XSS via feed parser on www.mozilla.org front page

Status: RESOLVED FIXED

Product: www.mozilla.org
Component: General
Priority: --
Severity: critical
Reported: 8 years ago
Last modified: 5 years ago

People: Reporter: georgi (hopefully not receiving bugspam); Assigned: reed

Tracking: Keywords: wsec-xss
Firefox Tracking Flags: (Not tracked)

Attachments: 3

potential XSS on front page of www.mozilla.org

On 3 Jan I browsed www.mozilla.org and visually noticed an anomaly very close to XSS caused by a Bugzilla bug: in the community ticker was injected the |<h2>| present in the subject of the linked bug.

Attached is a screenshot with JS disabled; see |typeface| in the middle right.

I wrote about this on IRC #js; about 5 minutes later the anomaly disappeared.
Created attachment 419870: screenshot - see middle right
Assignee: server-ops → nobody
Group: websites-security
Component: Server Operations: Security → www.mozilla.org
Product: mozilla.org → Websites
QA Contact: mrz → www-mozilla-org
Group: mozilla-confidential
Severity: normal → critical
(Assignee) Updated 8 years ago
Assignee: nobody → reed
OS: Linux → All
Hardware: x86 → All
As of now your front page has a file upload control due to timeless's bug.
dveditz: does this act of humane American patriotism deserve a bounty?
Created attachment 419875: file upload - for posterity
(Assignee) Updated 8 years ago
Status: NEW → ASSIGNED
Summary: potential XSS on front page of www.mozilla.org → XSS via feed parser on www.mozilla.org front page
(Assignee) Comment 5, 8 years ago

Created attachment 419879: patch - v1

The title attribute was being HTML decoded by cleanHtml() for some unknown reason. I removed that code and replaced the existing truncate() function with one I found in CakePHP's code that parses HTML entities correctly.
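The two halves of the fix described in that comment, as an added example that is not the site's own cleanHtml()/truncate() code and not a port of CakePHP's truncate(): the pre-fix path HTML-decodes an entity-escaped feed title and echoes it, so escaped markup in a bug subject becomes live markup in the ticker; the hardened path never decodes, escapes at the output boundary, and truncates without splitting an entity such as `&lt;` into `&l`. The sample subject and the `render_ticker_*` helpers are constructed for this illustration.

```python
import html
import re

# Constructed sample (not from the bug): a Bugzilla subject containing markup,
# and the entity-escaped form in which a feed would carry it.
RAW_SUBJECT = "Bug 123 - <h2>typeface</h2> renders badly"
FEED_TITLE = html.escape(RAW_SUBJECT, quote=True)


def clean_html_vulnerable(title):
    # Models the behaviour the patch removed: the title is HTML-decoded
    # before it is placed in the page.
    return html.unescape(title)


def render_ticker_vulnerable(feed_title):
    # The decoded string is dropped straight into the markup, so an
    # attacker-controlled bug subject is rendered as live HTML.
    return '<li class="ticker">' + clean_html_vulnerable(feed_title) + "</li>"


def truncate_naive(text, length, ellipsis="..."):
    # Plain character slice: can cut an entity in half ("&lt;" -> "&l").
    if len(text) <= length:
        return text
    return text[:length] + ellipsis


# One token is either a complete HTML entity (named, decimal or hex numeric)
# or a single character; a bare "&" that starts no valid entity is one char.
ENTITY_OR_CHAR = re.compile(
    r"&(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);|.", re.DOTALL
)


def truncate_entity_aware(text, length, ellipsis="..."):
    # Truncate to `length` visible characters, counting each entity as one,
    # so the cut never lands inside "&...;".
    tokens = ENTITY_OR_CHAR.findall(text)
    if len(tokens) <= length:
        return text
    return "".join(tokens[:length]) + ellipsis


def render_ticker_hardened(raw_subject, length=20):
    # No decode step anywhere: escape once at the output boundary, then
    # truncate the escaped string without breaking its entities.
    escaped = html.escape(raw_subject, quote=True)
    return '<li class="ticker">' + truncate_entity_aware(escaped, length) + "</li>"


if __name__ == "__main__":
    print("feed title      :", FEED_TITLE)
    print("vulnerable      :", render_ticker_vulnerable(FEED_TITLE))
    print("naive truncate  :", truncate_naive(FEED_TITLE, 12))
    print("entity truncate :", truncate_entity_aware(FEED_TITLE, 12))
    print("hardened        :", render_ticker_hardened(RAW_SUBJECT))
```

The check worth keeping from this: any path that calls an unescape routine on data that is about to be written into HTML is a markup-injection bug regardless of what the feed itself looks like; the correct fix is to delete the decode, not to add filtering after it.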
(Assignee) Comment 6, 8 years ago
r58866

Thanks, georgi, for noticing this.
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Assignee) Updated 8 years ago
Group: websites-security
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss