847992 - XSS in FCKeditor on wiki.mozilla.org

Status: RESOLVED FIXED

(Websites :: wiki.mozilla.org, defect)

Description

[Al Billings [:abillings - ex-MoCo]]

Deepankar Arora and Nipun Jaswal (codeinjector007@gmail.com) sent the following report of a XSS in the FCKeditor on wiki.mozilla.org:

Hi Sir/Madam,

We have recently discovered a POST XSS vulnerability in one of your sub-domain (https://wiki.mozilla.org) .

Vulnerable Link: https://wiki.mozilla.org/extensions/FCKeditor/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php

POC: http://lab.pentest.co.in/mozilla/xss-poc.html

Exploit Code: http://lab.pentest.co.in/mozilla/xss-poc.txt

Bugzilla IDs:
nipunjaswal@rocketmail.com
codeinjector007@gmail.com

Waiting for a reply soon.

Regards,
Deepankar Arora
Nipun Jaswal

Comment 1

[Paul Theriault [:pauljt] (no longer reading bugmail)]

POC demonstrates XSS as described, in the "textinputs[]" parameter. The parameter gets injected straight into JavaScript, without escaping necessary characters:

var textinputs = new Array();
var error;
textinputs[0] = decodeURIComponent(" <- injection from here on.

I had a quick skim and I can't see an existing bug for this - not sure if this code is actually used or not, it seems to not work for me.

Comment 2

[Al Billings [:abillings - ex-MoCo]]

Well, we need to either:

1) Update the editor to a non-vulnerable version.
2) Fix it in place.
3) Remove the editor.

Comment 3

[Nipun Jaswal And Deepankar Arora]

The bug is still not fixed.

Comment 4

[Al Billings [:abillings - ex-MoCo]]

Yes, that is why the status of the bug is "new" instead of "resolved" with a resolution of "fixed."

Comment 5

[Andrei Hajdukewycz [:sancus]]

This appears to be fixed. The FCKeditor doesn't seem to be present anymore, likely removed during the recent wikimo upgrades.

Comment 6

[Daniel Veditz [:dveditz]]

Does not qualify for a bounty, wiki.mozilla.org is not a covered site (3rd party software, developer-oriented site).