Closed Bug 946315 Opened 11 years ago Closed 11 years ago

plugin vulnerabie to xss

Categories

(Developer Engagement :: Mozilla Hacks, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: curtisk, Unassigned)

References

Details

(Keywords: reporter-external, Whiteboard: [site:hacks.mozilla.org][reporter-external])

Attachments

(1 file)

Attached image xss.png
Received: by 10.50.140.5 with HTTP; Wed, 4 Dec 2013 09:21:42 -0800 (PST) Date: Wed, 4 Dec 2013 22:51:42 +0530 Subject: Vulnerable Plugin (XSS) From: prayas kulshrestha <prayas.kulshresth@gmail.com> To: Mozilla Security <security@mozilla.org> -----//----- Hi, I would like to inform you about the vulnerable plugin is used in one of the important sub domain of the Mozilla that is hacks.Mozilla.org below is the screen shot for the same <xss.png> Reference Link for confirmation : http://security-sh3ll.blogspot.in/2011/12/google-recaptcha-wordpress-plugin.html this website comes even Google index one will use he dork like Google dork: inurl:rcommentid= error= site:mozilla.org Result : https://www.google.co.in/search?q=inurl:rcommentid%3D+error%3D&ie=utf-8&oe=utf-8&rls=org.mozilla:en-US:official&client=firefox-a&gws_rd=cr&ei=MGSfUq7fMoWErAfF0oG4Dw#q=inurl:rcommentid%3D+error%3D++site%3Amozilla.org&rls=org.mozilla:en-US%3Aofficial Thank You ----- Regards Prayas Kulshrestha
Flags: sec-bounty?
assigning to Jake, can we get this plugin fixed or remove?
Assignee: nobody → nmaul
while i have updated this plugin in bug 946861, i want to remind the group it was *NOT* an activated plugin on hacks.mozilla.org.
Does not qualify for a bug bounty because this was disabled and there is no evidence (e.g. POC link) the reporter could actually trigger an XSS on the site.
Component: Other → Mozilla Hacks
Flags: sec-bounty? → sec-bounty-
Product: Websites → Mozilla Developer Network
Unsetting myself and closing... seems like this was resolved in the dependent bug? I don't see any reason to keep this open.
Assignee: nmaul → nobody
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Product: Mozilla Developer Network → Developer Engagement
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: