Closed Bug 890876 Opened 12 years ago Closed 12 years ago

HTML Inclusion vuln

Categories

(support.mozilla.org :: Forum, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: curtisk, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [site:support.mozilla.org][reporter-external])

Received: by 10.52.26.196 with HTTP; Fri, 5 Jul 2013 02:36:54 -0700 (PDT)
Date: Fri, 5 Jul 2013 15:06:54 +0530
Subject: HTML Inclusion on support.mozilla.org
From: Muhammed Gazzaly <gazblotz@gmail.com>
To: security@mozilla.org
-----//-----
Hi,

I found an HTML Inclusion vuln. on the Mozilla.org support forum. Please fix and let me know whether I'm eligible for a bug bounty :)

URL : https://support.mozilla.org/en-US/questions/964066#answer-453133

Injected code : <img src="imge+path.jpg" >

Thanks in advance :)

--
With Regards
J.M.Gazzaly
confirmed
Flags: sec-bounty?
Whiteboard: [site:webmaker.org][reporter-external]
Whiteboard: [site:webmaker.org][reporter-external] → [site:support.mozilla.org][reporter-external]
Looks like this affects support.mozilla.org, so putting it in that product. cc:ing Ricky so he can see it.
Component: other.mozilla.org → Forum
Product: Websites → support.mozilla.org
The url in the description is no longer there, so it's kind of hard to know what the issue here is.

Further, I'm not entirely sure this is the same issue as bug #890924 which involved the preview. This doesn't seem to involve the image preview. It's possible this bug is the same as the bug we fixed last week (bug #886114).

Curtis: Why'd you mark this as a duplicate?
(In reply to Will Kahn-Greene [:willkg] from comment #4)
> The url in the description is no longer there, so it's kind of hard to know
> what the issue here is.
>
> Further, I'm not entirely sure this is the same issue as bug #890924 which
> involved the preview. This doesn't seem to involve the image preview. It's
> possible this bug is the same as the bug we fixed last week (bug #886114).
>
> Curtis: Why'd you mark this as a duplicate?

I marked another bug as a duplicate, not this bug; 2 different people reported the same thing to sec@ this morning. I will admit comment 0 from the duped bug has better repro steps.

---copied---
Created attachment 772071 [details]
Vectors - Copy.txt

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release)
Build ID: 20130511120803

Steps to reproduce:

Hello,
Simply create a new thread at this url https://support.mozilla.org/en-US/forums/contributors/new, enter any title, and in the body (CONTENT) simply type the following code and click on the Preview button. You will observe that a lot of iframes and external resources are embedded in it (scroll down to see). It means it is HTML injection and can be abused.

Code to paste in Content:
I could not paste the long text here, so I have attached a file called "Vectors - Copy.txt". Simply open it, copy all the code from there and click on the Preview button to see the HTML injection result by scrolling down.

Actual results:
Yes, this is HTML injection and user input is not validated. However, this might be abused in improper and malicious ways.

Expected results:
HTML tags and script tags must be sanitized properly with proper validation and encoding methods to prevent HTML injection.
Wait, I see what you're asking. I marked it as a dupe as I thought they were the same; if I am incorrect then please correct my mistake.
Curtis: Sorry about that. I'm sort of in a fog and my ability to communicate is meh this morning. I'm going to un-dupe bug #890924 now. I think that's a separate issue. There isn't enough data in this one to infer what's going on and the url kicks up a 404. I think we need STR. cc:ing Ricky in case he can infer more.
We allow images in our posts (<img/> is whitelisted). Why is this a security issue?
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
(In reply to Ricky Rosario [:rrosario, :r1cky] from comment #8)
> We allow images in our posts (<img/> is whitelisted). Why is this a security
> issue?

While img tags are allowed, other bugs seem to indicate we may have other tags allowed as well. I agree that this bug appears to be incomplete in terms of repro steps now, so unless we get more data from the reporter, closing this invalid seems the correct course of action.
Flags: sec-bounty?
Flags: needinfo?(rrosario)
Flags: sec-bounty-
Curtis: Why'd you flag needinfo? on Ricky? What's outstanding here?
(In reply to Will Kahn-Greene [:willkg] from comment #10)
> Curtis: Why'd you flag needinfo? on Ricky? What's outstanding here?

Will: I was raising the question of checking to ensure we don't allow other tags (other than the allowed img tag) that could also trigger this vuln. Yes, the reporter used img, which we support, but are other tags that should not be supported allowed, and thus still allowing this vuln to be active? I'm just trying to ensure we cover the bases here.
If you want any info, please tell me. Why did you flag needinfo? iframe and embedded tags are harmful!!! If I can help, let me know.
Flags: needinfo?(rrosario)
(In reply to Mahadev Subedi from comment #12)
> if u want any info , pls tell me , why u flagged need info iframe n embedded
> tags are harmful !!! if I can help let me know

The need-info flag is the indication that we need/want more information, and specifically from whom (in this case, rrosario).
Flags: needinfo?(rrosario)
<img/> tags aren't the only tags we allow. See:
https://github.com/mozilla/kitsune/blob/master/kitsune/sumo/parser.py#L34
and
https://github.com/pcraciunoiu/py-wikimarkup/blob/master/wikimarkup/parser.py#L430

Was there an expectation that HTML wasn't allowed on our wiki?
Flags: needinfo?(rrosario)
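Curtis's question in comment 11 (are tags beyond img allowed?) and Ricky's pointer to the allowlist in parser.py both come down to the same defensive control: a wiki that accepts raw HTML decides what reaches the rendered page by an explicit tag and attribute allowlist. The sanitizer below is an added example written for this bug page; it is not kitsune's or py-wikimarkup's code, and its ALLOWED_TAGS set is a hypothetical one chosen for illustration, not the set those projects actually permit. It keeps the reporter's `<img src="imge+path.jpg">` (img is allowlisted), drops iframe/script/object/embed together with their content, strips event-handler attributes and javascript:/data: URLs, and returns the list of what it removed so the application can log it.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist chosen for this example; it is NOT the set that
# kitsune's parser.py or py-wikimarkup actually permit.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "title"},
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "br": set(),
}
VOID_TAGS = {"img", "br"}
# Elements whose *content* must never reach the page either.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


def url_is_safe(value: str) -> bool:
    """Allow only relative, http or https URLs in href/src attributes.

    Browsers ignore ASCII control characters inside a scheme ("java\\tscript:"),
    so they are removed before the scheme is inspected.
    """
    compact = re.sub(r"[\x00-\x20\x7f]", "", value)
    try:
        scheme = urlsplit(compact).scheme
    except ValueError:
        return False
    return scheme.lower() in ("", "http", "https")


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input, keeping only allowlisted tags and attributes.

    Unknown tags are removed but their text is kept (escaped); tags in
    DROP_WITH_CONTENT are removed together with everything inside them.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # what was removed, for logging/detection
        self._skip_depth = 0   # > 0 while inside a DROP_WITH_CONTENT element
        self._open = []        # emitted tags that are not yet closed

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)
            self._skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        rendered = []
        for name, value in attrs:
            # Unknown attributes (onerror, style, ...) and unsafe URLs are dropped.
            if name not in ALLOWED_TAGS[tag] or value is None:
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in ("href", "src") and not url_is_safe(value):
                self.dropped.append(f"{tag}@{name}")
                continue
            rendered.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth -= 1
            return
        if tag in self._open:   # close back down to the matching open tag
            while self._open:
                top = self._open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

    def result(self) -> str:
        self.close()            # flush text buffered by the parser
        while self._open:       # balance tags the input left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize(markup: str):
    """Return (clean_html, dropped) so callers can both render and log."""
    s = AllowlistSanitizer()
    s.feed(markup)
    return s.result(), s.dropped


if __name__ == "__main__":
    # Constructed inputs: the reporter's img tag from comment 0 plus a few
    # payload shapes a tag allowlist must also handle.
    for sample in [
        '<img src="imge+path.jpg" >',
        '<img src="x" onerror="alert(1)">',
        '<p>Hi <script>evil()</script>there</p><iframe src="https://example.invalid/"></iframe>',
        '<a href="javascript:alert(1)">click</a>',
    ]:
        clean, dropped = sanitize(sample)
        print(f"{sample!r}\n  -> {clean!r}  dropped={dropped}")
```

The `dropped` list is the part worth wiring into the application: a post whose preview strips an iframe or an on* attribute is exactly the kind of event worth logging, even when the rendered result is harmless.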
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security