Closed Bug 1035932 Opened 11 years ago Closed 11 years ago

xss via fake .svg file

Categories

(developer.mozilla.org :: Security, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: curtisk, Assigned: curtisk)

Details

(Keywords: reporter-external, Whiteboard: [site:developer.mozilla.org][reporter-external])

Attachments

(1 file)

Subject: Security Bug XSS in https://developer.mozilla.org/
From: Srikanth Y <nani528goodboy@gmail.com>
To: security@mozilla.org
-----//------

Hi,

The site https://developer.mozilla.org/en/ is subject to a cross-site scripting vulnerability. For more information on cross-site scripting vulnerabilities check https://www.owasp.org/index.php/XSS

The value of a generic parameter was not sufficiently sanitised before being written to a block of JavaScript code. An attacker could distribute a malicious URL that would trigger this vulnerability and potentially steal session cookies, redirect the user to a malicious URL or download malware onto their machine.

Affected URL: https://developer.mozilla.org/en/docs/HTML$edit

Steps to Reproduce:

1. Log in to the URL https://developer.mozilla.org/en/docs/HTML$edit with valid creds.
2. Go to the "attach files" option below; we found that it allows .svg files, so I wrote a simple PoC like this:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 50,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
confirm(document.domain);
</script>
</svg>

Save this as filename.svg.
3. Then upload this document in the attachments and visit the attachment URL, i.e. something like https://mdn.mozillademos.org/files/8092/filename.svg
4. We can share that malicious URL with anyone.
5. In my case I uploaded the xss.svg file here: https://mdn.mozillademos.org/files/8091/xss.svg. If you visit it we get a confirm box. Just visit the PoC link below in Mozilla.

PoC links: https://mdn.mozillademos.org/files/8091/xss.svg

For fixing this: proper output encoding, sanitizing JS, blacklisting malicious JS. Enable HttpOnly cookies. This might help: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Would be glad to get some bounty from you in return for this bug :) Screenshots attached.

Thanks & Regards
Srikanth
Flags: sec-bounty?
Whiteboard: [site:developer.mozilla.org][reporter-external][verif?]
Assignee: nobody → curtisk
This is an XSS on mozillademos, which can execute arbitrary JS just so we don't pollute MDN.
+1 :freddyb - mozillademos.org was set up as a separate domain to mitigate the security risks of displaying user-uploaded files. So as I understand it, this is either a non-issue, or a very low-risk issue because we put no sensitive information on mozillademos.org.
It's a non-issue then: Executing scripts on a sandbox for scripts is desired :-)
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Whiteboard: [site:developer.mozilla.org][reporter-external][verif?] → [site:developer.mozilla.org][reporter-external]
Flags: sec-bounty? → sec-bounty-
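Added example, not code from the bug or from MDN: a defender-side check that makes the reporter's finding and the triage reasoning above concrete. It flags script-capable content in an uploaded SVG (the reporter's inline <script>, plus on* handlers and javascript: hrefs), and then applies the mozillademos.org rule: such a file may be served only from a host that shares no cookie scope with the application. The sample SVGs, host names and the "last two labels" cookie-scope approximation are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not the files from the bug): the reporter's PoC shape, and a plain shape.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 50,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">confirm(document.domain);</script>
</svg>"""
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="10" fill="red"/></svg>'

def _local(name):
    """Strip ElementTree's '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1].lower()

def svg_active_content(data):
    """List the script-capable parts of an SVG upload; an empty list means none found.
    Malformed XML is reported as a finding too, since a browser may still render it."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignobject"):   # inline script, or embedded HTML
            findings.append("<%s> element" % tag)
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):             # onload=, onclick=, ...
                findings.append("event handler attribute %s on <%s>" % (name, tag))
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URL in href on <%s>" % tag)
    return findings

def shares_cookie_scope(host_a, host_b):
    """True if both hosts sit under one registrable domain, so a Domain= cookie can reach both.
    Approximation (assumed): compares the last two labels; use the Public Suffix List in production."""
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]

def upload_policy(data, serving_host, app_host):
    """The triage reasoning as a decision: active SVG content is acceptable only when the
    file is served from a host that shares no cookie scope with the application."""
    if not svg_active_content(data):
        return "serve"
    if not shares_cookie_scope(serving_host, app_host):
        return "serve-from-sandbox-origin"
    return "reject"
```

Note that a subdomain of the application (files.developer.mozilla.org, say) would not pass, which is why a wholly separate domain such as mozillademos.org is the relevant mitigation.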
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
