Received: by 10.66.41.17 with HTTP; Thu, 30 May 2013 07:29:47 -0700 (PDT)
Date: Thu, 30 May 2013 19:59:47 +0530
Subject: Stored XSS in wiki.mozilla.com
From: Siddhesh Gawde <email@example.com>
To: Mozilla Security <firstname.lastname@example.org>
-----//-----
I have found a stored XSS in wiki.mozilla.org.

PoC:
Go to https://wiki.mozilla.org/Calendar:Bugzilla_Keywords,_Whiteboard_Tags,_and_Flags#Keywords_for_help_requests (or any other page).
Go to the edit tab, which is on the right-hand side.
In that, change the first link with the vector (only title links are injectable):
<var onmouseover="prompt(1)">On Mouse Over</var>
Pic: http://gyazo.com/455ac2534114814cd646512063db6c77
Then save the page, then just move the mouse over the "On Mouse Over" text and you will get an alert immediately.
Pic: http://gyazo.com/ca811184e8c96297e4598f874f9d6237
As this vector is stored in the page it is stored XSS. There is no other protection; any registered user can make changes to the source code of the site.
Thank you!
assigned to pauljt to verify
Assignee: nobody → ptheriault
Confirmed on https://wiki.allizom.org/Testing/fakepage#title
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [site:wiki.mozilla.org][verif?] → [site:wiki.mozilla.org]
5 years ago
Assignee: ptheriault → nobody
Whiteboard: [site:wiki.mozilla.org] → [site:wiki.mozilla.org][reporter-external]
wiki.mozilla.org is not one of the eligible bounty sites; wikis are unfortunately made to be defaced.
Flags: sec-bounty? → sec-bounty-
Keywords: sec-critical → sec-high, wsec-xss
Don't we attempt to filter out JS from any inputted HTML? Where are we going wrong?

Gerv
The JS was getting filtered in the sub-paragraph; only the title was injectable.
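The exchange above describes the classic sanitizer gap: script elements are stripped, but an inline event handler on an otherwise harmless tag is passed through in one context (the title) that the filter does not cover. The following is an added example, not MediaWiki or SemanticHTML code; the tag and attribute allowlists, the function names and the sample fragments are assumptions made here for illustration. It shows a naive filter that reproduces the failure beside an allowlist filter that removes the reported vector, plus a small check that lists inline handlers in a saved fragment.

```javascript
// Added example (not MediaWiki or SemanticHTML code): two tag-level HTML
// sanitizers side by side, plus a check for the class of payload reported in
// this bug. The naive one strips <script> only, so an inline event handler on
// a harmless tag such as <var> survives. The allowlist one keeps only known
// tags and attributes, drops every on* attribute, and drops any href/src whose
// scheme is not on the allowlist. Allowlists below are assumed for this example.

// Matches one opening, closing or self-closing tag; group 1 is the tag name,
// group 2 the raw attribute text.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
// Matches one attribute inside the raw attribute text; groups 2..4 hold the
// value for double-quoted, single-quoted and bare values respectively.
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Naive filter: the failure mode in this bug. Script elements go; everything
// else, including onmouseover="...", is passed through untouched.
function naiveSanitize(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Allowlists (assumed for this example; a real wiki's lists are larger).
const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "var", "code", "p", "br", "span"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]), span: new Set(["class"]) };
// Only these URL shapes are accepted for href/src. "javascript:" and any
// obfuscated spelling of it fail simply because they are not on the list.
const SAFE_URL_RE = /^(?:https?:|mailto:|\/|#)/i;

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function allowlistSanitize(html) {
  return html.replace(TAG_RE, (whole, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return escapeText(whole); // unknown tag becomes text
    if (whole.startsWith("</")) return `</${tag}>`;       // closing tags carry no attributes
    const kept = [];
    for (const m of rawAttrs.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      const value = m[2] || m[3] || m[4] || "";
      if (attr.startsWith("on")) continue;                        // inline event handler
      if (!(ALLOWED_ATTRS[tag] && ALLOWED_ATTRS[tag].has(attr))) continue;
      if ((attr === "href" || attr === "src") && !SAFE_URL_RE.test(value.trim())) continue;
      kept.push(`${attr}="${value.replace(/"/g, "&quot;")}"`);
    }
    return `<${tag}${kept.length ? " " + kept.join(" ") : ""}>`;
  });
}

// Check: list every inline event handler in a fragment as "tag.attribute".
// Run over saved page source, it flags exactly the vector from the report.
function findInlineHandlers(html) {
  const found = [];
  for (const t of html.matchAll(TAG_RE)) {
    for (const a of t[2].matchAll(ATTR_RE)) {
      const attr = a[1].toLowerCase();
      if (attr.startsWith("on")) found.push(`${t[1].toLowerCase()}.${attr}`);
    }
  }
  return found;
}

// Constructed sample input: the vector from the report plus two other cases.
const REPORTED_VECTOR = '<var onmouseover="prompt(1)">On Mouse Over</var>';
const SAMPLES = [
  REPORTED_VECTOR,
  '<a href="javascript:alert(1)" title="x">link</a>',
  "<script>alert(1)</script><b>bold</b>",
];

for (const s of SAMPLES) {
  console.log("input:     ", s);
  console.log("naive:     ", naiveSanitize(s));
  console.log("allowlist: ", allowlistSanitize(s));
  console.log("handlers:  ", findInlineHandlers(s));
}
```

The design point is that the allowlist sanitizer never asks "is this attribute dangerous?"; it asks "is this attribute on the list for this tag?", so an event handler, or a scheme the author did not anticipate, is dropped by default rather than needing its own denylist entry. The same rule has to apply in every place user HTML is rendered, which is exactly what the title context here was missing.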
5 years ago
Duplicate of this bug: 902963
This seems like a bug that should be filed upstream. I can still reproduce this on our current version of MediaWiki.
Thanks for the report! This is the first time I've seen this. This isn't in core, so I'll need to dig through all the extensions you have to see which one is causing this. I just requested an account on allizom so I can see the reproduction, in case anyone here is able to help with that?
(In reply to csteipp from comment #9)
> Thanks for the report! This is the first time I've seen this.
>
> This isn't in core, so I'll need to dig through all the extensions you have
> to see which one is causing this. I just requested an account on allizom so
> I can see the reproduction, in case anyone here is able to help with that?

Account approved on stage. FWIW, dev is at a different URL and will require a separate account confirmation. However, you can skip all the biographical data this time. :)
Any progress on tracking this down?
This is no longer reproducible. We removed the SemanticHTML extension in February that very likely could have been the source for this, and which has long been known to be insecure.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Depends on: 1133359
Resolution: --- → FIXED