Closed
Bug 1222864
Opened 9 years ago
Closed 9 years ago
Possible Stored XSS on developers.mozilla.org
Categories
(developer.mozilla.org Graveyard :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: fcuchietti, Assigned: lonnen)
References
Details
(Keywords: sec-high, wsec-xss, Whiteboard: [specification][type:bug])
What did you do?
================
Hello, I have found a possible stored XSS on developers.mozilla.org using "data:text/html" with an image.

PoC: https://developer.mozilla.org/en-US/docs/Inbox/Hello_Stored_XSS

What happened?
==============
.

What should have happened?
==========================
.

Is there anything else we should know?
======================================
Comment 1•9 years ago
Lonnen - This one looks legit (opening the image triggers the xss). Could you get someone from the MDN team to look at it?
Comment 2•9 years ago
Added to dev Inbox: https://trello.com/c/19LAXu3c/771-bug-1222864 Will discuss at planning here in 10m.
Comment 3•9 years ago
+mdn staff devs
Comment 4•9 years ago
Need some more info. I visited the page in a Firefox private browsing window and I don't see a POC - no console output, no pop-up. Didn't see anything on Chrome or Safari either. Does this only happen on the edit page, or the view page? Or am I looking for the wrong POC?
Flags: needinfo?(chris.lonnen)
Comment 5•9 years ago
(In reply to Luke Crouch [:groovecoder] from comment #4)
> Need some more info. I visited the page in a Firefox private browsing window
> and I don't see a POC - no console output, no pop-up. Didn't see anything on
> Chrome or Safari either. Does this only happen on the edit page, or the view
> page? Or am I looking for the wrong POC?

The image needs to be clicked before the pop-up appears.
Comment 6•9 years ago (Reporter)
Hi Luke, you need to click on the image so that the XSS runs.
Comment 7•9 years ago (Reporter)
Can anyone confirm if this qualifies for a reward, based on the Bug Bounty Program?
Comment 8•9 years ago
Bug bounty evaluation happens on a regular basis. It can take a couple of weeks, and I can't tell for sure if it will qualify, but it will definitely be evaluated for it.
Comment 9•9 years ago
This should be fixed by https://github.com/mozilla/kuma/commit/3809987b2ede1ebdf460cc7052a9de5b188f7253 which was deployed on Wednesday this week.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 10•9 years ago (Reporter)
Luke, great fix!
Comment 11•9 years ago (Reporter)
(In reply to Julien Vehent [:ulfr] from comment #8)
> Bug bounty evaluation happens on a regular basis. It can take a couple of
> weeks, and I can't tell for sure if it will qualify, but it will definitely
> be evaluated for it.

Having fixed the vulnerability, will they know if it is valid for a reward?
Comment 13•9 years ago
I'll mark it for bounty consideration. In the future, Fabián, please email security@mozilla.org if you want a bug considered for the bounty (per bounty program instructions).
Flags: needinfo?(abillings) → sec-bounty?
Updated•9 years ago
Flags: sec-bounty? → sec-bounty+
Comment 14•9 years ago
When I was reviewing this code, I familiarized myself with the OWASP pages on XSS:

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

This particular issue wasn't called out, since the focus of the page isn't on wiki-style sites, but the closest sections are:

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.235_-_URL_Escape_Before_Inserting_Untrusted_Data_into_HTML_URL_Parameter_Values
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#You_can_EMBED_SVG_which_can_contain_your_XSS_vector
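The OWASP rule cited in comment 14 (treat a URL-valued attribute as untrusted and only let through an allowlisted scheme) is the defensive direction for the report above, where a data:text/html target on an image was stored and then ran when the image was clicked. The following is an added illustration of that check and is not kuma's code; the linked commit is not reproduced here. It assumes a wiki that stores user HTML and rewrites href/src attributes on save; the allowlist, the helper names (link_is_safe, LinkSanitizer, sanitize_links) and the sample HTML are all constructed for this example.

```python
# Added example (not kuma's code): allowlist the URL scheme of href/src
# attributes in user-supplied wiki HTML so that data: and javascript:
# targets never reach the rendered page. Names, allowlist and sample
# input are constructed for this illustration.
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes a link or image target may use. A relative URL (no scheme) is
# also accepted. Everything else, including data: and javascript:, is dropped.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto", "ftp"})

# Attributes per tag that carry a URL and therefore need the check.
URL_ATTRS = {"a": {"href"}, "area": {"href"}, "img": {"src"}}

# Browsers ignore ASCII control characters and whitespace inside a scheme
# ("java\tscript:"), so strip them before looking at the scheme.
_JUNK_RE = re.compile(r"[\x00-\x20\x7f]")


def link_is_safe(url: str) -> bool:
    """True if the URL is relative or uses an allowlisted scheme."""
    cleaned = _JUNK_RE.sub("", url)
    scheme = urlsplit(cleaned).scheme.lower()
    if not scheme:
        # Relative (or protocol-relative //host) URL: no scheme to abuse.
        return True
    return scheme in ALLOWED_SCHEMES


class LinkSanitizer(HTMLParser):
    """Re-serialise HTML, dropping href/src attributes that fail the check."""

    def __init__(self) -> None:
        # convert_charrefs=True means attribute values arrive already
        # entity-decoded, so "&#100;ata:" is seen as "data:".
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[tuple[str, str, str]] = []

    def _emit_tag(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            if value is None:
                parts.append(name)
                continue
            if name in URL_ATTRS.get(tag, ()) and not link_is_safe(value):
                self.dropped.append((tag, name, value))
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text arrives entity-decoded, so re-escape it on the way out.
        self.out.append(escape(data))

    def handle_comment(self, data):
        pass  # HTML comments from user content are not kept


def sanitize_links(html: str):
    """Return (clean_html, dropped); dropped lists every rejected attribute."""
    parser = LinkSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: one good link, two rejected link targets, one image.
SAMPLE = (
    '<p>See <a href="https://developer.mozilla.org/">MDN</a> and '
    '<a href="data:text/html,example">this</a>. '
    '<a href=" JaVaScRiPt:void(0)">x</a> '
    '<img src="/media/pic.png"></p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_links(SAMPLE)
    print(clean)
    for tag, attr, value in dropped:
        print(f"dropped {tag}@{attr}: {value!r}")
```

The check runs on the decoded attribute value, which is the part that matters: entity-encoded or whitespace-padded schemes are normalised by the browser before it decides what to do with a click, so a filter that looks only at the raw stored string can be bypassed. Logging the dropped attributes (the second return value) also gives the site a cheap detection signal for users who repeatedly submit rejected targets.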
Comment 15•9 years ago (Reporter)
Hi,

when are they updating the Hall of Fame?

Regards.
Comment 16•9 years ago
(In reply to Fabián Cuchietti from comment #15)
> Hi,
>
> when they are updating the Hall of Fame?
>
> Regards.

Please email questions to security@mozilla.org instead of leaving bug comments if you have questions that aren't related to getting a bug fixed.
Comment 17•8 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•4 years ago
Product: developer.mozilla.org → developer.mozilla.org Graveyard