What did you do?
================
Hello, I have found a possible stored XSS on developers.mozilla.org using "data:text/html" with an image.

PoC: https://developer.mozilla.org/en-US/docs/Inbox/Hello_Stored_XSS

What happened?
==============
.

What should have happened?
==========================
.

Is there anything else we should know?
======================================
Lonnen - This one looks legit (opening the image triggers the xss). Could you get someone from the MDN team to look at it?
Assignee: nobody → chris.lonnen
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Keywords: sec-high, wsec-xss
Added to dev Inbox: https://trello.com/c/19LAXu3c/771-bug-1222864 Will discuss at planning here in 10m.
+mdn staff devs
Need some more info. I visited the page in a Firefox private browsing window and I don't see a POC - no console output, no pop-up. Didn't see anything on Chrome or Safari either. Does this only happen on the edit page, or the view page? Or am I looking for the wrong POC?
(In reply to Luke Crouch [:groovecoder] from comment #4)
> Need some more info. I visited the page in a Firefox private browsing window
> and I don't see a POC - no console output, no pop-up. Didn't see anything on
> Chrome or Safari either. Does this only happen on the edit page, or the view
> page? Or am I looking for the wrong POC?

The image needs to be clicked before the pop-up appears.
Hi Luke, you need to click on the image so that the XSS runs.
Can anyone confirm whether this qualifies for a reward under the Bug Bounty Program?
Bug bounty evaluation happens on a regular basis. It can take a couple of weeks, and I can't tell for sure if it will qualify, but it will definitely be evaluated for it.
This should be fixed by https://github.com/mozilla/kuma/commit/3809987b2ede1ebdf460cc7052a9de5b188f7253 which was deployed on Wednesday this week.
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Luke, Great fix!
(In reply to Julien Vehent [:ulfr] from comment #8)
> Bug bounty evaluation happens on a regular basis. It can take a couple of
> weeks, and I can't tell for sure if it will qualify, but it will definitely
> be evaluated for it.

Having fixed the vulnerability, will they know if it is valid for a reward?
needinfo? abillings for sec-bounty?
I'll mark it for bounty consideration. In the future, Fabián, please email firstname.lastname@example.org if you want a bug considered for the bounty (per bounty program instructions).
Flags: needinfo?(abillings) → sec-bounty?
When I was reviewing this code, I familiarized myself with the OWASP pages on XSS:

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

This particular issue wasn't called out, since the focus of the page isn't on wiki-style sites, but the closest sections are:

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.235_-_URL_Escape_Before_Inserting_Untrusted_Data_into_HTML_URL_Parameter_Values
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#You_can_EMBED_SVG_which_can_contain_your_XSS_vector
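The kind of check the OWASP rule above is asking for, as an added example in Python (this is not kuma's code and not the content of the linked commit): a scheme allowlist applied to every href/src in user-supplied HTML, after the same normalisation a browser performs, so that data: and javascript: URLs are rejected even when obfuscated with entities, leading whitespace or embedded tabs. The report says the pop-up appears only when the image is clicked, so the sample fragment assumes the image sits inside an <a> whose href is a data:text/html URL; the exact PoC markup is not on this page and the fragment, the file path and the allowlist are all constructed for the example.

```python
import html
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Schemes a wiki may safely allow in href/src. Everything else (data:,
# javascript:, vbscript:, ...) is rejected. Assumed allowlist for this
# example; kuma's actual list is not on this page.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers strip leading/trailing C0 controls and spaces, and remove tab/CR/LF
# anywhere, before looking for a scheme. Do the same so evasions do not pass.
_EDGE_JUNK = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_INNER_JUNK = re.compile(r"[\t\n\r]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def url_scheme(value: str) -> Optional[str]:
    """Scheme a browser would parse from an attribute value, lower-cased, or
    None for a scheme-less (relative) URL. Entities are decoded first, so
    "&#106;avascript:" and "  JAVA\tSCRIPT:" both resolve to "javascript"."""
    cleaned = _INNER_JUNK.sub("", _EDGE_JUNK.sub("", html.unescape(value)))
    m = _SCHEME.match(cleaned)
    return m.group(1).lower() if m else None


def is_safe_url(value: str) -> bool:
    """True only for relative URLs or URLs whose scheme is on the allowlist."""
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


class LinkSanitizer(HTMLParser):
    """Re-serialise a fragment, dropping href/src values that fail is_safe_url.
    Tag and attribute allowlisting (what a bleach-style sanitizer also does)
    is left out so the example isolates the URL-scheme check."""

    URL_ATTRS = {"href", "src"}

    def __init__(self) -> None:
        super().__init__()
        self.out: List[str] = []
        self.dropped: List[Tuple[str, str, str]] = []

    def _render(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if value is None:                      # boolean attribute
                parts.append(name)
            elif name in self.URL_ATTRS and not is_safe_url(value):
                self.dropped.append((tag, name, value))   # record and omit
            else:
                parts.append(f'{name}="{html.escape(value)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (sanitised_html, list of (tag, attribute, value) that were dropped)."""
    p = LinkSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped


# Constructed stored-page content in the shape the report describes: an image
# wrapped in a data:text/html link, plus two obfuscated javascript: links and
# two links that must survive.
STORED_PAGE = (
    '<p>Hello</p>'
    '<a href="data:text/html,&lt;script&gt;alert(document.domain)&lt;/script&gt;">'
    '<img src="/files/example.png" alt="x"></a>'
    '<a href="&#106;avascript:alert(1)">also bad</a>'
    '<a href="  JAVA\tSCRIPT:alert(1)">tricks</a>'
    '<a href="https://developer.mozilla.org/">fine</a>'
    '<a href="/en-US/docs/Web">relative is fine</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(STORED_PAGE)
    print(clean)
    for tag, attr, value in dropped:
        print(f"dropped <{tag} {attr}> with scheme {url_scheme(value)!r}")
```

Run as a script it prints the sanitised fragment and three dropped attributes (data, javascript, javascript). The check is deliberately applied to the decoded, normalised value rather than to the raw attribute text, because a denylist on the literal string "javascript:" is exactly what the entity and tab variants are written to evade; an allowlist of schemes plus "no scheme" (relative URLs) fails closed for anything new, including data:, without relying on whatever a given browser currently does with a top-level data: navigation.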
Hi, when are they updating the Hall of Fame? Regards.
(In reply to Fabián Cuchietti from comment #15)
> Hi,
>
> when they are updating the Hall of Fame?
>
> Regards.

Please email questions to email@example.com instead of leaving bug comments if you have questions that aren't related to getting a bug fixed.
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.