Persistent XSS on demo pages

RESOLVED DUPLICATE of bug 812746

Status

Mozilla Developer Network
Demo Studio / Dev Derby

People

(Reporter: x, Unassigned)

Tracking

(Blocks: 1 bug)

unspecified
Bug Flags:
sec-bounty -

Details

(Whiteboard: [site:developer-dev.allizom.org], URL)

Attachments

(1 attachment)

Created attachment 700003 [details]
poc.zip

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.26 Safari/537.22

Steps to reproduce:

Hi,

There's a persistent cross-site scripting vulnerability on developer-dev.allizom.org on demo pages. The vulnerability is caused by bad handling of the DEMOS that are uploaded and hosted on the main server; as these DEMO files can contain HTML files, it results in a persistent XSS vulnerability. A patch for this can be to build a domain only to host the DEMO files.

PoC: https://developer-dev.allizom.org/pt-PT/demos/detail/img-srcxssed-onerrorconfirm3/launch

Reproduce:
1. Log on to https://developer-dev.allizom.org/
2. Go to https://developer-dev.allizom.org/pt-PT/demos/submit
3. Fill in all fields as you wish and upload poc.zip (attached to this bug).
4. After the demo is uploaded and saved:
5. Click the link "Launch Demo".
6. See the alert.

Cheers,
Mario
Severity: normal → critical
Can this bug be eligible for a bounty?
Flags: sec-bounty?
assigned to mgoodwin to verify

This site is not officially in our list of eligible sites. This means we
have to decide if your bug is worth making an exception and potentially
setting a precedent.

We do appreciate learning about bugs in all of our sites. We publish a
list of eligible sites for people who are only interested in bounties
and we hope that can help reduce the frustration of wasting time in
unfruitful areas.
http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs
Assignee: nobody → mgoodwin
Flags: needinfo?(mgoodwin)
Whiteboard: [verif?]
Attachment #700003 - Attachment mime type: text/plain → application/zip
Verified.

Remediation:
If we must serve untrusted content we should isolate it by serving it from a different domain (e.g. similar to how Bugzilla attachments work).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(mgoodwin)
Whiteboard: [verif?]
Assignee: mgoodwin → nobody
Severity: critical → normal
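An added illustration of the remediation proposed above (not MDN's or Bugzilla's code): uploaded demo files are only ever answered from a dedicated, cookie-less origin, so HTML inside a demo zip cannot script the main site. The sandbox hostname, the function names and the `origin_of` helper are assumptions for the example.

```python
from urllib.parse import urlsplit

# Assumed hostnames for the example: the main site (holds sessions) and a
# separate origin that exists only to host uploaded demo files.
MAIN_ORIGIN = "https://developer-dev.allizom.org"
SANDBOX_ORIGIN = "https://demos-sandbox.example.net"


def origin_of(url: str) -> tuple:
    """Return the (scheme, host, port) triple the browser uses for same-origin checks."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname, port)


def is_same_origin(url_a: str, url_b: str) -> bool:
    return origin_of(url_a) == origin_of(url_b)


def launch_url(demo_slug: str, entry: str = "index.html") -> str:
    """Build the 'Launch Demo' link on the main site so it opens the demo on the
    sandbox origin rather than under developer-dev.allizom.org."""
    return f"{SANDBOX_ORIGIN}/demos/{demo_slug}/{entry}"


def demo_response_headers(request_url: str, content_type: str):
    """Decide how a request for an uploaded demo file is answered.

    Returns the response headers when the request arrives on the sandbox
    origin, or None (i.e. 404) when a demo file is requested through the main
    origin, where it could read the logged-in user's session.
    """
    if not is_same_origin(request_url, SANDBOX_ORIGIN):
        return None
    return {
        "Content-Type": content_type,
        # Stop browsers from sniffing a disguised file into a different type.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: run each demo with an opaque origin so demos hosted
        # side by side on the sandbox host cannot read each other's storage.
        "Content-Security-Policy": "sandbox allow-scripts",
    }


if __name__ == "__main__":
    print(launch_url("img-srcxssed-onerrorconfirm3"))
    print(demo_response_headers(MAIN_ORIGIN + "/demos/x/index.html", "text/html"))
```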
morgamic: who should we assign mdn security bugs to?
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE
Duplicate of bug: 812746
Duplicate of this bug: 826891

Updated

5 years ago
Blocks: 835457
Whiteboard: [site:developer-dev.allizom.org]
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security