815768 - IE-only XSS in Mozilla Developer Network

Status: RESOLVED FIXED

(developer.mozilla.org :: Security, defect, P1)

Description

[Yaroslav]

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Steps to reproduce:

XSS in Mozilla Developer Network.
Work in all new IE in Compatibility Mode.
IE iframe XSS vector.
No filtering iframe content (<, >, ", ').

Steps:
1. developer.mozilla.org
2. profile page
3. "Docs user page"
4. html mode
5. code:
<iframe>
<iframe src="javascript:alert(1);"></iframe>
</iframe>
6. save
7. test in IE.

Comment 1

[Yaroslav]

+++
No duplicate 800548, 801046.

Comment 2

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

per our web sec bug verification rotation assigning to rforbes to verity

Comment 3

[Raymond Forbes[:rforbes]]

@yaroslav  I am having trouble finding the vulnerable page.  You listed "Docs user page"  how do i find that?

Comment 4

[Yaroslav]

Image: http://img43.imageshack.us/img43/6827/demobc.jpg

Comment 5

[Raymond Forbes[:rforbes]]

ok, thanks to curtisk I found the page.  Yup, this works.

Comment 6

[John Karahalis [:openjck]]

The "Docs user page" link is no longer available. To reproduce this now, a user should do the following, which replace steps 1-3 from comment 0.

1. Visit https://developer-dev.allizom.org/
2. Log in
3. Navigate to https://developer-dev.allizom.org/docs/new

The rest of the steps follow as described in comment 0.

Comment 7

[Les Orchard [:lorchard]]

https://github.com/mozilla/kuma/pull/998

Comment 8

[Yvan Boily [:ygjb][:yvan]]

Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.

Comment 9

[Will Kahn-Greene [:willkg] ET needinfo? me]

For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.