Created attachment 700003 [details] poc.zip
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.26 Safari/537.22

Steps to reproduce:

Hi,

There's a persistent cross-site scripting vulnerability on developer-dev.allizom.org on demo pages. The vulnerability is caused by bad handling of the DEMOS that are uploaded and hosted on the main server; as these DEMO files can contain HTML files, it results in a persistent XSS vulnerability. A patch for this could be building a domain only to host the DEMO files.

PoC: https://developer-dev.allizom.org/pt-PT/demos/detail/img-srcxssed-onerrorconfirm3/launch

Reproduce:
1. Log on to https://developer-dev.allizom.org/
2. Go to https://developer-dev.allizom.org/pt-PT/demos/submit
3. Fill in all fields as you wish and upload poc.zip (attached to this bug).
4. Upload and save the demo.
5. Click the link "Launch Demo".
6. See the alert.

Cheers,
Mario
Can this bug be eligible for a bounty?
assigned to mgoodwin to verify This site is not officially in our list of eligible sites. This means we have to decide if your bug is worth making an exception and potentially setting a precedent. We do appreciate learning about bugs in all of our sites. We publish a list of eligible sites for people who are only interested in bounties and we hope that can help reduce the frustration of wasting time in unfruitful areas. http://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs
Verified. Remediation: If we must serve untrusted content we should isolate it by serving it from a different domain (e.g. similar to how bugzilla attachments work).
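The following is an added illustration of the issue in the report and of the remediation proposed in the comment above; it is example code written for this page, not MDN/Kuma code or anything the reporter attached. The host name for the isolated origin, the demo storage dictionary and the sample uploaded file are constructed assumptions. The vulnerable handler serves the uploaded HTML straight from the application origin; the hardened handler only ever redirects from the application origin to a dedicated untrusted-content host, and on that host adds a sandboxing CSP as defence in depth beyond the origin split itself.

```python
"""Serving user-uploaded demo files: vulnerable vs. origin-isolated.

Example code added for illustration; not the project's own code.
The DEMO_HOST name and the demo storage below are assumptions.
"""
import mimetypes
from http import HTTPStatus

MAIN_HOST = "developer-dev.allizom.org"           # trusted application origin (from the report)
DEMO_HOST = "demos.allizom-usercontent.example"   # assumed dedicated untrusted-content origin

# Constructed sample upload: an HTML file with the same payload shape the
# report's PoC slug suggests (an <img> whose onerror handler runs script).
UPLOADED_DEMOS = {
    "img-srcxssed-onerrorconfirm3": {
        "index.html": b"<img src=x onerror=confirm(3)>",
    },
}


def _lookup(demo_slug, filename):
    """Return the stored bytes for a demo file, or None if absent."""
    demo = UPLOADED_DEMOS.get(demo_slug)
    if demo is None:
        return None
    return demo.get(filename)


def _content_type(filename):
    guessed, _ = mimetypes.guess_type(filename)
    return guessed or "application/octet-stream"


def vulnerable_serve_demo(host, demo_slug, filename):
    """The behaviour described in the report: uploaded HTML is served inline
    on the application origin, so its script runs with the victim's session
    cookie and can act on developer-dev.allizom.org as the victim."""
    body = _lookup(demo_slug, filename)
    if body is None or host != MAIN_HOST:
        return HTTPStatus.NOT_FOUND, {}, b""
    headers = {"Content-Type": _content_type(filename)}
    return HTTPStatus.OK, headers, body


def serve_demo(host, demo_slug, filename):
    """Hardened handler returning (status, headers, body).

    - On MAIN_HOST the untrusted bytes are never served; the browser is
      redirected to DEMO_HOST so any script in the file runs on an origin
      that holds no application session and cannot read MAIN_HOST's DOM,
      cookies or storage under the same-origin policy.
    - On DEMO_HOST the file is served with a CSP sandbox (no
      allow-same-origin), giving each response an opaque origin so one
      uploaded demo cannot attack another demo hosted on DEMO_HOST either.
    """
    body = _lookup(demo_slug, filename)
    if body is None:
        return HTTPStatus.NOT_FOUND, {}, b""
    if host == MAIN_HOST:
        location = f"https://{DEMO_HOST}/{demo_slug}/{filename}"
        return HTTPStatus.FOUND, {"Location": location}, b""
    if host != DEMO_HOST:
        # Unknown Host header: do not serve uploads from arbitrary names.
        return HTTPStatus.NOT_FOUND, {}, b""
    headers = {
        "Content-Type": _content_type(filename),
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox allow-scripts",
        "Cache-Control": "no-store",
    }
    return HTTPStatus.OK, headers, body


if __name__ == "__main__":
    slug = "img-srcxssed-onerrorconfirm3"
    print("vulnerable:", vulnerable_serve_demo(MAIN_HOST, slug, "index.html")[:2])
    print("main host :", serve_demo(MAIN_HOST, slug, "index.html")[:2])
    print("demo host :", serve_demo(DEMO_HOST, slug, "index.html")[:2])
```

The origin split only helps if DEMO_HOST is on a different registrable domain from the application (so a session cookie set without a Domain attribute, or with Domain=allizom.org, is never sent to it); the CSP sandbox header is an extra layer for the case where two demos on DEMO_HOST would otherwise share an origin.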
morgamic: who should we assign mdn security bugs to?
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.