Closed
Bug 1151523
Opened 10 years ago
Closed 10 years ago
XSS while editing in MDN
Categories
(developer.mozilla.org :: Security, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: abillings, Assigned: davidwalsh)
Details
(Keywords: reporter-external, sec-high, wsec-xss)
Attachments
(1 file)
967.43 KB,
video/mp4
We've received the following email:
From: Mohamed Khaled <sirmatrixpage@gmail.com>
Date: Fri, Apr 3, 2015 at 10:36 PM
Subject: Security Report
To: security@mozilla.org
Hello Mozilla Team,
My name is Mohamed Khaled [ security researcher ] from Egypt.
Type: Cross Site Scripting
About XSS: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
POC:
1 - Go to [ https://developer.mozilla.org/en-US/docs/ ]
2 - Create a new topic
3 - Add iframe XSS code in the source in the editor
4 - Preview your code [ the XSS code pop-up shows ]
In mail - POC video
Updated•10 years ago (Reporter)
Flags: sec-bounty?
Comment 1•10 years ago
Needinfo anyone from svc websec to pick this up
Flags: needinfo?(yboily)
Flags: needinfo?(sbennetts)
Flags: needinfo?(amuntner)
Comment 2•10 years ago
:davidwalsh for more input: IIRC we've had these bugs with CKEditor in the past where *it* doesn't escape unsafe HTML?
Flags: needinfo?(dwalsh)
Comment 3•10 years ago (Assignee)
We have had those issues in the past but hadn't seen any pop up recently, and this one is a pattern I hadn't seen before. :/
I could recreate with IE10 and Chrome and the following string:
<iframe src=j	a	v	a	s	c	r	i	p	t	:	a	l	e	r	t	%28		1	%29></iframe>
It never makes it to the document view but does happen when editing the document as well.
I have:
1. Created a ticket for the CKE team: https://dev.ckeditor.com/ticket/13160
2. Contacted the CKE lead developer to escalate the issue.
I'll be looking for ways to prevent the issue ASAP/now
Flags: needinfo?(dwalsh)
Comment 4•10 years ago
Hello again,
When an attacker uses this form to exploit XSS, he can steal the victim's cookies,
as shown in the pictures.
Link: http://i.imgur.com/cQ9bLBo.png
Thanks
Updated•10 years ago
Flags: needinfo?(sbennetts)
Comment 5•10 years ago (Assignee)
I spoke to the lead developer of CKEditor and we came to the following conclusions:
1. Maybe bleaching on the way in would be good, which I've asserted for a long time.
2. He considers this "not a bug" because (1) we shouldn't be storing XSS issues and (2) iframe src="javascript:;" is valid -- we're only encountering this because it's stored.
In speaking with the dev team, I recommend the following:
1. We disallow <iframe> in the CKEditor. It's begging for trouble, even if we validate domains on the server side.
2. Writers use an {{ iframe() }} macro to create IFRAMEs. That would keep <iframe> out of our CKEditor and would prevent users from being XSS'd.
I'll create a pull request today to disallow IFRAMEs in CKEditor but we need to figure out how to migrate existing docs/revisions to use the macro. Luke, does this sound reasonable? Wanna send meeting invite out for it?
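Added example (not Kuma's or CKEditor's code) tying comment 3's string to the recommendation above: a startswith("javascript:") check never fires on the tab-separated src, but after the tab/newline stripping browsers apply to URLs the scheme is javascript and the body decodes to alert(1), so the robust fix is an allow-list sanitizer whose list simply contains no iframe. The allow-list contents are assumed for illustration, and the constructed payload quotes the src so the whole tab-separated value is one attribute.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed src shaped like comment 3's: tab-separated scheme letters and
# percent-encoded parentheses; quoted so the whole value is one attribute.
PAYLOAD_SRC = "j\ta\tv\ta\ts\tc\tr\ti\tp\tt\t:\ta\tl\te\tr\tt\t%28\t1\t%29"
PAYLOAD = f'<iframe src="{PAYLOAD_SRC}"></iframe><p>text</p>'

ALLOWED_TAGS = {"p", "a", "img", "em", "strong"}  # assumed list; no iframe
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", ""}              # "" is a relative URL

def naive_is_javascript_url(url):
    """The check comment 3's string slips past: it never sees 'javascript:'."""
    return url.lower().startswith("javascript:")

def browser_view(url):
    """(scheme, body) as a browser sees it: WHATWG URL parsing strips ASCII tab and
    newline anywhere in the input and surrounding whitespace; a javascript: body is then percent-decoded before it runs."""
    cleaned = re.sub(r"[\t\n\r]", "", url).strip()
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.-]*):(.*)", cleaned, re.S)
    return (m.group(1).lower(), unquote(m.group(2))) if m else ("", cleaned)

class AllowListSanitizer(HTMLParser):
    """Re-emits only allow-listed tags; URL attributes on kept tags need a safe scheme after browser-style normalisation."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                                   # <iframe> is dropped here
        kept = []
        for name, value in attrs:
            value = value or ""
            if name in URL_ATTRS and browser_view(value)[0] not in SAFE_SCHEMES:
                continue                             # javascript:, data:, vbscript: ...
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data))           # decoded text is re-escaped

def sanitize(markup):
    p = AllowListSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out)
```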
Comment 6•10 years ago
Hello again,
This XSS bug is on CKEditor; we cannot say that it does not exist. The XSS pop-up shows, and when we write
"><img src=x onerror=prompt(document.cookie)> we can see the cookie via JavaScript in the editor.
Can an attacker use exploit code when the victim shows the source code of the topic?
Can an attacker steal the victim's cookies?
I think that CKEditor doesn't care about the importance of the subject, because it leads to the penetration of most of the way and different.
Please review, this may affect Mozilla.
Comment 7•10 years ago (Assignee)
First step in the process: https://github.com/mozilla/kuma/pull/3171
Comment 8•10 years ago
When the iframe shows the XSS pop-up, the exploit has succeeded.
Updated•10 years ago
Flags: needinfo?(amuntner)
Updated•10 years ago
Assignee: nobody → dwalsh
Severity: normal → critical
Priority: -- → P1
Comment 9•10 years ago
Any new news about this bug?
Comment 10•10 years ago (Assignee)
Sheppy: Where are we on the macro implementation so we can move forward?
Flags: needinfo?(eshepherd)
Comment 11•10 years ago
:sheppy - can you update this bug with our efforts to clean up the YouTube iframe content to use the new KS macro so we can close this up on our side of the CKEditor code?
Comment 12•10 years ago
(In reply to sirmatrixpage from comment #6)
> Can an attacker use exploit code when the victim shows the source code of the topic?
> Can an attacker steal the victim's cookies?
The sessionid cookie is http-only so you can't steal the user's session, but while they were still viewing your hijacked page you could modify the site as the user. The site damage is no big deal--like a wiki people can sign up with anonymous enough accounts to vandalize and the community simply has to be able to deal with that. But it could be embarrassing for the user if others believed they really did it.
I can't reproduce on Firefox or Chrome. Did we update the production site with the patch in comment 7?
Comment 13•10 years ago
(In reply to Daniel Veditz [:dveditz] from comment #12)
> (In reply to sirmatrixpage from comment #6)
> > Can an attacker use exploit code when the victim shows the source code of the topic?
> > Can an attacker steal the victim's cookies?
>
> The sessionid cookie is http-only so you can't steal the user's session, but
> while they were still viewing your hijacked page you could modify the site
> as the user. The site damage is no big deal--like a wiki people can sign up
> with anonymous enough accounts to vandalize and the community simply has to
> be able to deal with that. But it could be embarrassing for the user if
> others believed they really did it.
>
> I can't reproduce on Firefox or Chrome. Did we update the production site
> with the patch in comment 7?
Yes. <iframes> are no longer allowed unless they are inserted by a KumaScript macro.
The YouTube button CKEditor add-on has a second PR pending; once that lands, we will have UX for inserting the macro conveniently.
Flags: needinfo?(eshepherd)
Comment 14•10 years ago
As in comment 12, I cannot reproduce this on staging. I'm using this as my sandbox:
https://developer.allizom.org/en-US/docs/User:megaman$edit
I am pasting the iframe code from comment 3 into the article-source.
Is this fixed?
Flags: needinfo?(dwalsh)
Comment 15•10 years ago (Assignee)
Yes -- CKEditor no longer allows IFRAMEs of any kind.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(yboily)
Flags: needinfo?(dwalsh)
Resolution: --- → FIXED
Comment 16•10 years ago
Will I be added to the hall of fame?
I hope : )
Updated•10 years ago (Reporter)
Flags: sec-bounty? → sec-bounty+
Comment 18•9 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•9 months ago
Keywords: reporter-external