Closed
Bug 828631
Opened 11 years ago
Closed 11 years ago
Persistent XSS on demo pages
Categories
(developer.mozilla.org Graveyard :: Demo Studio / Dev Derby, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 812746
People
(Reporter: netfuzzerr, Unassigned)
Details
(Whiteboard: [site:developer-dev.allizom.org])
Attachments
(1 file)
202 bytes,
application/zip
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.26 Safari/537.22

Steps to reproduce:

Hi,

There's a persistent cross-site scripting vulnerability on developer-dev.allizom.org on demo pages. The vulnerability is caused by bad handling of the demos that are uploaded and hosted on the main server; as these demo files can contain HTML files, it results in a persistent XSS vulnerability. A fix for this could be to build a domain only to host the demo files.

PoC: https://developer-dev.allizom.org/pt-PT/demos/detail/img-srcxssed-onerrorconfirm3/launch

Reproduce:
1. Log on to https://developer-dev.allizom.org/
2. Go to https://developer-dev.allizom.org/pt-PT/demos/submit
3. Fill in all fields as you wish and upload the poc.zip (attached to this bug).
4. After the demo is uploaded and saved,
5. Click the link "Launch Demo".
6. See the alert.

Cheers,
Mario
Reporter
Updated•11 years ago
Severity: normal → critical
Reporter
Comment 1•11 years ago
Can this bug be eligible for a bounty?
Updated•11 years ago
Flags: sec-bounty?
assigned to mgoodwin to verify

This site is not officially in our list of eligible sites. This means we have to decide if your bug is worth making an exception and potentially setting a precedent. We do appreciate learning about bugs in all of our sites. We publish a list of eligible sites for people who are only interested in bounties and we hope that can help reduce the frustration of wasting time in unfruitful areas.
http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs
Assignee: nobody → mgoodwin
Flags: needinfo?(mgoodwin)
Whiteboard: [verif?]
Updated•11 years ago
Attachment #700003 - Attachment mime type: text/plain → application/zip
Comment 3•11 years ago
Verified.
Remediation: If we must serve untrusted content, we should isolate it by serving it from a different domain (e.g. similar to how Bugzilla attachments work).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(mgoodwin)
Whiteboard: [verif?]
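The remediation named in Comment 3 (serve untrusted demo files from a different domain), as an added example that is not code from this bug or from MDN. The host names, the launch route shape and the in-memory upload store are hypothetical.

```python
import re

MAIN_HOST = "developer.example.org"          # assumed: main site, holds session cookies
DEMO_HOST = "demos.example-usercontent.org"  # assumed: separate registrable domain, no cookies
SLUG = re.compile(r"[a-z0-9-]{1,64}")
LAUNCH = re.compile(r"/demos/detail/([^/]+)/launch")  # hypothetical route shape

# Constructed sample upload; a real store would hold the unpacked demo zip.
UPLOADS = {"sample-demo": b"<!doctype html><p>user-supplied demo</p>"}

def app(environ, start_response):
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()
    path = environ.get("PATH_INFO", "")
    if host == MAIN_HOST:
        m = LAUNCH.fullmatch(path)
        if m and SLUG.fullmatch(m.group(1)) and m.group(1) in UPLOADS:
            # Never render upload bytes in the main origin; hand off instead.
            target = f"https://{DEMO_HOST}/{m.group(1)}/index.html"
            start_response("302 Found", [("Location", target)])
            return [b""]
    elif host == DEMO_HOST:
        slug = path.strip("/").split("/")[0]
        if path == f"/{slug}/index.html" and slug in UPLOADS:
            body = UPLOADS[slug]
            start_response("200 OK", [
                ("Content-Type", "text/html; charset=utf-8"),
                ("X-Content-Type-Options", "nosniff"),
                # Opaque origin per response, so demos sharing this host
                # cannot read each other's storage either.
                ("Content-Security-Policy", "sandbox allow-scripts"),
                ("Content-Length", str(len(body))),
            ])  # note: no Set-Cookie is ever issued on this host
            return [body]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]

def request(host, path):
    """Drive the WSGI app directly; returns (status, headers, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app({"HTTP_HOST": host, "PATH_INFO": path}, start_response))
    return seen["status"], seen["headers"], body
```

The isolation only holds if the main site's session cookies are host-only or scoped to a domain that does not cover the demo host, which is why the example assumes a separate registrable domain.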
Updated•11 years ago
Assignee: mgoodwin → nobody
Updated•11 years ago
Severity: critical → normal
Comment 4•11 years ago
morgamic: who should we assign mdn security bugs to?
Updated•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE
Updated•11 years ago
Whiteboard: [site:developer-dev.allizom.org]
Comment 8•8 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•4 years ago
Product: developer.mozilla.org → developer.mozilla.org Graveyard