Closed
Bug 766924
Opened 13 years ago
Closed 13 years ago
XSS vulnerability of input.mozilla.org
Categories: Websites :: other.mozilla.org, defect
Tracking: (Not tracked)
Status: VERIFIED FIXED
Target Milestone: 4.3
People: Reporter: bugzilla, Unassigned
Keywords: sec-high, wsec-xss
Attachments (1 file): 221.49 KB, image/png
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.0 Safari/537.1
Steps to reproduce:
http://input.mozilla.org/en-US/feedback#<img src=/ onerror=alert(1)>
Actual results:
feedback.js has an XSS vulnerability via jQuery: `$('#' + hash)` here
https://github.com/fwenzel/reporter/blob/master/media/js/feedback.js#L81
see also http://bugs.jquery.com/ticket/9521
Updated•13 years ago
Group: core-security → websites-security
Component: General → Other
Product: Input → Websites
QA Contact: general → other
Updated•13 years ago
Component: Other → other.mozilla.org
QA Contact: other → other-mozilla-org
Comment 1•13 years ago
Definitely a valid XSS - marked as New and I'll look for a developer.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•13 years ago
:james, can you take a look at this? Thanks!
Comment 3•13 years ago
While I take a look, can someone from AppSec fill in the relevant whiteboard/keyword info like severity. And I think this is ws-reflected-xss but I don't remember all the new codes/keywords.
Comment 4•13 years ago
Also, Matt, is this the line we're talking about?
https://github.com/mozilla/input.mozilla.org/blob/master/media/js/feedback.js#L83
Comment 5•13 years ago
I am adding the whiteboard/keywords, :curtisk, can you fix them if they're incorrect. Also, :james, let me do some testing on that page and get back to you - I believe that is the correct line (the one the reporter posted) but I'll get back to you on that shortly.
Comment 6•13 years ago
Nigel, if you're familiar with feedback.js, and want to take this, you'd be my hero, or else if you can just help me review a patch in a little bit.
Comment 7•13 years ago
I'm not familiar with feedback.js, I'll help review the code.
Comment 8•13 years ago
That does seem to be the line causing issues. For more information about the bug, here are some helpful links:
The JQuery Bug: http://bugs.jquery.com/ticket/9521
A Demo with Description and fix: http://ma.la/jquery_xss/
Thanks guys!
Hi, there are 3 ways to fix this issue.
1. update jQuery
2. $(document).find("#" + hash)
3. hash = hash.replace(/<|>/g, "")
1 will solve other potential problems. It is the best solution if the problem of compatibility does not occur.
Comment 10•13 years ago
https://github.com/mozilla/input.mozilla.org/pull/49
I took a 4th option, whitelist valid values for this. I could add #2 as well. We don't really have the dev cycles right now to try to upgrade jQuery, and #3 is a blacklist, which makes me nervous (someone could find a way through that with something else).
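As an added example (not code from input.mozilla.org, jQuery, or the pull request above), the following plain-JavaScript model shows the two points made in the last two comments: why `$('#' + hash)` on a 1.6-era jQuery interpreted a fragment like the one in comment 0 as HTML, and what the allowlist approach from comment 10 looks like. The two `quickExpr` regexes are reconstructed from jQuery's version history and the allowed section names are hypothetical.

```javascript
// Model of jQuery's $(string) dispatch. The regex jQuery 1.6.x used in init():
// an HTML tag anywhere in the string wins over the "#id" shortcut, so
// "#" + location.hash with a tag in it is parsed as HTML (reconstructed, see lead-in).
const QUICK_EXPR_1_6 = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// jQuery 1.9+: only strings that *begin* with '<' are treated as HTML.
const QUICK_EXPR_1_9 = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// How $(str) would route the string: 'html' (string is parsed into DOM nodes,
// which is where onerror= fires), 'id' (getElementById), or 'selector' (Sizzle).
function classify(str, quickExpr) {
  const m = quickExpr.exec(str);
  if (m && m[1]) return 'html';
  if (m && m[2] !== undefined) return 'id';
  return 'selector';
}

// Fix option 4 from comment 10: only accept fragment values feedback.js knows
// about, rather than stripping '<' and '>' (a denylist). Names are constructed.
const ALLOWED_SECTIONS = new Set(['happy', 'sad', 'idea']); // hypothetical

// Normalise location.hash (with or without the leading '#', possibly
// percent-encoded as in comment 12) and return it only if it is on the allowlist.
function safeHash(rawHash) {
  let hash = rawHash.replace(/^#/, '');
  try {
    hash = decodeURIComponent(hash);
  } catch (e) {
    return null; // malformed percent-encoding: treat as not allowed
  }
  return ALLOWED_SECTIONS.has(hash) ? hash : null;
}

// The selector that would be handed to jQuery after the fix, or null if the
// fragment was rejected. Combined with $(document).find() (option 2) the string
// can never reach the HTML-parsing path at all.
function selectorFor(rawHash) {
  const hash = safeHash(rawHash);
  return hash === null ? null : '#' + hash;
}

// Constructed sample fragments, including the one from comment 0.
const PAYLOAD_FRAGMENT = '#<img src=/ onerror=alert(1)>';
const ENCODED_FRAGMENT = '#%3Cimg%20src=/%20onerror=alert%281%29%3E';
```

Running `classify(PAYLOAD_FRAGMENT, QUICK_EXPR_1_6)` returns `'html'` while the 1.9 regex returns `'selector'`, and `safeHash` rejects both sample fragments before jQuery ever sees them.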
Comment 11•13 years ago
This pull request was r=nigelb and merged, also cherry-picked to the prod branch.
CCing mbrandt to help verify. (input-dev.allizom.org seems to have picked up the new code OK).
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → 4.3
Comment 12•13 years ago
QA verified on dev - followed steps to reproduce in comment 0
http://input-dev.allizom.org/en-US/feedback#%3Cimg%20src=/%20onerror=alert%281%29%3E
Updated•13 years ago
Status: RESOLVED → VERIFIED
Comment 13•13 years ago
Wow, thanks for the fast fix guys!
Comment 14•13 years ago
The patch just landed on prod (bug 767108) and has been verified. Thank you to all who helped identify, patch, and get this landed on prod.
Comment 15•13 years ago
Reopening: it appears that the push reverted somehow and the vulnerability is back on prod again.
Let's reclose this once we get bug 767108 sorted out.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Comment 16•13 years ago
Bug 767108 has been remedied - once again thanks everyone for rocking out this bug.
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → FIXED
Comment 18•13 years ago
Since the fix is in production I'd like to remove this from the websites security group and make it public. Since it's sec-high, I want to check first, though. Matt F--are we OK to open this up now that it's VERIFIED FIXED in prod?
Comment 19•13 years ago
I'm going to defer that to :curtisk, I'll ping him tomorrow to make sure. Thanks again for working on it
Comment 20•13 years ago
I've confirmed that if this has been fixed (which it has) we can go ahead and remove it from the group.
Group: websites-security