Reflected XSS in Special:Tags URL Arg pageID

VERIFIED FIXED

Status

--
major
VERIFIED FIXED
8 years ago
4 years ago

People

(Reporter: mcoates, Unassigned)

Tracking

(Blocks: 1 bug, {wsec-xss})

Details

(Whiteboard: [infrasec:xss][ws:high], URL)

Attachments

(1 attachment)

This bug was filed on behalf of <ignatio2007@gmail.com>

Issue

Reflected XSS in https://developer.mozilla.org at the following location:

https://developer.mozilla.org/index.php?title=Special:Tags&pageId=234+--%3E%3Cbody%20onload=alert(1)%3E


Recommended Remediation
1. Use htmlentity output encoding when returning any data from the URL within the HTTP response.
2. Use input validation to verify the pageID is numeric. If not, throw away the data and display an error

Comment 1

8 years ago
This bug was also reported by kuzz to security@mozilla.org on 02/08/11

Michael: Do we know who should be contacted to fix this bug? I'm not sure if the developer site code is internal or not but I'll look around.
Duplicate of this bug: 636138
Luke,

I saw you worked on a similar bug for devmo. Can you take this one?
I can take it on but I know Mindtouch has been really slow and painful accepting patches so I might just raise it to them and we'll go with their patch unless they drag their feet too long. Sound good?
(In reply to comment #4)
> I can take it on but I know Mindtouch has been really slow and painful
> accepting patches so I might just raise it to them and we'll go with their
> patch unless they drag their feet too long. Sound good?

That approach sounds fine. Please update us with any info that you get.
I've got a support ticket in with MindTouch. Hopefully they can give us a patch soon. mcoates, how long are we willing to wait on them before we patch ourselves?
Blocks: 646998
Its been several weeks already. Is the ticket moving along? Do they have a target release date or version for the fix?
No, MindTouch support is very disappointing. Can't wait to be free of it. If they don't give us something by EOD today I'll fix it myself on Monday.
Assignee: nobody → lcrouch
Target Milestone: --- → 0.9.4
Created attachment 524085 [details]
mindtouch xss patch
Assignee: lcrouch → server-ops
Group: mozilla-confidential, mozilla-corporation-confidential
Component: Website → Server Operations
Product: Mozilla Developer Network → mozilla.org
QA Contact: website → mrz
Target Milestone: 0.9.4 → ---
Version: unspecified → other
need to apply the MindTouch patch file

Updated

8 years ago
Assignee: server-ops → phong

Updated

8 years ago
Duplicate of this bug: 648881

Updated

8 years ago
Duplicate of this bug: 648821

Comment 16

8 years ago
I think there are plenty more vulnerabilities in the site eg trivial account-compromising CSRF; 
https://developer.mozilla.org/Special:Preferences?email=albinowax%40eml.cc
But they've probably also been reported already, so I won't waste everyone's time by hunting out&filing bugs for them.

Updated

8 years ago
Assignee: phong → jeremy.orem+bugs

Comment 17

7 years ago
and here is another xss -> developer.mozilla.org/Special:Listusers?matchuser=
The workflow for closing XSS in the MindTouch pages is really painful:

1. XSS found on developer.mozilla.org
2. Submit bug/support request to MindTouch
3. Wait for MindTouch to verify, fix, and send us a patch (last one took 5-6 days)
4. Apply their patch to our servers (still pending from Apr 5)
5. Verify their patch on our servers
6. Sometimes their patch doesn't work - back to #2

Can we decide criteria for which are the most critical MindTouch XSS vuln's and how we want to fix them?
Blocks: 600834
What's my action on this bug? Just applying attachment 524085 [details]?
(In reply to comment #19)
> What's my action on this bug? Just applying attachment 524085 [details]?

Yeah, apply that attachment and then we'll check the page. In another bug we might want to work out our own security & patch policy for MindTouch since their support process seems really slow and clumsy.
Is it done? MindTouch is asking about their patch.
Patched: prod, stage, stage9.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
looks like this patch resolved all the xss listed here
Assignee: jeremy.orem+bugs → mozbugs.retornam
Keywords: qawanted
looks fixed on staging  but I will leave the security team to verify
Keywords: qawanted
Now performing output encoding for < and >. Addresses the issue.
Status: RESOLVED → VERIFIED

Updated

6 years ago
Blocks: 835457
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
Assignee: mozbugs.retornam → server-ops
Group: websites-security, mozilla-confidential, mozilla-employee-confidential
Product: mozilla.org → mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.