Closed Bug 453886 Opened 17 years ago Closed 16 years ago

Reflected Cross Site Scripting in Forgot Password Functionality

Categories

(developer.mozilla.org Graveyard :: General, defect)

Product:
developer.mozilla.org Graveyard
Component:
General
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: justdave, Assigned: sheppy)

Details

(Keywords: wsec-xss)

Our penetration testers discovered the following issue: Class: Data Validation Severity: High Difficulty to Exploit: Low Targets: http://developer.mozilla.org/index.php?title=Special:Userlogin, ‘forgot password’ functionality. Description: Poor input filtering and output encoding allows an attacker to execute JavaScript into the context of the developer.mozilla.org in a victim’s browser via the ‘forgot password’ link on the login page. Exploit Scenario: The attacker sends the victim a web page as email that contains a hidden iframe which upon page load automatically submits a form request that simulates clicking the forgot password link with the post parameter "<img src=z onerror=javascript:alert(‘xss’)> as the username. This permits the attacker to execute JavaScript in the user’s web browser and execute in the context of the developer.mozilla.org website as the user. Short Term Solution: Data returned from the XMLHTTPRequest used during the ‘forgot password’ operation should be sanitized before being returned to the web page for display. In this case, the web page calls eval() in JavaScript on whatever data is returned from the XMLHTTPRequest. Reflecting user data directly in an eval statement like this is dangerous, and if such is necessary, the input taken from the user should be checked against a white list of acceptable values. If that’s not possible, it should be checked using as tightly defined an input filtering mechanism as possible to ensure that attackers aren’t able to execute JavaScript in the user’s web browser via unfiltered or poorly filtered XMLHTTPRequests Requiring that usernames submitted via this method only contain alphanumeric characters would prevent this attack. Long Term Solution: Adopt a standard practice of tightly white listing input accepted from XMLHTTPRequests, and output encode the data that’s returned to the application for evaluation to ensure that the user isn’t able to reflect JavaScript into the return value.
Sheppy: would you address this with mindtouch please?
[masschange] Sheppy: can you please give us an update here? Is anyone working on this? Your blog post said we've had two updates in the past week - is this being addressed?
Assignee: nobody → eshepherd
This should be fixed in the 8.08.1a release that we can pick up today.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
This is still a problem. Reopening.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I meant to reopen bug 455112, not this one...
Status: REOPENED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → FIXED
Component: Deki Infrastructure → Other
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: developer.mozilla.org → developer.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.