Closed Bug 1222864 Opened 10 years ago Closed 10 years ago

Possible Stored XSS on developers.mozilla.org

Categories

(developer.mozilla.org Graveyard :: General, defect)

All
Other
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: fcuchietti, Assigned: lonnen)

Details

(Keywords: reporter-external, sec-high, wsec-xss, Whiteboard: [specification][type:bug])

What did you do?
================
Hello, I have found a possible stored XSS on developers.mozilla.org using "data:text/html" with an image. PoC: https://developer.mozilla.org/en-US/docs/Inbox/Hello_Stored_XSS

What happened?
==============
.

What should have happened?
==========================
.

Is there anything else we should know?
======================================
Lonnen - This one looks legit (opening the image triggers the xss). Could you get someone from the MDN team to look at it?
Assignee: nobody → chris.lonnen
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(chris.lonnen)
Keywords: sec-high, wsec-xss
Added to dev Inbox: https://trello.com/c/19LAXu3c/771-bug-1222864
Will discuss at planning here in 10m.
+mdn staff devs
Need some more info. I visited the page in a Firefox private browsing window and I don't see a POC - no console output, no pop-up. Didn't see anything on Chrome or Safari either. Does this only happen on the edit page, or the view page? Or am I looking for the wrong POC?
Flags: needinfo?(chris.lonnen)
(In reply to Luke Crouch [:groovecoder] from comment #4)
> Need some more info. I visited the page in a Firefox private browsing window
> and I don't see a POC - no console output, no pop-up. Didn't see anything on
> Chrome or Safari either. Does this only happen on the edit page, or the view
> page? Or am I looking for the wrong POC?

The image needs to be clicked before the pop-up appears.
Hi Luke, you need to click on the image so that the XSS runs.
Can anyone confirm if this qualifies for a reward? Based on the Bug Bounty Program.
Bug bounty evaluation happens on a regular basis. It can take a couple of weeks, and I can't tell for sure if it will qualify, but it will definitely be evaluated for it.
This should be fixed by https://github.com/mozilla/kuma/commit/3809987b2ede1ebdf460cc7052a9de5b188f7253 which was deployed on Wednesday this week.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
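An added example, not the code from the kuma commit linked above (whose contents are not shown on this page): one way to audit stored wiki HTML for link or image URLs whose scheme falls outside an allowlist, the class of issue reported here with `data:text/html`. The allowlist, the attribute set and the sample markup are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# Assumed policy for this example: only these schemes may appear in stored URLs.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
URL_ATTRS = {"href", "src"}

# Browsers drop tab/CR/LF inside a URL and leading control/space characters
# before reading the scheme, so normalise the same way before checking.
_INNER_WS = re.compile(r"[\t\r\n]")
_LEADING = "".join(map(chr, range(0x21)))  # U+0000 .. U+0020
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def url_scheme(value):
    """Return the lowercased scheme of value, or None for a relative URL."""
    cleaned = _INNER_WS.sub("", value).lstrip(_LEADING)
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None


def is_allowed_url(value):
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


class LinkAuditor(HTMLParser):
    """Collect (tag, attr, scheme) for each URL attribute that fails the policy."""

    def __init__(self):
        super().__init__()
        self.rejected = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in attribute
        # values, so an entity-encoded scheme is checked in its decoded form.
        for name, value in attrs:
            if name in URL_ATTRS and value and not is_allowed_url(value):
                self.rejected.append((tag, name, url_scheme(value)))


def audit(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.rejected


# Constructed sample of stored page content: two images wrapped in links.
SAMPLE = (
    '<p><a href="https://example.org/ok"><img src="/media/a.png"></a></p>'
    '<p><a href=" DaTa:text/html,constructed"><img src="/media/b.png"></a></p>'
)
```

Running `audit(SAMPLE)` flags only the second link; a sanitizer would apply the same check at save time and drop or rewrite the attribute rather than just report it.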
Luke, Great fix!
(In reply to Julien Vehent [:ulfr] from comment #8)
> Bug bounty evaluation happens on a regular basis. It can take a couple of
> weeks, and I can't tell for sure if it will qualify, but it will definitely
> be evaluated for it.

Having fixed the vulnerability, will they know if it is valid for a reward?
needinfo? abillings for sec-bounty?
Flags: needinfo?(abillings)
I'll mark it for bounty consideration. In the future, Fabián, please email security@mozilla.org if you want a bug considered for the bounty (per bounty program instructions).
Flags: needinfo?(abillings) → sec-bounty?
Flags: sec-bounty? → sec-bounty+
See Also: → 1225524
Hi, when are they updating the Hall of Fame? Regards.
(In reply to Fabián Cuchietti from comment #15)
> Hi,
>
> when are they updating the Hall of Fame?
>
> Regards.

Please email questions to security@mozilla.org instead of leaving bug comments if you have questions that aren't related to getting a bug fixed.
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: developer.mozilla.org → developer.mozilla.org Graveyard