Status

RESOLVED FIXED
5 years ago
3 years ago

People

(Reporter: curtisk, Unassigned)

Tracking

unspecified
sec-high, wsec-xss
Bug Flags:
sec-bounty -

Details

(Whiteboard: [site:wiki.mozilla.org][reporter-external])

Received: by 10.66.41.17 with HTTP; Thu, 30 May 2013 07:29:47 -0700 (PDT)
Date: Thu, 30 May 2013 19:59:47 +0530
Subject: Stored XSS in wiki.mozilla.com
From: Siddhesh Gawde <coolsiddheshgawade@gmail.com>
To: Mozilla Security <security@mozilla.org>
-----//-----
I have found a Stored XSS in wiki.mozilla.org

Poc:

Go to-->https://wiki.mozilla.org/Calendar:Bugzilla_Keywords,_Whiteboard_Tags,_and_Flags#Keywords_for_help_requests
(or any other page)
Go to the edit tab, which is on the right hand side
In that, change the first link with the vector (only title links are injectable)

<var onmouseover="prompt(1)">On Mouse Over</var>

Pic: http://gyazo.com/455ac2534114814cd646512063db6c77

Then save the page, then just move the mouse over the "On Mouse Over" text and you will get an alert immediately.
Pic: http://gyazo.com/ca811184e8c96297e4598f874f9d6237

As this vector is stored in the page it is stored XSS.
There is no other protection; any registered user can make changes to the source code of the site.

Thank you!
assigned to pauljt to verify
Assignee: nobody → ptheriault
Whiteboard: [site:wiki.mozilla.org][verif?]
Confirmed on https://wiki.allizom.org/Testing/fakepage#title
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocks: 835501
Keywords: sec-critical
Whiteboard: [site:wiki.mozilla.org][verif?] → [site:wiki.mozilla.org]
Assignee: ptheriault → nobody
Flags: sec-bounty?
Whiteboard: [site:wiki.mozilla.org] → [site:wiki.mozilla.org][reporter-external]
wiki.mozilla.org is not one of the eligible bounty sites; wikis are unfortunately made to be defaced.
Flags: sec-bounty? → sec-bounty-
Keywords: sec-critical → sec-high, wsec-xss
Don't we attempt to filter out JS from any inputted HTML? Where are we going wrong?

Gerv

Comment 5

5 years ago
The JS was getting filtered in the sub paragraph; only the title was injectable.
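The gap described in the report's PoC and in comment 5 (script filtered in paragraph text, but a `<var onmouseover>` surviving in the link title), illustrated as an added example that is not code from this bug thread or from MediaWiki. It contrasts a sanitizer that allowlists tag names only with one that allowlists attributes per tag as well. The allowlists, the regex-based tokenizer and the function names are this example's own assumptions about a small inline context; MediaWiki's real sanitizer is not reproduced here.

```javascript
// Added example, not code from the bug thread or from MediaWiki. It contrasts a
// tag-name-only allowlist (the failure pattern: the tag is "safe" but its
// attributes are copied through) with a tag-plus-attribute allowlist.
// The allowlists, regexes and function names are this example's own assumptions.

// The vector quoted in the report, used here only as sanitizer input.
const REPORTED_PAYLOAD = '<var onmouseover="prompt(1)">On Mouse Over</var>';

// Inline tags a wiki might legitimately allow inside a link title (assumed).
const ALLOWED_TAGS = new Set(['b', 'i', 'var', 'code', 'span']);
// Attributes allowed on those tags: nothing that can carry script or a URL.
const ALLOWED_ATTRS = new Set(['class', 'title']);

// <name attrs> or </name>; anything that does not parse as a tag stays text.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
// name="v", name='v', name=v or a bare name.
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Escape text and attribute values for safe re-serialisation. Entities already
// present in the input are escaped again; acceptable for this demonstration.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Attribute names are lower-cased so ONMOUSEOVER and onmouseover are treated alike.
function parseAttrs(raw) {
  const attrs = [];
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? '' });
  }
  return attrs;
}

// Split markup into text, open-tag and close-tag tokens.
function tokenize(html) {
  const tokens = [];
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    if (m.index > last) tokens.push({ type: 'text', value: html.slice(last, m.index) });
    tokens.push({
      type: m[0].startsWith('</') ? 'close' : 'open',
      name: m[1].toLowerCase(),
      attrs: parseAttrs(m[2]),
      raw: m[0],
    });
    last = m.index + m[0].length;
  }
  if (last < html.length) tokens.push({ type: 'text', value: html.slice(last) });
  return tokens;
}

// Shared serialiser; `attrFilter` decides which attributes survive.
function serialize(html, attrFilter) {
  return tokenize(html).map((t) => {
    if (t.type === 'text') return escapeText(t.value);
    // Disallowed tags are shown as literal text rather than silently dropped.
    if (!ALLOWED_TAGS.has(t.name)) return escapeText(t.raw);
    if (t.type === 'close') return `</${t.name}>`;
    const attrs = t.attrs.filter(attrFilter)
      .map((a) => ` ${a.name}="${escapeText(a.value)}"`).join('');
    return `<${t.name}${attrs}>`;
  }).join('');
}

// The flaw pattern: the tag name is checked, the attributes are not, so an
// on* handler on an otherwise harmless <var> survives.
function sanitizeTagsOnly(html) {
  return serialize(html, () => true);
}

// The fix pattern: attributes must be named in the allowlist too. Event
// handlers, style and URL-bearing attributes never make it through, whatever
// the tag. (If href/src were ever allowed, they would also need a scheme check.)
function sanitize(html) {
  return serialize(html, (a) => ALLOWED_ATTRS.has(a.name));
}

console.log('tags only :', sanitizeTagsOnly(REPORTED_PAYLOAD));
console.log('tags+attrs:', sanitize(REPORTED_PAYLOAD));
```

The second lesson from comment 5 is independent of the allowlist itself: the same `sanitize` call has to run on every output context, link titles included, not only on paragraph bodies, otherwise a correct filter still leaves one injectable path.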
Duplicate of this bug: 902963
This seems like a bug that should be filed upstream. I can still reproduce this on our current version of MediaWiki.

Comment 9

4 years ago
Thanks for the report! This is the first time I've seen this.

This isn't in core, so I'll need to dig through all the extensions you have to see which one is causing this. I just requested an account on allizom so I can see the reproduction, in case anyone here is able to help with that?
(In reply to csteipp from comment #9)
> Thanks for the report! This is the first time I've seen this.
> 
> This isn't in core, so I'll need to dig through all the extensions you have
> to see which one is causing this. I just requested an account on allizom so
> I can see the reproduction, in case anyone here is able to help with that?

Account approved on stage. FWIW, dev is at a different URL and will require a separate account confirmation. However, you can skip all the biographical data this time. :)
Any progress on tracking this down?
Flags: needinfo?(csteipp)
This is no longer reproducible. We removed the SemanticHTML extension in February that very likely could have been the source for this, and which has long been known to be insecure.
Group: websites-security
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Depends on: 1133359
Flags: needinfo?(csteipp)
Resolution: --- → FIXED