Closed
Bug 712886
Opened 14 years ago
Closed 14 years ago
Possible vulnerability at https://developer.mozilla.org/en-US/demos/search/?q=
Categories
(developer.mozilla.org Graveyard :: Wiki pages, defect)
developer.mozilla.org Graveyard
Wiki pages
Tracking
(Not tracked)
VERIFIED
INVALID
2.1
People
(Reporter: julius.kivimaki, Assigned: groovecoder)
Details
(Whiteboard: u=user c=security p=1)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Steps to reproduce:
I decided to try XSS on https://developer.mozilla.org/en-US/demos/search/?q=
But well, I did not quite find it.
Actual results:
The server decided to ignore parts of my search string as you can see at https://developer.mozilla.org/en-US/demos/search/?q=ehm%22);%22%3Eehm
Possibly an SQL injection or something, did not look at it that closely.
Expected results:
The server should have returned the whole string in a secure format that is not executed client-side (nor server-side).
Comment 1•14 years ago
Thank you for reporting this issue to us. We'll investigate the issue and
provide feedback within the bug. No additional action is needed from you
at this time. If you have questions or additional information please add
that info to the bug.
Thanks,
mgoodwin
Comment 2•14 years ago
Luke, would you mind taking a look at this? Basically, we need to verify that the characters that go missing in the example in comment #0 are from input validation, not from injection into a database.
Contact me if you have any further questions.
Comment 3 (Reporter)•14 years ago
If it's input validation, it still shouldn't do that. It should rather output it in secure format.
Updated (Assignee)•14 years ago
Whiteboard: u=user c=security p=
Target Milestone: --- → 2.0
Comment 4•14 years ago
(In reply to julius.kivimaki from comment #3)
> If it's input validation, it still shouldn't do that. It should rather output
> it in secure format.
I agree 100% that anything output should be encoded correctly but that's not to say filtering to a whitelist is harmful.
Updated (Assignee)•14 years ago
Target Milestone: 2.0 → 2.1
Updated (Assignee)•14 years ago
Whiteboard: u=user c=security p= → u=user c=security p=1
Updated (Assignee)•14 years ago
Assignee: nobody → lcrouch
Comment 5 (Assignee)•14 years ago
We turn the q value into a django Q object which properly filters for SQL:
SELECT `demos_submission`.`id`, `demos_submission`.`title`, `demos_submission`.`slug`, `demos_submission`.`summary`, `demos_submission`.`description`, `demos_submission`.`featured`, `demos_submission`.`hidden`, `demos_submission`.`censored`, `demos_submission`.`censored_url`, `demos_submission`.`navbar_optout`, `demos_submission`.`comments_total`, `demos_submission`.`screenshot_1`, `demos_submission`.`screenshot_2`, `demos_submission`.`screenshot_3`, `demos_submission`.`screenshot_4`, `demos_submission`.`screenshot_5`, `demos_submission`.`video_url`, `demos_submission`.`demo_package`, `demos_submission`.`source_code_url`, `demos_submission`.`license_name`, `demos_submission`.`creator_id`, `demos_submission`.`created`, `demos_submission`.`modified`, `demos_submission`.`likes_total`, `demos_submission`.`likes_recent`, `demos_submission`.`launches_total`, `demos_submission`.`launches_recent` FROM `demos_submission` WHERE (NOT (`demos_submission`.`censored` = True ) AND (`demos_submission`.`title` LIKE %ehm\%22);% OR `demos_submission`.`summary` LIKE %ehm\%22);% OR `demos_submission`.`description` LIKE %ehm\%22);% ) AND NOT (`demos_submission`.`hidden` = True )) ORDER BY `demos_submission`.`modified` DESC LIMIT 0
SELECT COUNT(*) FROM `demos_submission` WHERE (NOT (`demos_submission`.`censored` = True ) AND ((`demos_submission`.`title` LIKE %ehm\%22);% OR `demos_submission`.`summary` LIKE %ehm\%22);% OR `demos_submission`.`description` LIKE %ehm\%22);% ) AND (`demos_submission`.`title` LIKE %DELETE% OR `demos_submission`.`summary` LIKE %DELETE% OR `demos_submission`.`description` LIKE %DELETE% ) AND (`demos_submission`.`title` LIKE %FROM% OR `demos_submission`.`summary` LIKE %FROM% OR `demos_submission`.`description` LIKE %FROM% ) AND (`demos_submission`.`title` LIKE %demos\_submission;% OR `demos_submission`.`summary` LIKE %demos\_submission;% OR `demos_submission`.`description` LIKE %demos\_submission;% )) AND NOT (`demos_submission`.`hidden` = True ))
SELECT COUNT(*) FROM `demos_submission` WHERE (NOT (`demos_submission`.`censored` = True ) AND ((`demos_submission`.`title` LIKE %ehm\%22);% OR `demos_submission`.`summary` LIKE %ehm\%22);% OR `demos_submission`.`description` LIKE %ehm\%22);% ) AND (`demos_submission`.`title` LIKE %DELETE% OR `demos_submission`.`summary` LIKE %DELETE% OR `demos_submission`.`description` LIKE %DELETE% ) AND (`demos_submission`.`title` LIKE %FROM% OR `demos_submission`.`summary` LIKE %FROM% OR `demos_submission`.`description` LIKE %FROM% ) AND (`demos_submission`.`title` LIKE %demos\_submission;% OR `demos_submission`.`summary` LIKE %demos\_submission;% OR `demos_submission`.`description` LIKE %demos\_submission;% )) AND NOT (`demos_submission`.`hidden` = True ))
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
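An added example (not Kuma's own code) of the pattern comment 5 describes: the search string is split into whitespace-separated terms, each term is bound as a query parameter to a LIKE across title/summary/description with its wildcards escaped (the logged query shows Django emitting \% and \_), so text such as "DELETE FROM demos_submission;" is only ever matched literally; the echo helper covers comment 4's point that whatever is reflected back must be output-encoded. It uses sqlite3 in place of Django's ORM, and the table and rows are constructed for the example.

```python
import html
import sqlite3

# Constructed in-memory stand-in for the columns the logged query touches.
SCHEMA = """CREATE TABLE demos_submission (
    id INTEGER PRIMARY KEY, title TEXT, summary TEXT, description TEXT,
    censored INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0)"""
ROWS = [  # (title, summary, description, censored, hidden) -- constructed sample data
    ("Canvas demo", "ehm\");\">ehm shows up here", "a description", 0, 0),
    ("Hidden one", "contains ehm too", "", 0, 1),
    ("DELETE FROM demos_submission;", "", "", 0, 0),
]

def escape_like(term):
    # Make LIKE wildcards in user text match literally (what the \% and \_ in the log do).
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def build_search(q):
    """Each term must match (AND) at least one of the three text columns (OR),
    mirroring the logged query. Returns (sql, params): user text only ever
    travels in params, never in the SQL string itself."""
    clauses, params = [], []
    for term in q.split():
        pattern = "%" + escape_like(term) + "%"
        clauses.append("(title LIKE ? ESCAPE '\\' OR summary LIKE ? ESCAPE '\\'"
                       " OR description LIKE ? ESCAPE '\\')")
        params.extend([pattern, pattern, pattern])
    where = " AND ".join(clauses) or "1"  # `where` holds only our own literal SQL
    sql = ("SELECT id, title FROM demos_submission WHERE NOT censored AND "
           + where + " AND NOT hidden ORDER BY id")
    return sql, params

def search(conn, q):
    sql, params = build_search(q)
    return [row[0] for row in conn.execute(sql, params)]

def render_query_echo(q):
    # Output-encode the reflected search string so it cannot become markup (comment 4).
    return '<input name="q" value="%s">' % html.escape(q, quote=True)

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO demos_submission (title, summary, description, "
                     "censored, hidden) VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn
```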
Updated•13 years ago
Component: Website → Landing pages
Comment 7•10 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•5 years ago
Product: developer.mozilla.org → developer.mozilla.org Graveyard