Self reflective XSS (wiki edit)

RESOLVED FIXED

Status

developer.mozilla.org
Wiki pages
7 years ago
2 years ago

People

(Reporter: Nils Juenemann, Unassigned)

Tracking

(Blocks: 1 bug, {sec-moderate, wsec-xss})

Details

(Whiteboard: [infrasec:xss][ws:moderate])

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.231 Safari/534.10
Build Identifier: 

If you insert invalid XML into the wiki editor and try to save, you get a DekiWiki exception, and JavaScript that was inserted in source mode will be executed.

Reproducible: Always

Steps to Reproduce:
1. Go to https://developer.mozilla.org/index.php?title=xss&action=edit
2. Click on "source"
3. Add <BODY ONLOAD=alert('16')>< to the text area
4. Click save
5. You get a 500 error and the JavaScript is executed



Stack trace:


Request URI:
http://localhost:8081/deki/pages/65418/contents?dream.out.format=php&dream.in.host=developer.mozilla.org&dream.in.scheme=https&dream.in.origin=10.2.81.100&redirects=0&edittime=20101227124730

Server response:
Array
(
    [exception] => Array
        (
            [coroutine] => Array
                (
                    [frame] => Array
                        (
                            [@method] => MindTouch.Deki.DekiWikiService.PostPageContents(DreamContext context, DreamMessage request, Result`1 response)
                        )

                )

            [message] => Object reference not set to an instance of an object
            [source] => mindtouch.deki
            [stacktrace] => Array
                (
                    [frame] => Array
                        (
                            [0] => MindTouch.Deki.DekiXmlParser.ProcessRedirect (MindTouch.Xml.XDoc xhtml, ParserMode mode) [0x00000]
                            [1] => MindTouch.Deki.DekiXmlParser.Parse (MindTouch.Deki.Data.PageBE page, MindTouch.Xml.XDoc result, ParserMode mode, Boolean isInclude, MindTouch.Deki.Script.DekiScriptLiteral args, MindTouch.Deki.Title relToTitle) [0x00000]
                            [2] => MindTouch.Deki.DekiXmlParser.ParseSave (MindTouch.Deki.Data.PageBE page, System.String contentType, System.String language, System.String content, Int32 section, System.String xpath, Boolean removeIllegalElements, MindTouch.Deki.Title relToTitle) [0x00000]
                            [3] => MindTouch.Deki.Logic.PageBL.Save (MindTouch.Deki.Data.PageBE page, MindTouch.Deki.Data.OldBE previous, System.String userComment, System.String text, System.String contentType, System.String displayName, System.String language, Int32 section, System.String xpath, DateTime timeStamp, UInt64 restoredPageId, Boolean loggingEnabled, Boolean removeIllegalElements, MindTouch.Deki.Title relToTitle, Boolean overwrite, UInt32 authorId, System.Boolean& conflict) [0x00000]
                            [4] => MindTouch.Deki.Logic.PageBL.Save (MindTouch.Deki.Data.PageBE page, MindTouch.Deki.Data.OldBE previous, System.String userComment, System.String text, System.String contentType, System.String displayName, System.String language, Int32 section, System.String xpath, DateTime timeStamp, UInt64 restoredPageId, Boolean loggingEnabled, Boolean removeIllegalElements, MindTouch.Deki.Title relToTitle, Boolean overwrite, System.Boolean& conflict) [0x00000]
                            [5] => MindTouch.Deki.DekiWikiService+<PostPageContents>d__dc.MoveNext () [0x00000]
                            [6] => MindTouch.Tasking.Coroutine.Invoke (System.Func`1 invocation) [0x00000]
                        )

                )

            [type] => System.NullReferenceException
        )

)
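
The failure mode in the description above, as an added example that is not part of the bug report and is not MindTouch or MDN code: it assumes the 500 page echoed the submitted source without HTML-escaping (the report does not show the page markup). The functions `save_page`, `error_page_unsafe`, `error_page_safe` and `handle_save` are hypothetical names.

```python
import html

# Payload from step 3 of the report, used here only as test input.
SUBMITTED = "<BODY ONLOAD=alert('16')><"

def save_page(source):
    """Hypothetical stand-in for the wiki save call: rejects malformed markup."""
    if source.count("<") != source.count(">"):
        raise ValueError("malformed XML in page source")
    return "saved"

def error_page_unsafe(source, exc):
    """Assumed vulnerable pattern: submitted text is pasted into the 500 page."""
    body = f"<html><body><h1>Error</h1><p>{exc}</p><pre>{source}</pre></body></html>"
    return 500, {"Content-Type": "text/html; charset=utf-8"}, body

def error_page_safe(source, exc):
    """Escape everything request-derived and lock the error page down."""
    body = (
        "<html><body><h1>Error</h1>"
        f"<p>{html.escape(str(exc))}</p>"
        f"<pre>{html.escape(source, quote=True)}</pre></body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        # An error page needs no scripts; inline handlers are refused under this policy.
        "Content-Security-Policy": "default-src 'none'",
    }
    return 500, headers, body

def handle_save(source, render_error):
    """Run the save and route any failure through the chosen error renderer."""
    try:
        return 200, {}, save_page(source)
    except ValueError as exc:
        return render_error(source, exc)

if __name__ == "__main__":
    for renderer in (error_page_unsafe, error_page_safe):
        status, headers, body = handle_save(SUBMITTED, renderer)
        print(renderer.__name__, status, body)
```

The escaped output keeps the submitted text visible to the editor for correction while the browser treats it as text, and the restrictive policy covers the case where an escaping call is missed on some other error path.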
(Reporter)

Comment 1

7 years ago
Created attachment 499820
screenshot

Updated

7 years ago
Whiteboard: [ws:need triage]
Confirmed this XSS works within the Google Chrome browser. It does not work in Firefox. This is a reflected XSS that appears to be only exploitable against another user via CSRF.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [ws:need triage] → [infrasec:xss][ws:moderate]
(Assignee)

Updated

6 years ago
Component: Website → Landing pages
Product: Mozilla Developer Network → Mozilla Developer Network
This was filed back when we were using Mindtouch. Cannot reproduce on Kuma.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Updated

5 years ago
Blocks: 835457
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security