Closed Bug 966734 Opened 10 years ago Closed 10 years ago

persistent xss in wiki.mozilla.org on svg attachments

Categories

(Websites :: wiki.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 767167

People

(Reporter: netfuzzerr, Unassigned)

References

()

Details

(Keywords: sec-other)

Attachments

(2 files)

Attached image screenshot.PNG
User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36

Steps to reproduce:

Hi,

I have found a persistent XSS vulnerability on https://wiki.mozilla.org/ that allows attackers to steal users' cookies, perform CSRF attacks against the victim's account, or perform phishing attacks. This vulnerability occurs because the page allows SVG attachments that contain "xmlns=http://www.w3.org/1999/xhtml"; the page will then render the content of the XML as HTML, resulting in an XSS vulnerability.

PoC: https://wiki.mozilla.org/images/8/83/File34214.svg

I'm able to reproduce this XSS on Chrome, Firefox and Opera.

Reproduce:
1. While logged in on wiki.mozilla.org, go to https://wiki.mozilla.org/Special:Upload
2. Upload poc.svg (it's attached to this report).
3. Then click "Upload File".
4. After the file is uploaded, click its name to open it.
5. See the XSS alert.

I'm attaching a screenshot of the vulnerability on Chrome.

Also, I wonder whether this bug is eligible for a bug bounty?

Cheers,
Mario
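The defensive counterpart to the report above is an upload-time allow-list check on SVG attachments. This is an added example, not the page's or MediaWiki's own code; the namespace set, the forbidden element list and the sample SVGs are my own assumptions, constructed for illustration.

```python
"""Reject SVG uploads that would execute or render foreign markup inline."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Namespaces an image-only SVG may legitimately reference (assumed allow-list).
ALLOWED_NS = {SVG_NS, XLINK_NS, "http://www.w3.org/XML/1998/namespace"}
# SVG elements that run script or pull in other documents (assumed deny-list).
FORBIDDEN_SVG_TAGS = {"script", "foreignObject", "use", "animate", "set"}


def split_tag(tag):
    """ElementTree spells qualified names as '{ns}local'; return (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def svg_violations(data: bytes):
    """Return the reasons an upload should be rejected; an empty list means OK."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    reasons = []
    if split_tag(root.tag) != (SVG_NS, "svg"):
        reasons.append(f"root element is not svg:svg but {root.tag}")
    for el in root.iter():
        ns, local = split_tag(el.tag)
        if ns not in ALLOWED_NS:
            # e.g. xmlns="http://www.w3.org/1999/xhtml": the browser treats it as HTML
            reasons.append(f"foreign namespace element <{local}> in {ns!r}")
        elif local in FORBIDDEN_SVG_TAGS:
            reasons.append(f"active SVG element <{local}>")
        for attr, value in el.attrib.items():
            _, alocal = split_tag(attr)
            if alocal.lower().startswith("on"):
                reasons.append(f"event handler attribute {alocal} on <{local}>")
            if alocal == "href" and value.strip().lower().startswith(("javascript:", "data:")):
                reasons.append(f"scriptable href on <{local}>")
    return reasons


# Constructed samples: a plain drawing, and an SVG that embeds XHTML content.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
XHTML_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script>'
             b'<foreignObject><p xmlns="http://www.w3.org/1999/xhtml">x</p></foreignObject></svg>')
```

Serving accepted files with `Content-Disposition: attachment` or from a separate cookie-less domain is the usual second layer, since an allow-list parser can still be bypassed by parser differentials.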
Attached image poc.svg
This bug is supposed to be a duplicate of 767167, but in comment 10 ( https://bugzilla.mozilla.org/show_bug.cgi?id=767167#c10 ), Chris said that the bug is a duplicate of an issue fixed in the MediaWiki release. But, as wiki.mozilla.org uses the latest version of MediaWiki and the vulnerability is still working, that's why I'm reporting it again.
We'll need to check this, clearly, but if it is a MediaWiki bug then that is where you'd need to progress the matter. As it does not appear to be a Mozilla issue, a bounty would not be applicable.
That's what I don't understand. Why doesn't Mozilla pay for issues in third-party apps on their sites? It doesn't matter whether it's third-party or not; the vulnerability puts users at risk. As it's a persistent XSS, the victim doesn't need to go to a specially crafted URL; they just need to view an attachment, or a page that has a hidden iframe to the XSSed wiki attachment.

(In reply to Alison Wheeler [:AlisonW] from comment #3)
> We'll need to check this, clearly, but if it is a MediaWIki bug then that is
> where you'd need to progress the matter. As it does not appear to be a
> Mozilla issue therefore a bounty would not be applicable.
We sometimes pay bounties for open source projects that we use that don't have or can't afford their own bounty program. In this case MediaWiki has their own bounty (http://www.mediawiki.org/wiki/Bounty) and that is the appropriate place to seek one. We don't feel our program should be responsible for every piece of software.

I also don't believe we are on the current release of MediaWiki, we'll have to investigate this more to see what is required to fix.
It's OK then, I'll report it to them right.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
The issue is confirmed, I'm marking up the bug with the appropriate tags, but marking it bounty - as this is not a qualifying bug.
Flags: sec-bounty-
Whiteboard: [site:wiki.mozilla.org][reporter-external]
Yeah, you're using the latest MediaWiki release.
See the page source:

"""	<meta name="generator" content="MediaWiki 1.19.11" /> """


(In reply to Curtis Koenig [:curtisk] from comment #5)
> We sometimes pay bounties for open source projects that we use that don't
> have or can't afford their own bounty program. In this case media wiki has
> their own bounty (http://www.mediawiki.org/wiki/Bounty) and that is the
> appropriate place to seek one. We don't feel our program should be
> responsible for every piece of software.
> 
> I also don't believe we are on the current release of MediaWiki, we'll have
> to investigate this more to see what is required to fix.
Whiteboard: [site:wiki.mozilla.org][reporter-external]
Adding Chris Steipp from the WMF.
btw, the MediaWiki one isn't a "bug bounty", it's more a "feature bounty": people give bounties to whoever develops something. So, as Mozilla won't pay me anything for this flaw, please don't contact MediaWiki about this flaw yet. I'll sell this vuln to a vuln broker so he can report it to MediaWiki.

(In reply to Curtis Koenig [:curtisk] from comment #7)
> The issue is confirmed, I'm marking up the bug with the appropriate tags,
> but marking it bounty - as this is not a qualifying bug.
Reopening.

(In reply to Mario Gomes from comment #10)
> So, as mozilla won't pay me
> anything by this flaw so please don't contact mediawiki about this flaw yet.
> I'll sell this vuln to a vuln broker to him report it to mediawiki.

Just because you haven't gotten money for reporting the bug doesn't make it invalid.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
Yeah, it does. As I said before, I WILL REPORT THIS VULNERABILITY TO MEDIAWIKI MYSELF (I WILL SELL IT TO A VULN BROKER SO HE CAN REPORT IT TO MEDIAWIKI).

Do anything you want with this bug, just DON'T REPORT IT TO MEDIAWIKI! THAT'S MY FINDING! As Mozilla didn't pay me anything, YOU DON'T HAVE THE RIGHT TO DO SO!

(In reply to Mark A. Hershberger (hexmode) from comment #11)
> Reopening.
> 
> (In reply to Mario Gomes from comment #10)
> > So, as mozilla won't pay me
> > anything by this flaw so please don't contact mediawiki about this flaw yet.
> > I'll sell this vuln to a vuln broker to him report it to mediawiki.
> 
> Just because you haven't gotten money for reporting the bug doesn't make it
> invalid.
er... Mario, Open Source software is about sharing the wealth and skillsets of those involved; it is not about people making money directly. As such, again, thank you for raising this issue, but we shall do with that information what we choose to.

You chose to voluntarily offer the original report. I choose to voluntarily ensure that the MediaWiki folks are aware of (a) this bug, and (b) your attitude to Open Source. 

Have a nice day.
MediaWiki should be able to deal with this and we'll update MediaWiki when they fix it. Do you have an upstream bug number for MediaWiki?
Status: REOPENED → NEW
Flags: needinfo?(netfuzzerr)
Keywords: sec-other
Yes, I do. See https://bugzilla.wikimedia.org/show_bug.cgi?id=61278.

(In reply to Curtis Koenig [:curtisk] from comment #14)
> media wiki should be able to deal with this and we'll update media-wiki when
> they fix, do you have an upstream bug number for media wiki
Flags: needinfo?(netfuzzerr)
Chris, can I get access to the upstream bug?

https://bugzilla.wikimedia.org/show_bug.cgi?id=61278
Flags: needinfo?(csteipp)
(In reply to Gordon P. Hemsley [:GPHemsley] from comment #17)
> Chris, can I get access to the upstream bug?
> 
> https://bugzilla.wikimedia.org/show_bug.cgi?id=61278

This upstream bug is just a dupe of another upstream:

https://bugzilla.wikimedia.org/show_bug.cgi?id=60771

Which makes this a dupe of bug 767167, which has already been fixed by bug 1032351.
Group: websites-security
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(csteipp)
Resolution: --- → DUPLICATE