XSS vulnerability of input.mozilla.org

VERIFIED FIXED in 4.3

Status: VERIFIED FIXED
Product: Websites
Component: other.mozilla.org
Reported: 6 years ago
Modified: 11 months ago
Reporter: mala
Assignee: Unassigned
Blocks: 1 bug
Version: unspecified
Keywords: sec-high, wsec-xss
Attachments: 1 attachment

Description (Reporter)

6 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.0 Safari/537.1

Steps to reproduce:

http://input.mozilla.org/en-US/feedback#<img src=/ onerror=alert(1)>
Actual results:

feedback.js has an XSS vulnerability with jQuery,
$('#' + hash) here:

https://github.com/fwenzel/reporter/blob/master/media/js/feedback.js#L81

see also http://bugs.jquery.com/ticket/9521
Group: core-security → websites-security
Component: General → Other
Product: Input → Websites
QA Contact: general → other
Component: Other → other.mozilla.org
QA Contact: other → other-mozilla-org

Comment 1

6 years ago
Definitely a valid XSS - marked as New and I'll look for a developer.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 2

6 years ago
:james, can you take a look at this? Thanks!
While I take a look, can someone from AppSec fill in the relevant whiteboard/keyword info like severity. And I think this is ws-reflected-xss but I don't remember all the new codes/keywords.

Comment 5

6 years ago
I am adding the whiteboard/keywords, :curtisk, can you fix them if they're incorrect. Also, :james, let me do some testing on that page and get back to you - I believe that is the correct line (the one the reporter posted) but I'll get back to you on that shortly.

Updated

6 years ago
Keywords: sec-high
Whiteboard: [infrasec:xss][ws:high]
Nigel, if you're familiar with feedback.js, and want to take this, you'd be my hero, or else if you can just help me review a patch in a little bit.

Comment 7

6 years ago
I'm not familiar with feedback.js, I'll help review the code.

Comment 8

6 years ago
That does seem to be the line causing issues. For more information about the bug, here are some helpful links:

The JQuery Bug: http://bugs.jquery.com/ticket/9521

A Demo with Description and fix: http://ma.la/jquery_xss/

Thanks guys!
(Reporter)

Comment 9

6 years ago
Hi, there are 3 ways to fix this issue.

1. update jQuery
2. $(document).find("#" + hash)
3. hash = hash.replace(/<|>/g, "")

1 will solve other potential problems. It is the best solution if no compatibility problems occur.
https://github.com/mozilla/input.mozilla.org/pull/49

I took a 4th option, whitelist valid values for this. I could add #2 as well. We don't really have the dev cycles right now to try to upgrade jQuery, and #3 is a blacklist, which makes me nervous (someone could find a way through that with something else).
This pull request was r=nigelb and merged, also cherry-picked to the prod branch.
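The sink and the fix options discussed in the two comments above, as an added example that is neither the reporter's nor the project's code. It models jQuery's old and updated "is this HTML?" heuristic with two regexes (an assumption about the library's internals, labelled in the comments), and the section ids in the whitelist are constructed sample values.

```javascript
// Added example, not from feedback.js. Models why `$('#' + hash)` is an XSS
// sink when `hash` comes from location.hash, and the fixes the thread lists.

// Assumption: approximation of the test old jQuery applied to a string passed
// to $(). Any string containing a <...> run was parsed as markup, so
// '#<img src=/ onerror=alert(1)>' became a real element and onerror fired.
const HTML_LIKE_OLD = /^[^<]*(<[\w\W]+>)[^>]*$/;
// Assumption: the updated heuristic (fix option 1, "update jQuery") refuses the
// HTML branch for anything that starts with '#', so the string is a selector.
const HTML_LIKE_FIXED = /^[^#<]*(<[\w\W]+>)[^>]*$/;

// Vulnerable pattern as reported: the fragment is concatenated straight into
// the argument of $(). Returns the string that would reach $().
function vulnerableSelector(locationHash) {
  return '#' + locationHash.replace(/^#/, '');
}

// Would this string be parsed as HTML (and its handlers run) under the given
// heuristic? `$(document).find(sel)` (option 2) never takes the HTML path.
function treatedAsHtml(selector, heuristic = HTML_LIKE_OLD) {
  return heuristic.test(selector);
}

// Option 3 (blacklist): strip angle brackets. Blocks only what the regex
// names; anything else in the fragment still reaches the selector engine.
function blacklistHash(locationHash) {
  return locationHash.replace(/^#/, '').replace(/<|>/g, '');
}

// Option 4 (the merged approach): accept only fragments naming a known
// section, otherwise return null so no selector is built at all.
const ALLOWED_SECTIONS = ['happy', 'sad', 'idea']; // constructed sample ids
function whitelistHash(locationHash, allowed = ALLOWED_SECTIONS) {
  const hash = locationHash.replace(/^#/, '');
  return allowed.includes(hash) ? hash : null;
}

const PAYLOAD = '#<img src=/ onerror=alert(1)>'; // fragment from the report
console.log(treatedAsHtml(vulnerableSelector(PAYLOAD)));                  // true
console.log(treatedAsHtml(vulnerableSelector(PAYLOAD), HTML_LIKE_FIXED)); // false
console.log(whitelistHash(PAYLOAD), whitelistHash('#sad'));               // null 'sad'
```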

CCing mbrandt to help verify. (input-dev.allizom.org seems to have picked up the new code OK).
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 4.3

Updated

6 years ago
Status: RESOLVED → VERIFIED
Wow, thanks for the fast fix guys!
The patch just landed on prod (bug 767108) and has been verified. Thank you to all who helped identify, patch, and get this landed on prod.
Reopening: it appears that the push reverted somehow and the vulnerability is back on prod again.

Let's reclose this once we get bug 767108 sorted out.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Bug 767108 has been remedied - once again thanks everyone for rocking out this bug.
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Bumping back to QA verified
Status: RESOLVED → VERIFIED
Since the fix is in production I'd like to remove this from the websites security group and make it public. Since it's sec-high, I want to check first, though. Matt F, are we OK to open this up now that it's VERIFIED FIXED in prod?
I'm going to defer that to :curtisk, I'll ping him tomorrow to make sure. Thanks again for working on it.
Keywords: wsec-xss
Whiteboard: [infrasec:xss][ws:high]
I've confirmed that if this has been fixed (which it has) we can go ahead and remove it from the group.
Group: websites-security
Duplicate of this bug: 769758