Closed Bug 847992 Opened 9 years ago Closed 9 years ago

XSS in FCKeditor on wiki.mozilla.org

Categories

(Websites :: wiki.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: abillings, Assigned: pauljt)

Details

(Keywords: sec-moderate, wsec-xss, Whiteboard: [site:wiki.mozilla.org])

Deepankar Arora and Nipun Jaswal (codeinjector007@gmail.com) sent the following report of a XSS in the FCKeditor on wiki.mozilla.org:

Hi Sir/Madam,

We have recently discovered a POST XSS vulnerability in one of your sub-domain (https://wiki.mozilla.org) .

Vulnerable Link: https://wiki.mozilla.org/extensions/FCKeditor/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php

POC: http://lab.pentest.co.in/mozilla/xss-poc.html

Exploit Code: http://lab.pentest.co.in/mozilla/xss-poc.txt

Bugzilla IDs:
nipunjaswal@rocketmail.com
codeinjector007@gmail.com

Waiting for a reply soon.

Regards,
Deepankar Arora
Nipun Jaswal
Flags: sec-bounty?
Assignee: nobody → ptheriault
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [verif?]
POC demonstrates XSS as described, in the "textinputs[]" parameter. The parameter gets injected straight into JavaScript, without escaping necessary characters:

var textinputs = new Array();
var error;
textinputs[0] = decodeURIComponent(" <- injection from here on.

I had a quick skim and I can't see an existing bug for this - not sure if this code is actually used or not, it seems to not work for me.
Well, we need to either:

1) Update the editor to a non-vulnerable version.
2) Fix it in place.
3) Remove the editor.
The bug is still not fixed.
Yes, that is why the status of the bug is "new" instead of "resolved" with a resolution of "fixed."
Whiteboard: [verif?] → [verif?][site:wiki.mozilla.org]
This appears to be fixed. The FCKeditor doesn't seem to be present anymore, likely removed during the recent wikimo upgrades.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Does not qualify for a bounty, wiki.mozilla.org is not a covered site (3rd party software, developer-oriented site).
Flags: sec-bounty? → sec-bounty-
Whiteboard: [verif?][site:wiki.mozilla.org] → [site:wiki.mozilla.org]
Group: websites-security
You need to log in before you can comment on or make changes to this bug.