Persistent XSS with SVG files on http://wiki.mozilla.org

RESOLVED FIXED in 2014-Q3

Status

Websites
wiki.mozilla.org
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: Mario Gomes, Unassigned)

Tracking

({wsec-xss})

unspecified
2014-Q3
wsec-xss
Dependency tree / graph

Details

(Whiteboard: [site:wiki.mozilla.org] [fixed by bug 1032351], URL)

(Reporter)

Description

6 years ago
Hello,

Persistent Cross Site Scripting(XSS) on SVG files. This can allow attackers to execute javascript codes on as orign wiki.mozilla.org.

PoC: https://wiki.mozilla.org/images/d/da/File.svg

Cheers,
Mario.
(Reporter)

Comment 1

6 years ago
Tested On: Chrome, Safari and Opera.
Depends on: 767183
(Reporter)

Comment 2

6 years ago
Is it a duplicate?

Comment 3

6 years ago
I don't think it's a duplicate, he's saying it will be fixed when the update described in that bug is pushed.
(Reporter)

Comment 4

6 years ago
Well, I know that this site is not listed on bountable list(https://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs), but also was said "...If the bug is extraordinary, we might still consider the bug to be nominated for a bounty...". So, can this be eligible for a bounty?

Updated

6 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 5

6 years ago
The bug bounty committee is meeting today and will decide whether the bug is eligible. Thank you for reporting, we will contact you if it is.
(Reporter)

Comment 7

6 years ago
Okay. Thanks you.

(In reply to Matt Fuller from comment #5)
> The bug bounty committee is meeting today and will decide whether the bug is
> eligible. Thank you for reporting, we will contact you if it is.
(Reporter)

Comment 9

6 years ago
This file(https://wiki.mozilla.org/images/e/e0/XSS.svg) works on Firefox, Chrome, Safari, Opera and IE9(well, on IE crash the browser).

Comment 10

6 years ago
Mario,

We believe this does not qualify for a bounty based on that it is a dupe of http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-June/000116.html and the site is normally not on the list of qualifying sites.

Thanks for reporting and keep us aware that we need to update our installation as soon as possible.

Updated

5 years ago
Blocks: 835501
Whiteboard: [site:wiki.mozilla.org]
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
(Reporter)

Updated

4 years ago
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INVALID
Reopening because this is/was a valid bug.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
(Reporter)

Comment 13

4 years ago
It doesnt reproduce anymore. You can close this as 'fixed'.
I've confirmed that it's no longer possible to upload svg files with this exploit. I've also removed the sample file from the wiki.
Status: REOPENED → RESOLVED
Last Resolved: 4 years ago4 years ago
Resolution: --- → FIXED
Group: websites-security
Duplicate of this bug: 966734
Depends on: 1032351
No longer depends on: 767183
OS: Windows 7 → All
Hardware: x86 → All
Whiteboard: [site:wiki.mozilla.org] → [site:wiki.mozilla.org] [fixed by bug 1032351]
Target Milestone: --- → 2014-Q3
You need to log in before you can comment on or make changes to this bug.