Bug 878214 - stored xss in Wiki.m.o
Status: RESOLVED FIXED (Closed)
Opened 11 years ago, closed 9 years ago
Product/Component: Websites :: wiki.mozilla.org (defect)
Tracking: Not tracked
Reporter: curtisk; Assignee: Unassigned
Keywords: sec-high, wsec-xss
Whiteboard: [site:wiki.mozilla.org][reporter-external]
Received: by 10.66.41.17 with HTTP; Thu, 30 May 2013 07:29:47 -0700 (PDT)
Date: Thu, 30 May 2013 19:59:47 +0530
Subject: Stored XSS in wiki.mozilla.com
From: Siddhesh Gawde <coolsiddheshgawade@gmail.com>
To: Mozilla Security <security@mozilla.org>
-----//-----
I have found a Stored XSS in wiki.mozilla.org

PoC:
Go to --> https://wiki.mozilla.org/Calendar:Bugzilla_Keywords,_Whiteboard_Tags,_and_Flags#Keywords_for_help_requests (or any other page)
Go to the edit tab, which is on the right hand side.
In that, change the first link with the vector (only title links are injectable):
<var onmouseover="prompt(1)">On Mouse Over</var>
Pic: http://gyazo.com/455ac2534114814cd646512063db6c77
Then save the page, then just move the mouse over the "On Mouse Over" text and you will get an alert immediately.
Pic: http://gyazo.com/ca811184e8c96297e4598f874f9d6237
As this vector is stored in the page it is stored XSS. There is no other protection, any registered user can make changes to the source code of the site.
Thank you!
Comment 1•11 years ago
assigned to pauljt to verify
Assignee: nobody → ptheriault
Whiteboard: [site:wiki.mozilla.org][verif?]
Comment 2•11 years ago
Confirmed on https://wiki.allizom.org/Testing/fakepage#title
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•11 years ago
Keywords: sec-critical
Whiteboard: [site:wiki.mozilla.org][verif?] → [site:wiki.mozilla.org]
Updated•11 years ago
Assignee: ptheriault → nobody
Flags: sec-bounty?
Whiteboard: [site:wiki.mozilla.org] → [site:wiki.mozilla.org][reporter-external]
Comment 3•11 years ago
wiki.mozilla.org is not one of the eligible bounty sites, Wikis are unfortunately made to be defaced.
Flags: sec-bounty? → sec-bounty-
Comment 4•11 years ago
Don't we attempt to filter out JS from any inputted HTML? Where are we going wrong? Gerv
The JS was getting filtered in the sub paragraph, only the title was injectable.
Comment 8•10 years ago
This seems like a bug that should be filed upstream. I can still reproduce this on our current version of MediaWiki.
Comment 9•10 years ago
Thanks for the report! This is the first time I've seen this. This isn't in core, so I'll need to dig through all the extensions you have to see which one is causing this. I just requested an account on allizom so I can see the reproduction, in case anyone where is able to help with that?
Comment 10•10 years ago
(In reply to csteipp from comment #9)
> Thanks for the report! This is the first time I've seen this.
>
> This isn't in core, so I'll need to dig through all the extensions you have
> to see which one is causing this. I just requested an account on allizom so
> I can see the reproduction, in case anyone where is able to help with that?

Account approved on stage. FWIW, dev is at a different URL and will require a separate account confirmation. However, you can skip all the biographical data this time. :)
Comment 12•9 years ago
This is no longer reproducible. We removed the SemanticHTML extension in February that very likely could have been the source for this, and which has long been known to be insecure.
Group: websites-security
Status: NEW → RESOLVED
Closed: 9 years ago
Depends on: 1133359
Flags: needinfo?(csteipp)
Resolution: --- → FIXED
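The defensive gap the thread describes (JS filtered in the paragraph body but not in link titles) comes down to a sanitizer that allows an inline tag without stripping its event-handler attributes. The following is an added model of the correct check, not MediaWiki's or the SemanticHTML extension's code; the allow-lists of tags and attributes are assumptions, and the sample input is the vector quoted in the report.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allow-lists for link-title markup (a model, not MediaWiki's own policy).
ALLOWED_TAGS = {"var", "b", "i", "em", "strong", "code"}
ALLOWED_ATTRS = {"class", "title"}


class TitleSanitizer(HTMLParser):
    """Rebuild a fragment keeping only allow-listed tags and attributes.
    Every attribute named on* is dropped on every tag, so an event handler
    such as onmouseover never reaches the stored page even when it rides on
    an otherwise harmless tag like <var>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attribute) pairs removed; worth logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown tag: its name becomes literal text, attributes discarded.
            self.out.append(escape(f"<{tag}>"))
            return
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases attribute names
            if name.startswith("on") or name not in ALLOWED_ATTRS:
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        close = f"</{tag}>"
        self.out.append(close if tag in ALLOWED_TAGS else escape(close))

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize_title(fragment):
    """Return (clean_html, dropped_attributes) for one link-title fragment."""
    parser = TitleSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample: the exact vector quoted in the bug report.
    print(sanitize_title('<var onmouseover="prompt(1)">On Mouse Over</var>'))
```

The `dropped` list doubles as a detection signal: logging it on save flags every edit that tried to store an event handler, even after the handler has been stripped.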