Bug 946315
Opened 11 years ago
Closed 11 years ago
plugin vulnerable to xss
Categories
(Developer Engagement :: Mozilla Hacks, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: curtisk, Unassigned)
References
Details
(Keywords: reporter-external, Whiteboard: [site:hacks.mozilla.org][reporter-external])
Attachments
(1 file)
45.54 KB, image/png
Received: by 10.50.140.5 with HTTP; Wed, 4 Dec 2013 09:21:42 -0800 (PST)
Date: Wed, 4 Dec 2013 22:51:42 +0530
Subject: Vulnerable Plugin (XSS)
From: prayas kulshrestha <prayas.kulshresth@gmail.com>
To: Mozilla Security <security@mozilla.org>
-----//-----
Hi,
I would like to inform you about the vulnerable plugin that is used in one of the important subdomains of Mozilla, that is, hacks.Mozilla.org.
Below is the screenshot for the same:
<xss.png>
Reference link for confirmation: http://security-sh3ll.blogspot.in/2011/12/google-recaptcha-wordpress-plugin.html
This website even comes up in the Google index; one will use the dork like
Google dork: inurl:rcommentid= error= site:mozilla.org
Result : https://www.google.co.in/search?q=inurl:rcommentid%3D+error%3D&ie=utf-8&oe=utf-8&rls=org.mozilla:en-US:official&client=firefox-a&gws_rd=cr&ei=MGSfUq7fMoWErAfF0oG4Dw#q=inurl:rcommentid%3D+error%3D++site%3Amozilla.org&rls=org.mozilla:en-US%3Aofficial
Thank You
-----
Regards
Prayas Kulshrestha
Flags: sec-bounty?
Reporter
Comment 1•11 years ago
Assigning to Jake; can we get this plugin fixed or removed?
Assignee: nobody → nmaul
Comment 2•11 years ago
While I have updated this plugin in bug 946861, I want to remind the group it was *NOT* an activated plugin on hacks.mozilla.org.
Comment 3•11 years ago
Does not qualify for a bug bounty because this was disabled and there is no evidence (e.g. POC link) the reporter could actually trigger an XSS on the site.
Component: Other → Mozilla Hacks
Flags: sec-bounty? → sec-bounty-
Product: Websites → Mozilla Developer Network
Comment 4•11 years ago
Unsetting myself and closing... seems like this was resolved in the dependent bug? I don't see any reason to keep this open.
Assignee: nmaul → nobody
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 6•9 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•7 years ago
Product: Mozilla Developer Network → Developer Engagement
Updated•6 months ago
Keywords: reporter-external