Content type sniff xss is possible on https://developer.mozilla.org/pt-PT/docs/get-documents

RESOLVED WONTFIX

Status

developer.mozilla.org
General
5 years ago
2 years ago

People

(Reporter: Mario Gomes, Assigned: rforbes)

Tracking

(Blocks: 1 bug)

unspecified
Bug Flags:
sec-bounty -

Details

(Whiteboard: [site:developer.mozilla.org])

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.5 Safari/537.22

Steps to reproduce:

Hi,

There's a content type sniff vulnerability in https://developer.mozilla.org/pt-PT/docs/get-documents that allows XSS in some versions of Internet Explorer. The vulnerability is caused by non-use of the X-Content-Type-Options header.

PoC: https://developer.mozilla.org/pt-PT/docs/get-documents?term=%22'&current_locale=1&.html

Tested on IE 6/7.

Cheers,
Mario
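The condition reported above, as an added example that is not part of the bug report and not MDN's code: a Python WSGI handler that reflects `term` without `X-Content-Type-Options`, a header audit that flags it, and a middleware that sets `nosniff` on every response. The handler `suggest_app`, its JSON content type, and the helper names are assumptions made for illustration; only the query string is taken from the PoC URL.

```python
import json
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Query string from the PoC URL in the report.
QUERY = "term=%22'&current_locale=1&.html"

def suggest_app(environ, start_response):
    # Constructed stand-in handler (hypothetical): echoes ?term= back as JSON
    # and, like the reported endpoint, sends no X-Content-Type-Options header.
    term = parse_qs(environ.get("QUERY_STRING", "")).get("term", [""])[0]
    body = json.dumps({"term": term}).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]

class NoSniffMiddleware:
    """Wrap a WSGI app so every response carries X-Content-Type-Options: nosniff."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            # Drop any existing (possibly wrong) value, then set the only valid one.
            kept = [(k, v) for k, v in headers
                    if k.lower() != "x-content-type-options"]
            kept.append(("X-Content-Type-Options", "nosniff"))
            return start_response(status, kept, exc_info)
        return self.app(environ, patched)

def audit_headers(headers):
    """Return findings for one response's header list (list of (name, value))."""
    h = {k.lower(): v.strip().lower() for k, v in headers}
    findings = []
    if h.get("x-content-type-options") != "nosniff":
        findings.append("missing-nosniff")
    if not h.get("content-type"):
        findings.append("missing-content-type")
    return findings

def fetch(app, query):
    """Call a WSGI app in-process and return (status, headers, body)."""
    environ = {"QUERY_STRING": query}
    setup_testing_defaults(environ)  # fills in the rest without overwriting
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```
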
Assigned to rforbes for verification.
Assignee: nobody → rforbes
Whiteboard: [verif?]
(Assignee)

Comment 2

5 years ago
This works.
(Assignee)

Updated

5 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty?
Whiteboard: [verif?]
(Assignee)

Updated

5 years ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → WONTFIX

Updated

5 years ago
Blocks: 835457
Whiteboard: [site:developer.mozilla.org]
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security