 27•10 years ago (Reporter)
@Luke, Sir, I went to developer.mozilla.org through the main page of mozilla.org.
Comment 28•10 years ago
What made you want to do security testing on the site? The security bounty program?
Comment 29•10 years ago (Reporter)
Yes, the security bounty program. You are right, developer.mozilla is not in the eligible domain list, but I started working from mozilla.org. The main mozilla.org gives you four options in front when you open the site:
*) share your vision
*) try the best Firefox yet
*) become a webmaker
*) visit the Mozilla Developer Network
When somebody is testing a website, of course he will go for these sub-domains or sub-pages as well, as they are a part of the main page; testing can't be done on the single title page only, and the vulnerabilities do not lie on the single main page, so we need to see more input values and options as well. This is how I actually went there and reported to you. Thanks
Comment 30•10 years ago
Thanks Umer - that's great info. :curtisk - can we update https://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs to put developer.allizom.org - i.e., the stage server - into the list? That may help us avoid future incidents with security testers accidentally breaking production MDN pages. Not sure how we can preempt security testers who simply navigate to MDN prod from mozilla.org ...
Flags: needinfo?(curtisk)
Comment 31•10 years ago (Reporter)
No problem, you can ask for information if needed. I have submitted another XSS vulnerability; it's a stored one on addons.mozilla.org. I am waiting for a reply. The bug number is 1019429. Thanks
(In reply to Luke Crouch [:groovecoder] from comment #30)
> Thanks Umer - that's great info.
>
> :curtisk - can we update
> https://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs to
> put developer.allizom.org - i.e., the stage server - into the list? That may
> help us avoid future incidents with security testers accidentally breaking
> production MDN pages.
>
> Not sure how we can preempt security testers who simply navigate to MDN prod
> from mozilla.org ...

I'll ask dveditz if we can make that edit as soon as possible
Flags: needinfo?(curtisk)
Comment 33•10 years ago
(In reply to Umer Shakil from comment #31)
> I have submitted another xss vulnerability, its a stored one on
> addons.mozilla.org. I am waiting for a reply. The Bug number is 1019429.

Luckily I read this since I'm not working on this bug. A buried bug comment is not how you enter bugs for the bug program -- please mail security@mozilla.org with the bug link. We are sometimes able to catch bugs that were not mailed to us but many times it's not at all clear a bug was submitted for a bounty if you don't. bug 1019429 was not even filed with the security checkbox ticked so it wouldn't even be on our radar.
Comment 34•10 years ago (Reporter)
Daniel Veditz [:dveditz], I did not mail, as the bug bounty program guided me to file a bug through the Bugzilla form. Well, in this case I have already filed the bug via Bugzilla, and as you told me, I have emailed the report as well. Kindly guide me now: where do I track the bug details, via email or via the Bugzilla bug 1019429 portal?
Comment 35•10 years ago (Reporter)
||
Kindly update me with the conclusion when it is done. Thanks
Comment 36•10 years ago (Reporter)
Is this bug fixed? Any reward or appreciation for this?
When the bug is fixed its status will change and you will be able to see that; please do not add comments to the bug that do not add to the issue at hand. If the bug is accepted for sec-bounty, the flag will change from '?' to '+'. For more information on flags and other bug markings on security bugs see: https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings#
Comment 38•10 years ago (Reporter)
||
Alright thanks for the updates.
Comment 40•10 years ago
(In reply to Umer Shakil from comment #36)
> Is this bug fixed? any reward or appreciation for this?

As was said earlier, this site is not eligible for the bounty program. Please stick to eligible sites if you wish to receive a bounty for these sorts of issues.
Flags: sec-bounty? → sec-bounty-
Comment 42•10 years ago
Adding all MDN devs to cc list of these security bugs.
Comment 43•9 years ago
I cannot replicate this bug. Here is a sandbox where I pasted the script from comment 11 into every field that would accept it (title and article-source): https://developer.allizom.org/en-US/docs/User:hoosteeno$edit Comment 21 and Comment 23 each include a PR. Both were merged almost a year ago. Is it fixed? Can anyone else reproduce?
Flags: needinfo?(vergil901)
Comment 44•9 years ago
I've just attempted to reproduce this issue again and I cannot. We've completed several CKEditor upgrades over the past few months and "on" attributes are no longer allowed in any capacity. I just tested in Firefox, Safari, Chrome, and IE10.
Comment 45•9 years ago
I'm going to resolve WORKSFORME, based on comment 43 and comment 44. Thanks!
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(vergil901)
Resolution: --- → WORKSFORME
Updated•9 years ago
Group: websites-security
Updated•4 years ago
Product: developer.mozilla.org → developer.mozilla.org Graveyard