This bug was filed on behalf of <email@example.com> Issue Reflected XSS in https://developer.mozilla.org at the following location: https://developer.mozilla.org/index.php?title=Special:Tags&pageId=234+--%3E%3Cbody%20onload=alert(1)%3E Recommended Remediation 1. Use htmlentity output encoding when returning any data from the URL within the HTTP response. 2. Use input validation to verify the pageID is numeric. If not, throw away the data and display an error
This bug was also reported by kuzz to firstname.lastname@example.org on 02/08/11 Michael: Do we know who should be contacted to fix this bug? I'm not sure if the developer site code is internal or not but I'll look around.
Duplicate of this bug: 636138
Luke, I saw you worked on a similar bug for devmo. Can you take this one?
I can take it on but I know Mindtouch has been really slow and painful accepting patches so I might just raise it to them and we'll go with their patch unless they drag their feet too long. Sound good?
(In reply to comment #4) > I can take it on but I know Mindtouch has been really slow and painful > accepting patches so I might just raise it to them and we'll go with their > patch unless they drag their feet too long. Sound good? That approach sounds fine. Please update us with any info that you get.
I've got a support ticket in with MindTouch. Hopefully they can give us a patch soon. mcoates, how long are we willing to wait on them before we patch ourselves?
Its been several weeks already. Is the ticket moving along? Do they have a target release date or version for the fix?
No, MindTouch support is very disappointing. Can't wait to be free of it. If they don't give us something by EOD today I'll fix it myself on Monday.
Assignee: lcrouch → server-ops
Group: mozilla-confidential, mozilla-corporation-confidential
Component: Website → Server Operations
Product: Mozilla Developer Network → mozilla.org
QA Contact: website → mrz
Target Milestone: 0.9.4 → ---
Version: unspecified → other
need to apply the MindTouch patch file
I think there are plenty more vulnerabilities in the site eg trivial account-compromising CSRF; https://developer.mozilla.org/Special:Preferences?email=albinowax%40eml.cc But they've probably also been reported already, so I won't waste everyone's time by hunting out&filing bugs for them.
and here is another xss -> developer.mozilla.org/Special:Listusers?matchuser=
The workflow for closing XSS in the MindTouch pages is really painful: 1. XSS found on developer.mozilla.org 2. Submit bug/support request to MindTouch 3. Wait for MindTouch to verify, fix, and send us a patch (last one took 5-6 days) 4. Apply their patch to our servers (still pending from Apr 5) 5. Verify their patch on our servers 6. Sometimes their patch doesn't work - back to #2 Can we decide criteria for which are the most critical MindTouch XSS vuln's and how we want to fix them?
(In reply to comment #19) > What's my action on this bug? Just applying attachment 524085 [details]? Yeah, apply that attachment and then we'll check the page. In another bug we might want to work out our own security & patch policy for MindTouch since their support process seems really slow and clumsy.
Is it done? MindTouch is asking about their patch.
Patched: prod, stage, stage9.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
looks like this patch resolved all the xss listed here
Assignee: jeremy.orem+bugs → mozbugs.retornam
looks fixed on staging but I will leave the security team to verify
Now performing output encoding for < and >. Addresses the issue.
Status: RESOLVED → VERIFIED
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Group: websites-security, mozilla-confidential, mozilla-employee-confidential
Product: mozilla.org → mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.