Possible Stored XSS on developers.mozilla.org

Status: RESOLVED FIXED (reported 3 years ago, last modified 2 years ago)

People: Reporter: fcuchietti; Assigned: lonnen

Tracking: Blocks: 1 bug; Keywords: sec-high, wsec-xss; Version: unspecified; Hardware: All; OS: Other
Bug Flags: sec-bounty +

Details: Whiteboard: [specification][type:bug]

Description (Reporter, 3 years ago)

What did you do?
================
Hello,

I have found a possible stored XSS on developers.mozilla.org using "data:text/html" with an image.

PoC: 

https://developer.mozilla.org/en-US/docs/Inbox/Hello_Stored_XSS

What happened?
==============
.

What should have happened?
==========================
.

Is there anything else we should know?
======================================
Lonnen - This one looks legit (opening the image triggers the xss). Could you get someone from the MDN team to look at it?
Assignee: nobody → chris.lonnen
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(chris.lonnen)
Keywords: sec-high, wsec-xss
Added to dev Inbox: https://trello.com/c/19LAXu3c/771-bug-1222864. Will discuss at planning here in 10m.
+mdn staff devs
Need some more info. I visited the page in a Firefox private browsing window and I don't see a POC - no console output, no pop-up. Didn't see anything on Chrome or Safari either. Does this only happen on the edit page, or the view page? Or am I looking for the wrong POC?
Flags: needinfo?(chris.lonnen)
(In reply to Luke Crouch [:groovecoder] from comment #4)
> Need some more info. I visited the page in a Firefox private browsing window
> and I don't see a POC - no console output, no pop-up. Didn't see anything on
> Chrome or Safari either. Does this only happen on the edit page, or the view
> page? Or am I looking for the wrong POC?

The image needs to be clicked before the pop-up appears.
Comment 6 (Reporter, 3 years ago)

Hi Luke,

you need to click on the image so that the XSS runs.
Comment 7 (Reporter, 3 years ago)

Can anyone confirm if this qualifies for a reward? Based on the Bug Bounty Program.
Bug bounty evaluation happens on a regular basis. It can take a couple of weeks, and I can't tell for sure if it will qualify, but it will definitely be evaluated for it.
This should be fixed by https://github.com/mozilla/kuma/commit/3809987b2ede1ebdf460cc7052a9de5b188f7253 which was deployed on Wednesday this week.
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
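Added here as an illustration of the class of check that closes this kind of hole (example code, not Kuma's code and not the commit linked above): a scheme allow-list applied to href and src in user-submitted wiki HTML. Two points from the thread are worth making explicit. Nothing fires on page view, which is why the first look found no console output: the payload is an image wrapped in a link whose target is a data:text/html document, and it runs only when the image is clicked and the tab navigates there. The navigation matters because Firefox of that period gave a data: document reached this way the origin of the linking page (Firefox 57 later made data: documents opaque origins), so script in it ran as developer.mozilla.org. The filter below rejects data: on links outright, allows data: on images only for raster image types, and applies the whitespace normalisation browsers apply before reading a scheme, so a "java<tab>script:" link cannot slip past a naive prefix check. The sample markup, the example.org URL and the function names are constructed for the example.

```python
"""Allow-list of URL schemes for links and images in user-submitted wiki HTML.

Added illustration; not Kuma's code and not the commit referenced in this bug.
The stored payload the report describes is an <img> wrapped in
<a href="data:text/html,...">: nothing runs on view, clicking navigates to
attacker-written HTML. Keeping only known-safe schemes closes that class.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAFE_LINK_SCHEMES = {"http", "https", "mailto"}
SAFE_IMAGE_SCHEMES = {"http", "https"}
# data: is acceptable only in <img src> and only for raster image types:
# SVG can carry script, and text/html is exactly the payload in this report.
SAFE_DATA_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}
URL_ATTRIBUTES = {"a": {"href"}, "img": {"src"}}
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_url(url):
    """Apply the whitespace handling browsers apply before reading a scheme.

    Tab, CR and LF are ignored anywhere in a URL, and leading/trailing C0
    controls and spaces are stripped, so " java\tscript:alert(1)" is a
    javascript: URL to the browser and must be one to this filter as well.
    """
    for ch in "\t\r\n":
        url = url.replace(ch, "")
    return url.strip(_C0_AND_SPACE)


def url_is_safe(url, context):
    """Return True if url may be kept; context is "link" or "image"."""
    try:
        parts = urlsplit(normalize_url(url))
    except ValueError:          # e.g. unbalanced IPv6 literal: reject what we cannot parse
        return False
    scheme = parts.scheme       # urlsplit lower-cases it, so DATA: and data: match
    if scheme == "":
        return True             # relative URL: resolves within the wiki's own origin
    if context == "link":
        return scheme in SAFE_LINK_SCHEMES
    if scheme in SAFE_IMAGE_SCHEMES:
        return True
    if scheme == "data":        # data:[<mediatype>][;base64],<data>
        header = parts.path.split(",", 1)[0]
        media_type = header.split(";", 1)[0].lower() or "text/plain"
        return media_type in SAFE_DATA_IMAGE_TYPES
    return False


class UrlSchemeFilter(HTMLParser):
    """Re-emit an HTML fragment, dropping URL attributes that fail url_is_safe.

    Only URL-bearing attributes are policed here; a tag/attribute allow-list
    (no <script>, no on* handlers) is assumed to run separately. Comments,
    doctypes and processing instructions are discarded.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # (tag, attribute, url) for every rejected URL

    def _emit_tag(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:
            if name in URL_ATTRIBUTES.get(tag, ()) and value is not None:
                context = "image" if tag == "img" else "link"
                if not url_is_safe(value, context):
                    self.dropped.append((tag, name, value))
                    continue
            kept.append(name if value is None else '%s="%s"' % (name, html.escape(value)))
        self.out.append("<" + " ".join([tag] + kept) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize_urls(fragment):
    """Return (sanitized_html, dropped) for a user-submitted HTML fragment."""
    parser = UrlSchemeFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample, not taken from the report: the payload shape it
# describes, plus benign links and an inline image that must survive.
SAMPLE = (
    '<p>Hello <a href="data:text/html,&lt;script&gt;alert(document.domain)&lt;/script&gt;">'
    '<img src="https://example.org/pic.png" alt="click me"></a></p>'
    '<a href="/en-US/docs/Web">relative</a>'
    '<a href=" JaVa\tScRiPt:alert(1)">obfuscated</a>'
    '<img src="data:image/png;base64,iVBORw0KGgo=" alt="inline png">'
)


def demo():
    return sanitize_urls(SAMPLE)


if __name__ == "__main__":
    cleaned, rejected = demo()
    print(cleaned)
    for tag, attr, url in rejected:
        print("dropped <%s %s=%r>" % (tag, attr, url))
```

Running it prints the fragment with both offending href attributes removed (the link and its image stay, so the page still renders) and the two rejected URLs. Rejecting on scheme rather than on a blacklist of strings is the point: the entity-encoded and mixed-case variants in the sample never reach a string comparison as the attacker wrote them, because the HTML parser and the URL normalisation decode them first, the same way a browser would.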
Comment 10 (Reporter, 3 years ago)

Luke,

Great fix!
Comment 11 (Reporter, 3 years ago)

(In reply to Julien Vehent [:ulfr] from comment #8)
> Bug bounty evaluation happens on a regular basis. It can take a couple of
> weeks, and I can't tell for sure if it will qualify, but it will definitely
> be evaluated for it.

Having fixed the vulnerability, will they know if it is valid for a reward?
needinfo? abillings for sec-bounty?
Flags: needinfo?(abillings)
I'll mark it for bounty consideration. In the future, Fabián, please email security@mozilla.org if you want a bug considered for the bounty (per bounty program instructions).
Flags: needinfo?(abillings) → sec-bounty?
Blocks: 835457
Flags: sec-bounty? → sec-bounty+
See Also: → bug 1225524
Comment 15 (Reporter, 3 years ago)

Hi, 

when are they updating the Hall of Fame?

Regards.
(In reply to Fabián Cuchietti from comment #15)
> Hi, 
> 
> when are they updating the Hall of Fame?
> 
> Regards.

Please email questions to security@mozilla.org instead of leaving bug comments if you have questions that aren't related to getting a bug fixed.
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security