XSS at developer.mozilla.org Special:Tags

RESOLVED FIXED

10 years ago
6 years ago

People

(Reporter: dveditz, Unassigned)

Tracking

({wsec-xss})

(Reporter)

Description

10 years ago
Report on XSSed.com from "pRaLe" http://www.xssed.com/mirror/49004/

XSS problem on the Special:Tags search page
  http://developer.mozilla.org/Special:Tags?tag=%22/%3E%3Cscript%3Ealert(String.fromCharCode(88,%2083,%2083))%3C/script%3E

or http://developer.mozilla.org/Special:Tags?tag="/><script>alert(String.fromCharCode(88,%2083,%2083))</script>

We need to check other pages, too. If this is a problem in Deki Wiki generically we should inform the upstream.
I've forwarded this issue to MindTouch.
(Reporter)

Comment 2

10 years ago
It's been a couple of weeks -- can we please shut this hole on our own site without waiting for MindTouch to fix it? That's what open source is about, right?
I believe this is fixed in the update we'll be installing on Thursday night.
But I'll check to be sure.
Eric - if they have not fixed it let us know and we'll do it.
Yes, will do.
This will be in the stable branch tomorrow, so we can pick it up when we do the update to 8.08.
Fixed.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Reporter)

Updated

10 years ago
Group: websites-security
(Assignee)

Updated

6 years ago
Component: Administration → User management
Product: Mozilla Developer Network → Mozilla Developer Network
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss