Closed Bug 1018869 Opened 10 years ago Closed 9 years ago

cross site scripting

Categories: developer.mozilla.org Graveyard :: General, defect
Platform / OS: Other / Windows 7
Type: defect
Priority: Not set
Severity: critical

Tracking: Not tracked

Status: RESOLVED WORKSFORME

People: Reporter: vergil901, Unassigned

References: none

Details: Keywords: sec-high, wsec-xss; Whiteboard: [site:developer.mozilla.org] [reporter-external] stored xss

Attachments: 4 files

Hello Sir,
I am an independent web security researcher currently working on a bug bounty program, and this is to inform you that your web application is vulnerable to a critical web attack, cross site scripting (XSS). I have provided you the screenshots; kindly check them.
Kindly reply to me as well. I will be waiting.
Thanks
Following are the details about the vulnerability and the test.

Vulnerable Link:
https://developer.mozilla.org/en-US/docs/Web/JavaScript$edit
Whiteboard: stored xss
Attached image stored xss
Group: mozilla-employee-confidential
Component: Developer Tools → General
Product: Firefox → Mozilla Developer Network
I've not verified this problem. Neither teoli nor I saw the pop-up.

The page is reverted. Link to original: https://developer.mozilla.org/en-US/docs/Web/JavaScript$revision/611337
When you open the Web/JavaScript edit option, the stored script will give you the pop-up as shown in the screenshots. I would have explored more, but I was banned twice from that page while testing.
Enter this script in the title field.
Enter the script in the body with the vector changed from 1 to 2, so that we can verify from the pop-up which field is vulnerable.
Submit the changes and then go to the edit option again; the vulnerability stored in the title field will give you the pop-up.
I have provided you with 3 more screenshots and their descriptions. Kindly follow them and you will find the XSS, as it is stored and the title field is not sanitizing the data.
Thanks
Thank you for your testing. I am reverting the page again, because we have a lot of traffic on this specific landing page. Please use a testing or stage site like https://developer.allizom.org/en-US/docs/Web/JavaScript instead. Thanks!
I saw the problem. But stop defacing anything other than a test page again.
Thanks Umer. Could you add the script in the comments?
My sincere apologies for testing the main page; I was not aware of the testing and the main page. I will use the testing page like https://developer.allizom.org/en-US/docs/Web/JavaScript from now onwards. Can you please update me with the bug status? Or do you want me to test again, as I have provided you all of the details?
Here is the script used:
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></| \><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1) </script>"><img/id="
\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex 

Thanks,
Umer
Kindly update me with further details on the validity of the bug and the resolution timeframe.
Group: mozilla-employee-confidential → websites-security
Flags: sec-bounty?
Keywords: sec-high, wsec-xss
Whiteboard: stored xss → [site:developer.mozilla.org] [reporter-external] stored xss
(In reply to Umer Shakil from comment #11)
> My sincere Apologies for testing the main page I was not aware of the
> testing and the main page. I will use the testing page like
> https://developer.allizom.org/en-US/docs/Web/JavaScript from now onwards.

Hi Umer,

I've had a quick look and I can't reproduce this issue; would you be able to create a page on developer.allizom.org with the payload executing? If there are any particular browser versions needed for the payload to execute, please let me know.

Thanks
Status: UNCONFIRMED → NEW
Ever confirmed: true
I was able to reproduce this locally and I have
I have used Mozilla Firefox 29.0.1 for this.
...traced it back to a Python method which I don't think is escaping the title properly.

The prompting is happening due to JSON output here:

https://github.com/mozilla/kuma/blob/master/apps/wiki/templates/wiki/edit_document.html#L200

And I believe we need escaping added here:

https://github.com/mozilla/kuma/blob/master/apps/wiki/models.py#L1078
So it is a valid bug and qualifies for a reward after being fixed? Please let me know.
Thanks
This looks identical to bug 882108, which was supposed to be fixed by bug 847273. Based on comment 13, I think we can close this as a dupe of 882108.
(In reply to Umer Shakil from comment #17)
> so it is a valid bug and qualifies for a reward after being fixed? please
> let me know. 
> Thanks


This site is not officially in our list of eligible sites. If the bug is extraordinary we sometimes offer bounties for interesting bugs which are outside of normal policy.

We do appreciate learning about bugs in all of our sites. We publish a list of eligible sites for people who are only interested in bounties and we hope that can help reduce the frustration of wasting time in unfruitful areas.
http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs
OK, I got it. I saw the eligible domains list. The purpose of testing this domain was that I saw mozilla.org on the list, and developer.mozilla.org is a sub-domain of mozilla.org. And is it not considered extraordinary as well? Kindly resolve these queries and let me know, thanks.
This PR was merged to prevent this issue:

https://github.com/mozilla/kuma/pull/2435
Umer - how did you get started testing MDN security?

I want to help tell new security testers like you about our MDN dev & stage servers before they test on the production server. :)
Flags: needinfo?(vergil901)
I've opened https://github.com/mozilla/kuma/pull/2442 to fix the underlying bug. The problem is that I'm not sure if there are other instances of passing unescaped json to the templates. I'd figure this should be a highest priority issue.
Luke, as I told you, normally sub-domains are also included in the research areas, except those of sandbox domains; I wasn't aware about this domain, as I mentioned earlier. As I found the bug, I reported it through Bugzilla. So kindly update me with further details and when the vulnerability is fixed.
Thanks
Flags: needinfo?(vergil901)
(In reply to Jannis Leidel [:jezdez] from comment #23)
> I've opened https://github.com/mozilla/kuma/pull/2442 to fix the underlying
> bug. The problem is that I'm not sure if there are other instances of
> passing unescaped json to the templates. I'd figure this should be a highest
> priority issue.

We ought to periodically audit for 'safe' in any case
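Two points in this thread lend themselves to a worked illustration: the comment above that traced the prompt to JSON output in edit_document.html with an unescaped title, and the remark about periodically auditing templates for 'safe'. The following is an added example written for this page, not code from mozilla/kuma or from any commenter. The function names (json_naive, json_for_html, find_safe_filters, and the rest), the sample document, and the template snippet are constructed for the demonstration and are not taken from the project.

```python
"""Escaping JSON for safe embedding in an HTML <script> block, plus a small
audit helper that lists every use of the Jinja/Django ``|safe`` filter in a
template.

Added example for this bug thread; it is not code from mozilla/kuma or from
any commenter. Function names, the sample document and the template text are
constructed for the demonstration.
"""
import json
import re

# Characters that let JSON text break out of a <script> block or be
# re-interpreted by the HTML parser when it is dropped into a template
# unescaped. Replacing them with JSON \uXXXX escapes keeps the decoded value
# identical after JSON.parse() in the browser.
_HTML_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
}


def json_naive(obj) -> str:
    """The pattern the bug describes: plain json.dumps() output that the
    template then marks as safe. A '</script>' in a title survives intact."""
    return json.dumps(obj)


def json_for_html(obj) -> str:
    """JSON that can be placed inside <script> without closing the element.

    json.dumps() is left at ensure_ascii=True, so U+2028 / U+2029 (line
    terminators in JavaScript) already come out as \\u2028 / \\u2029.
    """
    text = json.dumps(obj)
    for raw, escaped in _HTML_UNSAFE.items():
        text = text.replace(raw, escaped)
    return text


def round_trips(obj) -> bool:
    """True if escaping did not change the value a JSON parser recovers."""
    return json.loads(json_for_html(obj)) == obj


def render_script(obj, escaper) -> str:
    """Render a <script> block the way a template would, using `escaper`."""
    return "<script>var doc = " + escaper(obj) + ";</script>"


def script_breaks_out(html: str) -> bool:
    """A correctly escaped block contains exactly one closing </script>."""
    return html.lower().count("</script>") != 1


# Constructed template snippet: the |safe use on line 2 is the pattern the
# audit should surface for review; line 3 shows the escaped alternative.
SAMPLE_TEMPLATE = """<script>
  var doc = {{ document_json|safe }};
  var ok  = {{ json_for_html(document) }};
</script>
<h1>{{ document.title }}</h1>
"""

_SAFE_FILTER_RE = re.compile(r"\{\{\s*(?P<expr>[^}]*?)\s*\|\s*safe\s*\}\}")


def find_safe_filters(template_src: str):
    """Return (line_number, expression) for every {{ expr|safe }} in the
    template source so each occurrence can be reviewed by hand."""
    hits = []
    for lineno, line in enumerate(template_src.splitlines(), start=1):
        for match in _SAFE_FILTER_RE.finditer(line):
            hits.append((lineno, match.group("expr")))
    return hits


if __name__ == "__main__":
    doc = {"title": "</script><b>hello</b>"}
    print(render_script(doc, json_naive))      # two </script> closers
    print(render_script(doc, json_for_html))   # one, the real one
    print(find_safe_filters(SAMPLE_TEMPLATE))  # [(2, 'document_json')]
```

The escaping keeps the output valid JSON, so a template can emit it without `|safe` ever being needed for the data itself; the audit helper is deliberately coarse (every `|safe` is reported) because the review decision is whether the expression is server-generated markup or user-controlled data.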
(In reply to Umer Shakil from comment #24)

I mean - how did you first decide to test MDN for security? Did you go to http://whatcanidoformozilla.org/ or maybe http://mozilla.org/contribute?
@Luke, Sir I went to developer.mozilla.org through the main page of mozilla.org.
What made you want to do security testing on the site? The security bounty program?
Yes, the security bounty program. You are right, developer.mozilla.org is not in the eligible domain list, but I started working from mozilla.org. The main mozilla.org page gives you four options in front when you open the site:
*)share your vision
*)try the best firefox yet
*)become a webmaker
*)Visit the mozilla developer network
When somebody is testing a website, of course he will go for these sub-domains or sub-pages as well, as they are a part of the main page. Testing can't be done on the single title page only, and the vulnerabilities do not lie on the single main page; we need to see more input values and options as well. This is how I actually went there and reported to you.
Thanks
Thanks Umer - that's great info.

:curtisk - can we update https://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs to put developer.allizom.org - i.e., the stage server - into the list? That may help us avoid future incidents with security testers accidentally breaking production MDN pages.

Not sure how we can preempt security testers who simply navigate to MDN prod from mozilla.org ...
Flags: needinfo?(curtisk)
No problem, you can ask for information if needed.
I have submitted another XSS vulnerability; it's a stored one on addons.mozilla.org. I am waiting for a reply. The bug number is 1019429.
Thanks
(In reply to Luke Crouch [:groovecoder] from comment #30)
> Thanks Umer - that's great info.
> 
> :curtisk - can we update
> https://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs to
> put developer.allizom.org - i.e., the stage server - into the list? That may
> help us avoid future incidents with security testers accidentally breaking
> production MDN pages.
> 
> Not sure how we can preempt security testers who simply navigate to MDN prod
> from mozilla.org ...

I'll ask dveditz if we can make that edit as soon as possible
Flags: needinfo?(curtisk)
(In reply to Umer Shakil from comment #31)
> I have submitted another xss vulnerability, its a stored one on
> addons.mozilla.org. I am waiting for a reply. The Bug number is 1019429.

Luckily I read this since I'm not working on this bug. A buried bug comment is not how you enter bugs for the bug program -- please mail security@mozilla.org with the bug link. We are sometimes able to catch bugs that were not mailed to us but many times it's not at all clear a bug was submitted for a bounty if you don't. bug 1019429 was not even filed with the security checkbox ticked so it wouldn't even be on our radar.
Daniel Veditz [:dveditz], I did not mail because the bug bounty program guided me to file a bug through the Bugzilla form. Well, in this case I have already filed the bug via Bugzilla, and as you told me, I have emailed the report as well. Kindly guide me now: where do I track the bug details, via email or via the Bugzilla bug 1019429 portal?
Kindly update me with the conclusion when it is done.
Thanks
Is this bug fixed? Any reward or appreciation for this?
When the bug is fixed its status will change and you will be able to see that; please do not add comments to the bug that do not add to the issue at hand. If the bug is accepted for sec-bounty, the flag will change from '?' to '+'. For more information on flags and other bug markings on security bugs see: https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings#
Alright thanks for the updates.
(In reply to Umer Shakil from comment #36)
> Is this bug fixed? any reward or appreciation for this?

As was said earlier, this site is not eligible for the bounty program. Please stick to eligible sites if you wish to receive a bounty for these sorts of issues.
Flags: sec-bounty? → sec-bounty-
Adding all MDN devs to cc list of these security bugs.
I cannot replicate this bug. Here is a sandbox where I pasted the script from comment 11 into every field that would accept it (title and article-source): https://developer.allizom.org/en-US/docs/User:hoosteeno$edit

Comment 21 and Comment 23 each include a PR. Both were merged almost a year ago. Is it fixed? Can anyone else reproduce?
Flags: needinfo?(vergil901)
I've just attempted to reproduce this issue again and I cannot. We've completed several CKEditor upgrades over the past few months and "on" attributes are no longer allowed in any capacity. I just tested in Firefox, Safari, Chrome, and IE10.
I'm going to resolve WORKSFORME, based on comment 43 and comment 44. Thanks!
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(vergil901)
Resolution: --- → WORKSFORME
Group: websites-security
Product: developer.mozilla.org → developer.mozilla.org Graveyard