Bug 769757 - xss: developer.mozilla.org
Status: RESOLVED INVALID (Closed)
Opened 13 years ago, closed 12 years ago
Product/Component: developer.mozilla.org Graveyard :: User management (task)
Tracking: Not tracked
Reporter: curtisk; Assignee: Unassigned
Keywords: wsec-xss
site:developer.mozilla.org
* Dom Based XSS
https://developer.mozilla.org/media/uploads/demos/R/a/Rapp/noisy/demo_package/index.html
fill:
</script><script>alert('XSS')</script>
in the background-color textbox, then click somewhere else in the page.
BGXSS.png
* dialogArguments XSS (works only on old versions of Firefox, like 3.5.4)
http://developer.mozilla.org/samples/domref/showModalDialogBox.html
Vuln Code:
<script>
document.write("Modal dialog got argument: " + window.dialogArguments);
</script>
The page gets arguments using "window.dialogArguments" and writes them to the page without HTML encoding.
Fix: use an escape function or another HTML encoding mechanism.
DialogArgXSS.png
* File Upload XSS
https://developer.mozilla.org/samples/domref/file-click-demo.html
By selecting the filename "<img src=X onerror=alert(1)>.png" (it is possible to create filenames like this on Linux) in the upload file dialog, HTML code is inserted into the page.
UploadXSS2.png
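The second and third findings share one root cause: an attacker-influenced string (window.dialogArguments, a file name from an upload control) is concatenated straight into markup. The report's suggested fix is an escape function or other HTML encoding mechanism. The following is an added example of that fix, not code from the bug report or from MDN's sample pages; the function names (escapeHtml, renderDialogArgumentSafe, renderFileNameSafe, setTextSafely) and the sample payloads are assumptions chosen for illustration.

```javascript
// Added example: HTML-encode untrusted strings before they reach innerHTML
// or document.write, or avoid markup entirely by assigning textContent.
// Function names and sample inputs are constructed for this example.

// Encode the five characters that can change meaning inside element content
// or a double/single-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The pattern from the showModalDialogBox sample: the argument is written
// into the page verbatim, so any markup inside it is parsed as markup.
function renderDialogArgumentUnsafe(arg) {
  return 'Modal dialog got argument: ' + arg;
}

// Hardened variant: the argument is encoded, so the browser shows it as text.
function renderDialogArgumentSafe(arg) {
  return 'Modal dialog got argument: ' + escapeHtml(arg);
}

// Same fix for the file-click sample: a selected file name is data, not HTML.
function renderFileNameSafe(fileName) {
  return '<p>Selected file: ' + escapeHtml(fileName) + '</p>';
}

// Preferred in real DOM code: textContent never parses markup, so no
// encoding step is needed. The element is any object with a textContent slot,
// which lets the function run outside a browser for the checks below.
function setTextSafely(element, value) {
  element.textContent = String(value);
  return element;
}

// Constructed sample inputs mirroring the shapes reported in the bug.
const SAMPLE_DIALOG_ARG = '<b>hello</b>';
const SAMPLE_FILE_NAME = '<img src=X onerror=alert(1)>.png';

// Quick self-check when run directly: unsafe output still contains a raw tag,
// safe output does not.
function demo() {
  const unsafe = renderDialogArgumentUnsafe(SAMPLE_DIALOG_ARG);
  const safe = renderDialogArgumentSafe(SAMPLE_DIALOG_ARG);
  return { unsafeHasTag: /<[a-z]/i.test(unsafe), safeHasTag: /<[a-z]/i.test(safe) };
}
```

Encoding is only correct for the context it targets: escapeHtml covers element content and quoted attribute values, not URLs, inline scripts, or CSS. For the first finding (a colour value placed into a style), validating the input against the expected format (for example a hex colour or a CSS colour keyword) is the appropriate control rather than entity encoding.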
Updated • 13 years ago
Component: other.mozilla.org → Administration
Keywords: wsec-xss
Product: Websites → Mozilla Developer Network
QA Contact: other-mozilla-org → administration
Comment 2 • 13 years ago
MDN is not on our list of sites for which we pay the bounty. It's a wiki so we expect a certain amount of vandalism and are prepared to recover from it, and otherwise it's read-only documentation and doesn't control other important client functionality.
Comment 3 • 13 years ago
This looks like 3 bugs. Should it be split out?
The first one looks like an issue with a demo. Don't we traditionally remove demos with vulnerabilities like this?
Comment 4 • 13 years ago
In the past we've "censored" the demo while we contact the demo creator to update the demo to fix the vulnerability. John, do you think you can do that with the 'noisy' demo? [1]
:sheppy, what's the policy and procedure around MDN sample code with XSS?
[1] https://developer.mozilla.org/en-US/demosdetail/noisy
Comment 5 • 13 years ago
I have no idea. Frankly, I think these aren't really vulnerabilities, given you have to do stuff at the local console to make anything happen on these pages (at least on the two sample code pages). I don't get the hubbub here, personally.
I'm disinclined to remove the sample code unless there's a real problem and not just an "oh no, someone can type script in and have it run," which doesn't seem like an actual risk to me. The fact of the matter is that realistically, samples are going to be simple little things, and if we have to guarantee security for every single one, screw it, I'm going to forbid all sample code on MDN.
Comment 6 • 13 years ago
In the past, I have totally taken down demos vulnerable to XSS. I will do the same with "Noisy" and report back when finished.
Comment 7 • 13 years ago
Censored the demo so that people cannot access it without knowing the exact URL, and opened bug 774804 to remove the files so that even people with the exact URL will not be able to access it.
Comment 8 • 13 years ago
Curtis, could you please split the separate vulnerabilities into separate bugs? It also looks like there are attachments missing.
Updated • 12 years ago
Component: Administration → User management
Comment 9 • 12 years ago
The first issue mentioned here was fixed with comment 7. The other two have been broken down into bug 826912 and bug 826915, respectively.
Worth re-visiting the discussion here, especially comment 5, in light of our new approach to code samples.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Comment 10 • 9 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated • 5 years ago
Product: developer.mozilla.org → developer.mozilla.org Graveyard