Closed
Bug 731535
Opened 12 years ago
Closed 12 years ago
Some demo has XSS risk which is caused with jQuery Mobile
Categories
(developer.mozilla.org Graveyard :: Demo Studio / Dev Derby, defect)
developer.mozilla.org Graveyard
Demo Studio / Dev Derby
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: tetsuharu, Assigned: openjck)
Details
(Keywords: sec-high, wsec-xss, Whiteboard: [infrasec:xss][ws:high] u=user c=security p=1)
This risk was reported by mala I'll add original reporter to cc list. I report in his place. Some demo in demo studion has XSS risk which caused with jQuery Mobile. STR: Jump to following links: ・ https://developer.mozilla.org/media/uploads/demos/l/m/lmorchard/maybe-do/demo_package/index.html#http://ma.la/tmp/jqm.html (This is https://developer.mozilla.org/ja/demos/detail/maybe-do) ・ https://developer.mozilla.org/media/uploads/demos/a/k/aking/gsd-with-indexeddb/demo_package/index.html#http://ma.la/tmp/jqm.html (This is https://developer.mozilla.org/ja/demos/detail/gsd-with-indexeddb) These XSS are caused by https://github.com/jquery/jquery-mobile/issues/1990 . We should fix their demo pages *immediately*. This exploit codes are opened by hacker. If these demo don't be fixed immediately, we should drop them from demo studio temporarily.
Reporter | ||
Updated•12 years ago
|
OS: Windows 7 → All
Hardware: x86_64 → All
Reporter | ||
Comment 1•12 years ago
|
||
mala says about this bug (summary abstract): The root problem of this risk is that Mozilla is hosting demos posted by users on the same domain which provides trusted information (e.g login, authentication). Mozilla needs to review demos posted by users *completely*. If Mozilla cannot review them *completely*, Mozilla should host demos users post on the other sand-boxed domain which does not provide trusted information. ---- I think this problem should be discussed on the meeting of security review team.
Comment 2•12 years ago
|
||
CCing Luke Crouch, the dev lead on MDN.
Comment 3•12 years ago
|
||
John, assigning to you - we'll need to censor the offending demos and contact the demo authors. I'm not sure if there's a way to scan the demos for jquery mobile usage. We have plans to move MDN demos to demos.mozilla.com or another domain. To date we've relied on curation of demos to cover security holes. Sadly, demo studio is on the back-burner for MDN so we haven't addressed it. We're using as many dev and IT resources to move off MindTouch which has a whole host of its own security issues!
Assignee: nobody → jkarahalis
Whiteboard: [infrasec:xss][ws:high] u=user c=security p=1
Comment 4•12 years ago
|
||
I'm happy to come to the next security review meeting to discuss this from the MDN Dev stand point, if someone will invite me. (In reply to Luke Crouch [:groovecoder] from comment #3) > We have plans to move MDN demos to demos.mozilla.com or another domain. Hopefully we could avoid m.c entirely.
Comment 5•12 years ago
|
||
(In reply to James Socol [:jsocol, :james] from comment #4) > I'm happy to come to the next security review meeting to discuss this from > the MDN Dev stand point, if someone will invite me. > > (In reply to Luke Crouch [:groovecoder] from comment #3) > > We have plans to move MDN demos to demos.mozilla.com or another domain. > > Hopefully we could avoid m.c entirely. bug 664724 has been open for awhile, with the intent to use mozillademos.org. Last I knew, we were waiting on some IT infrastructure juggling. I haven't followed up myself recently, so I'm not sure it's on anyone's radar.
Comment 6•12 years ago
|
||
Either way, we should nuke the offending demo ASAP. Who has permissions to do that?
Assignee | ||
Comment 7•12 years ago
|
||
I hid the demos for now and will contact the authors later. Should I outright remove them from the site. AFAIK, only administrators can see hidden demos. (Too bad the offending demos are GTD task-lists. The computer scientist in me is glad to mitigate the XSS risk, but the manager in me is wishing we could get them back online fixed.)
Assignee | ||
Comment 8•12 years ago
|
||
<groovecoder> openjck: nah, don't nuke them
Assignee | ||
Comment 9•12 years ago
|
||
Looks like 1.0 Beta 3 of jQuery Mobile fixed this (correct me if I'm wrong), so I'll ask the authors to update to the latest version of jQuery Mobile and will unhide the offending demos if everything checks out.
Assignee | ||
Comment 10•12 years ago
|
||
The offending demos have been hidden and the authors have been contacted. Marking as fixed.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 11•12 years ago
|
||
(In reply to John Karahalis [:openjck] from comment #10) > The offending demos have been hidden and the authors have been contacted. > > Marking as fixed. I confirmed it. But the exploit links is living still now. These exploit links have been opened *already*. We should make their files denying access from web. And also, mala did not scan all demos. (He scanned with a simple way only.) Demo studio may have other demos which have same vulnerability by jQuery Mobile. I think that, we should scan all demos whether they have same vulnerability or not.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 12•12 years ago
|
||
Do we have a tool for scanning? We'll investigate censoring specific media, but we didn't design for that so it might be faster/easier/better to just fix bug 664724.
Target Milestone: --- → 2.5
Updated•12 years ago
|
Target Milestone: 2.5 → ---
Assignee | ||
Comment 13•12 years ago
|
||
(In reply to Luke Crouch [:groovecoder] from comment #12) > Do we have a tool for scanning? > > We'll investigate censoring specific media, but we didn't design for that so > it might be faster/easier/better to just fix bug 664724. Can't access bug 664724 for some reason. Is that the one about getting a new subdomain for demos? Some more automated way of fixing this would be preferable, as there are about 300 demos and more every day. Until then, there is one quick automation approach: 1. Unzip all demos to some directory. 2. grep -ri "*jquery*mobile" * 4. Search the list for demos using jQuery Mobile < beta2 4. Hide those demos Would anyone with higher access than me be able to send me a giant zip of all demos submitted so far?
Comment 14•12 years ago
|
||
(In reply to John Karahalis [:openjck] from comment #13) > Would anyone with higher access than me be able to send me a giant zip of > all demos submitted so far? Only IT has that access, I think. Maybe needs an IT bug filed? It would also probably be a very giant zip
Assignee | ||
Comment 15•12 years ago
|
||
(In reply to Les Orchard [:lorchard] from comment #14) > (In reply to John Karahalis [:openjck] from comment #13) > > > Would anyone with higher access than me be able to send me a giant zip of > > all demos submitted so far? > > Only IT has that access, I think. Maybe needs an IT bug filed? It would also > probably be a very giant zip Not if we squeeze it in really, really tight. Or I could just ask IT to run the grep and send me the stdout. Also, it looks like hiding demos doesn't truly hide them: https://developer.mozilla.org/media/uploads/demos/l/m/lmorchard/maybe-do/demo_package/index.html
Comment 16•12 years ago
|
||
(In reply to John Karahalis [:openjck] from comment #15) > Not if we squeeze it in really, really tight. Or I could just ask IT to run > the grep and send me the stdout. Yeah, I think we have a few 50-80MB demos. Not sure how big the whole corpus is, though. :/ Would be nice if we could get read-only shell access to the NFS mount. > Also, it looks like hiding demos doesn't truly hide them: > > https://developer.mozilla.org/media/uploads/demos/l/m/lmorchard/maybe-do/ > demo_package/index.html Hiding only affects demo listings on the site. The demo media is on a static web server and not protected by any access controls. Deletion will get rid of the media.
Assignee | ||
Comment 17•12 years ago
|
||
Opened IT bug: bug 740683
Assignee | ||
Comment 18•12 years ago
|
||
I got IT to run the grep described in comment 13. Turns out, only Maybe Do and GSD are vulnerable. A few more demos are using jQuery Mobile, but they are using a version above beta2. It's possible that the grep missed a couple of demos, but unlikely. I made backups of the demos, deleted them, and will shortly contact the authors. Is there a way to automate this in the future? For example, running the test posted in comment 0 on every demo that is submitted?
Comment 19•12 years ago
|
||
We could add a DEMO_FILENAME_BLACKLIST like the DEMO_MIMETYPE_BLACKLIST used in https://github.com/mozilla/kuma/blob/master/apps/demos/models.py#L576 It wouldn't protect against malicious demo poisoning, but it would protect against libraries with vulnerabilities that are naively included by demo authors.
Assignee | ||
Comment 20•12 years ago
|
||
Sounds good to me. By the way, the demos are still showing up even after I deleted them. Any idea? https://developer.mozilla.org/media/uploads/demos/l/m/lmorchard/maybe-do/demo_package/index.html https://developer.mozilla.org/media/uploads/demos/a/k/aking/gsd-with-indexeddb/demo_package/index.html
Assignee | ||
Comment 21•12 years ago
|
||
Anyone know why the demos are still online even after I deleted them? Aside from this, everything is done.
Assignee | ||
Comment 22•12 years ago
|
||
Demos now 404'ing.
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 23•12 years ago
|
||
To clarify, I got IT to take them down. Marking as closed unless anyone has an objection.
Updated•12 years ago
|
Version: MDN → unspecified
Updated•12 years ago
|
Component: Demos → Demo Studio / Dev Derby
Comment 24•11 years ago
|
||
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Comment 25•8 years ago
|
||
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•4 years ago
|
Product: developer.mozilla.org → developer.mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•