Why don't you comment here?
assigned to paultjt for verification https://wiki.mozilla.org/Security/Web_Bug_Rotation#Web_Bug_Verification
Assignee: jypenator → ptheriault
I'm having trouble reproducing this on developer.allizom.org. There definitely seems to be some kind of injection here, but I am not seeing the script injection. I do however seem to be seeing the <meta> tag injection, but the load is getting denied due to X-Frame-Options. Muhammed, from your description, it sounds like you are only able to XSS yourself, if I understand you correctly - i.e. you enter malicious HTML, and it gets rendered straight away, but only against yourself. Is the malicious script actually stored in the edited page? (i.e. can you get the XSS to be stored, such that you can then send an MDN link to another person to a page that contains the malicious script?) If you have seen it stored, could you send me a link to such a page? I'm continuing to investigate and I'll post more when I know more.
Thanks for the update, Muhammed. You are right that it would be better if the editor didn't render entered script - I don't think it is too serious an issue, but it would be nice to fix. I suspect though that this is just a fckeditor issue, and we would be reliant on a fix in the upstream code. As for bypassing the filtering with <meta>, I think this is intended, since editors need to be able to insert redirects when pages are renamed (so that the user automatically gets forwarded to the new page). Since we sanitize the URL, and make sure that the redirect is always on developer.mozilla.org, I don't think this is exploitable at the moment. If however you found a way to bypass the sanitization of the URL parameter to the meta tag so that you could inject a script URL, this would definitely be an issue (might be an area to do more research in if you are interested). Thanks for your help either way though.
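The check described in the comment above (sanitize the URL so that a <meta> redirect always stays on developer.mozilla.org), sketched as an added example. It is not part of the original thread and not MDN's actual code; the function names, the rooted-relative-path rule and the sample inputs are assumptions.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOST = "developer.mozilla.org"  # host named in the comment above

# content="<seconds>; url=<target>" -- separator, case and quoting vary
_REFRESH = re.compile(r"^\s*\d+\s*[;,]\s*url\s*=\s*(.*)$", re.I | re.S)


def refresh_target(content):
    """Return the URL part of a meta refresh content value, or None."""
    m = _REFRESH.match(content)
    if not m:
        return None
    return m.group(1).strip().strip("'\"").strip()


def is_safe_refresh(content, allowed_host=ALLOWED_HOST):
    """True only if the redirect target stays on allowed_host (hypothetical helper)."""
    url = refresh_target(content)
    if not url:
        return False
    # Browsers drop tab/CR/LF inside a URL and treat "\" like "/", so a
    # parser that does not can be made to disagree with them: reject outright.
    if re.search(r"[\x00-\x20\x7f\\]", url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative target: accept only a rooted path, never "//other-host/".
        return url.startswith("/") and not url.startswith("//")
    # Absolute target: http(s) only, exact host match, no userinfo tricks.
    return (parts.scheme in ("http", "https")
            and host == allowed_host
            and parts.username is None)


if __name__ == "__main__":
    # Constructed sample values, not taken from the bug report.
    for sample in ("0; url=https://developer.mozilla.org/en-US/docs/New",
                   "0; url=javascript:alert(1)",
                   "0; url=//evil.example/",
                   "0; url=https://developer.mozilla.org@evil.example/"):
        print(is_safe_refresh(sample), sample)
```

Matching on the parsed hostname rather than on a string prefix is what keeps look-alike targets such as `developer.mozilla.org.evil.example` or a userinfo-style `developer.mozilla.org@...` from passing.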
Thanks for the reply. Yes! I should do more research on this to exploit it in another way. Don't you have any option to fix this bug? I have a doubt whether this is eligible for a bounty?
Whiteboard: [site:developer.mozilla.org][verif?] → [site:developer.mozilla.org]
Sorry, I didn't get the comment you published, guys :\
developer.mozilla.org is not in scope for the bug bounty at this time.
Flags: sec-bounty? → sec-bounty-
Whiteboard: [site:developer.mozilla.org] → [site:developer.mozilla.org][reporter-external]
But they already said something like: even though some other sites don't come under the bug bounty, we still consider them. So can you check and get back to me? :-(
AFAIK, we only consider bounties for out-of-scope sites in extraordinary cases where it is an interesting/dangerous bug. As this isn't actually an exploitable vulnerability, I don't think it would qualify for such a bounty.
Assignee: jypenator → nobody
Component: HTML → Wiki pages
Product: Developer Documentation → Mozilla Developer Network
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.