Closed Bug 731535 Opened 12 years ago Closed 12 years ago

Some demo has XSS risk which is caused with jQuery Mobile

Categories

(developer.mozilla.org Graveyard :: Demo Studio / Dev Derby, defect)

Product:
developer.mozilla.org Graveyard
Component:
Demo Studio / Dev Derby
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: tetsuharu, Assigned: openjck)

Details

(Keywords: sec-high, wsec-xss, Whiteboard: [infrasec:xss][ws:high] u=user c=security p=1) 

This risk was reported by mala I'll add original reporter to cc list.
I report in his place.

Some demo in demo studion has XSS risk which caused with jQuery Mobile.

STR:
Jump to following links:

・ https://developer.mozilla.org/media/uploads/demos/l/m/lmorchard/maybe-do/demo_package/index.html#http://ma.la/tmp/jqm.html
(This is https://developer.mozilla.org/ja/demos/detail/maybe-do)

・ https://developer.mozilla.org/media/uploads/demos/a/k/aking/gsd-with-indexeddb/demo_package/index.html#http://ma.la/tmp/jqm.html
(This is https://developer.mozilla.org/ja/demos/detail/gsd-with-indexeddb)

These XSS are caused by https://github.com/jquery/jquery-mobile/issues/1990 .

We should fix their demo pages *immediately*.
This exploit codes are opened by hacker.

If these demo don't be fixed immediately, we should drop them from demo studio temporarily.
OS: Windows 7 → All
Hardware: x86_64 → All
mala says about this bug (summary abstract): 
The root problem of this risk is that Mozilla is hosting demos posted by users on the same domain which provides trusted information (e.g login, authentication).

Mozilla needs to review demos posted by users *completely*.
If Mozilla cannot review them *completely*, Mozilla should host demos users post on the other sand-boxed domain which does not provide trusted information.
----

I think this problem should be discussed on the meeting of security review team.
CCing Luke Crouch, the dev lead on MDN.
John, assigning to you - we'll need to censor the offending demos and contact the demo authors. I'm not sure if there's a way to scan the demos for jquery mobile usage.

We have plans to move MDN demos to demos.mozilla.com or another domain. To date we've relied on curation of demos to cover security holes. Sadly, demo studio is on the back-burner for MDN so we haven't addressed it. We're using as many dev and IT resources to move off MindTouch which has a whole host of its own security issues!
Assignee: nobody → jkarahalis
Whiteboard: [infrasec:xss][ws:high] u=user c=security p=1
I'm happy to come to the next security review meeting to discuss this from the MDN Dev stand point, if someone will invite me. 

(In reply to Luke Crouch [:groovecoder] from comment #3)
> We have plans to move MDN demos to demos.mozilla.com or another domain.

Hopefully we could avoid m.c entirely.
(In reply to James Socol [:jsocol, :james] from comment #4)
> I'm happy to come to the next security review meeting to discuss this from
> the MDN Dev stand point, if someone will invite me. 
> 
> (In reply to Luke Crouch [:groovecoder] from comment #3)
> > We have plans to move MDN demos to demos.mozilla.com or another domain.
> 
> Hopefully we could avoid m.c entirely.

bug 664724 has been open for awhile, with the intent to use mozillademos.org. 

Last I knew, we were waiting on some IT infrastructure juggling. I haven't followed up myself recently, so I'm not sure it's on anyone's radar.
Either way, we should nuke the offending demo ASAP.  Who has permissions to do that?
I hid the demos for now and will contact the authors later. Should I outright remove them from the site. AFAIK, only administrators can see hidden demos.

(Too bad the offending demos are GTD task-lists. The computer scientist in me is glad to mitigate the XSS risk, but the manager in me is wishing we could get them back online fixed.)
<groovecoder> openjck: nah, don't nuke them
Looks like 1.0 Beta 3 of jQuery Mobile fixed this (correct me if I'm wrong), so I'll ask the authors to update to the latest version of jQuery Mobile and will unhide the offending demos if everything checks out.
The offending demos have been hidden and the authors have been contacted.

Marking as fixed.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
(In reply to John Karahalis [:openjck] from comment #10)
> The offending demos have been hidden and the authors have been contacted.
> 
> Marking as fixed.

I confirmed it.

But the exploit links is living still now.
These exploit links have been opened *already*.
We should make their files denying access from web.

And also, mala did not scan all demos. (He scanned with a simple way only.)
Demo studio may have other demos which have same vulnerability by jQuery Mobile.

I think that, we should scan all demos whether they have same vulnerability or not.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Do we have a tool for scanning?

We'll investigate censoring specific media, but we didn't design for that so it might be faster/easier/better to just fix bug 664724.
Target Milestone: --- → 2.5
Target Milestone: 2.5 → ---
(In reply to Luke Crouch [:groovecoder] from comment #12)
> Do we have a tool for scanning?
> 
> We'll investigate censoring specific media, but we didn't design for that so
> it might be faster/easier/better to just fix bug 664724.

Can't access bug 664724 for some reason. Is that the one about getting a new subdomain for demos? Some more automated way of fixing this would be preferable, as there are about 300 demos and more every day.

Until then, there is one quick automation approach:

1. Unzip all demos to some directory.
2. grep -ri "*jquery*mobile" *
4. Search the list for demos using jQuery Mobile < beta2
4. Hide those demos

Would anyone with higher access than me be able to send me a giant zip of all demos submitted so far?
(In reply to John Karahalis [:openjck] from comment #13)
 
> Would anyone with higher access than me be able to send me a giant zip of
> all demos submitted so far?

Only IT has that access, I think. Maybe needs an IT bug filed? It would also probably be a very giant zip
(In reply to Les Orchard [:lorchard] from comment #14)
> (In reply to John Karahalis [:openjck] from comment #13)
>  
> > Would anyone with higher access than me be able to send me a giant zip of
> > all demos submitted so far?
> 
> Only IT has that access, I think. Maybe needs an IT bug filed? It would also
> probably be a very giant zip

Not if we squeeze it in really, really tight. Or I could just ask IT to run the grep and send me the stdout.

Also, it looks like hiding demos doesn't truly hide them:

https://developer.mozilla.org/media/uploads/demos/l/m/lmorchard/maybe-do/demo_package/index.html
(In reply to John Karahalis [:openjck] from comment #15)
 
> Not if we squeeze it in really, really tight. Or I could just ask IT to run
> the grep and send me the stdout.

Yeah, I think we have a few 50-80MB demos. Not sure how big the whole corpus is, though. :/ Would be nice if we could get read-only shell access to the NFS mount.

> Also, it looks like hiding demos doesn't truly hide them:
> 
> https://developer.mozilla.org/media/uploads/demos/l/m/lmorchard/maybe-do/
> demo_package/index.html

Hiding only affects demo listings on the site. The demo media is on a static web server and not protected by any access controls. Deletion will get rid of the media.
Opened IT bug: bug 740683
I got IT to run the grep described in comment 13. Turns out, only Maybe Do and GSD are vulnerable. A few more demos are using jQuery Mobile, but they are using a version above beta2. It's possible that the grep missed a couple of demos, but unlikely.

I made backups of the demos, deleted them, and will shortly contact the authors.

Is there a way to automate this in the future? For example, running the test posted in comment 0 on every demo that is submitted?
We could add a DEMO_FILENAME_BLACKLIST like the DEMO_MIMETYPE_BLACKLIST used in https://github.com/mozilla/kuma/blob/master/apps/demos/models.py#L576

It wouldn't protect against malicious demo poisoning, but it would protect against libraries with vulnerabilities that are naively included by demo authors.
Anyone know why the demos are still online even after I deleted them? Aside from this, everything is done.
Demos now 404'ing.
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → FIXED
To clarify, I got IT to take them down. Marking as closed unless anyone has an objection.
Version: MDN → unspecified
Component: Demos → Demo Studio / Dev Derby
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: developer.mozilla.org → developer.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.