Bug 966734 - persistent xss in wiki.mozilla.org on svg attachments
Status: Closed (RESOLVED DUPLICATE of bug 767167)
Opened 10 years ago; closed 10 years ago
Categories: Websites :: wiki.mozilla.org, defect
Tracking: Not tracked
People: Reporter: netfuzzerr, Unassigned
Details: Keywords: sec-other
Attachments: 2 files
User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36

Steps to reproduce:

Hi, I have found a persistent XSS vulnerability on https://wiki.mozilla.org/ that allows attackers to steal users' cookies, perform CSRF attacks against the victim's account, or perform phishing attacks. This vulnerability occurs because the page allows SVG attachments that contain "xmlns=http://www.w3.org/1999/xhtml"; the page then renders the content of the XML as HTML, resulting in an XSS vulnerability.

PoC: https://wiki.mozilla.org/images/8/83/File34214.svg

I'm able to reproduce this XSS on Chrome, Firefox and Opera.

Reproduce:
1. While logged in on wiki.mozilla.org, go to https://wiki.mozilla.org/Special:Upload
2. Upload the poc.svg (it's attached to this report).
3. Then click "Upload File".
4. After the file is uploaded, click its name to open it.
5. See the XSS alert.

I'm attaching a screenshot of the vulnerability on Chrome. Also, I wonder if this bug is eligible for a bug bounty?

Cheers, Mario
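A server-side upload check of the kind that would have refused this attachment, added here as an example and not code from the bug report or from MediaWiki: it parses the SVG with the standard library and rejects files that switch into the XHTML namespace (the trigger described above), carry script or foreignObject elements, event-handler attributes, or javascript: URLs. The sample SVGs are constructed for the example, not the PoC file from the report.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XHTML_NS = "http://www.w3.org/1999/xhtml"
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def find_svg_risks(svg_bytes: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected (empty list = passes).

    Only the markup structure is inspected: a file can be well-formed SVG and
    still be refused because a browser would execute part of it.
    In production use defusedxml instead of xml.etree (entity-expansion safety).
    """
    reasons: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        reasons.append(f"root element is {root.tag!r}, not an SVG-namespaced <svg>")
    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")
        ns = ns.lstrip("{")
        # The bug's trigger: content in the XHTML namespace is rendered as HTML.
        if ns == XHTML_NS:
            reasons.append(f"XHTML namespace element <{local}>")
        if local.lower() in ACTIVE_ELEMENTS:
            reasons.append(f"active element <{local}>")
        for attr, value in el.attrib.items():
            aname = attr.rpartition("}")[2].lower()  # drop xlink: and other prefixes
            if aname.startswith("on"):
                reasons.append(f"event handler attribute {aname} on <{local}>")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                reasons.append(f"javascript: URL in href on <{local}>")
    return reasons


# Constructed sample inputs for the example.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
XHTML_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <foreignObject width="10" height="10">
    <body xmlns="http://www.w3.org/1999/xhtml"><script>void 0</script></body>
  </foreignObject>
</svg>"""

if __name__ == "__main__":
    for name, data in (("clean", CLEAN_SVG), ("xhtml", XHTML_SVG)):
        print(name, find_svg_risks(data) or "ok")
```

Rejecting at upload time complements, rather than replaces, serving user attachments from a separate origin or with a restrictive Content-Security-Policy, since a filter only covers the patterns it knows.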
Reporter
Comment 1•10 years ago
Reporter
Updated•10 years ago
Reporter
Comment 2•10 years ago
This bug is supposed to be a duplicate of 767167, but in comment 10 ( https://bugzilla.mozilla.org/show_bug.cgi?id=767167#c10 ), Chris said that the bug is a duplicate of an issue fixed in the MediaWiki release. But as wiki.mozilla.org uses the latest version of MediaWiki and the vulnerability still works, that's why I'm reporting it again.
Comment 3•10 years ago
We'll need to check this, clearly, but if it is a MediaWiki bug then that is where you'd need to progress the matter. As it does not appear to be a Mozilla issue, a bounty would not be applicable.
Reporter
Comment 4•10 years ago
That's what I don't understand. Why doesn't Mozilla pay for issues in third-party apps on their sites? It doesn't matter whether it's third-party or not; the vulnerability puts users at risk. As it's a persistent XSS, the victim doesn't need to go to a specially created URL; they just need to view an attachment or a page that has a hidden iframe to the XSSed wiki attachment.

(In reply to Alison Wheeler [:AlisonW] from comment #3)
> We'll need to check this, clearly, but if it is a MediaWiki bug then that is
> where you'd need to progress the matter. As it does not appear to be a
> Mozilla issue therefore a bounty would not be applicable.
We sometimes pay bounties for open source projects that we use that don't have or can't afford their own bounty program. In this case MediaWiki has their own bounty (http://www.mediawiki.org/wiki/Bounty) and that is the appropriate place to seek one. We don't feel our program should be responsible for every piece of software. I also don't believe we are on the current release of MediaWiki; we'll have to investigate this more to see what is required to fix.
Reporter
Comment 6•10 years ago
It's ok then, I'll report it to them right.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
The issue is confirmed; I'm marking up the bug with the appropriate tags, but marking it bounty- as this is not a qualifying bug.
Updated•10 years ago
Flags: sec-bounty-
Whiteboard: [site:wiki.mozilla.org][reporter-external]
Reporter
Comment 8•10 years ago
Yeah, you're using the latest MediaWiki release. See the source of the page:

"""
<meta name="generator" content="MediaWiki 1.19.11" />
"""

(In reply to Curtis Koenig [:curtisk] from comment #5)
> We sometimes pay bounties for open source projects that we use that don't
> have or can't afford their own bounty program. In this case media wiki has
> their own bounty (http://www.mediawiki.org/wiki/Bounty) and that is the
> appropriate place to seek one. We don't feel our program should be
> responsible for every piece of software.
>
> I also don't believe we are on the current release of MediaWiki, we'll have
> to investigate this more to see what is required to fix.
Comment 9•10 years ago
Adding Chris Steipp from the WMF.
Reporter
Comment 10•10 years ago
btw, the MediaWiki one isn't a "bug bounty", it's more a "feature bounty": people offer bounties to whoever develops something. So, as Mozilla won't pay me anything for this flaw, please don't contact MediaWiki about this flaw yet. I'll sell this vuln to a vuln broker so he can report it to MediaWiki.

(In reply to Curtis Koenig [:curtisk] from comment #7)
> The issue is confirmed, I'm marking up the bug with the appropriate tags,
> but marking it bounty - as this is not a qualifying bug.
Comment 11•10 years ago
Reopening.

(In reply to Mario Gomes from comment #10)
> So, as mozilla won't pay me
> anything by this flaw so please don't contact mediawiki about this flaw yet.
> I'll sell this vuln to a vuln broker to him report it to mediawiki.

Just because you haven't gotten money for reporting the bug doesn't make it invalid.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
Reporter
Comment 12•10 years ago
Yeah, it does. As I said before, I WILL REPORT THIS VULNERABILITY TO MEDIAWIKI BY MYSELF (I WILL SELL IT TO A VULN BROKER SO HE CAN REPORT IT TO MEDIAWIKI). Do anything you want with this bug, just DON'T REPORT IT TO MEDIAWIKI! THAT'S MY FINDING! As Mozilla didn't pay me anything, YOU DON'T HAVE THE RIGHT TO DO SO!

(In reply to Mark A. Hershberger (hexmode) from comment #11)
> Reopening.
>
> (In reply to Mario Gomes from comment #10)
> > So, as mozilla won't pay me
> > anything by this flaw so please don't contact mediawiki about this flaw yet.
> > I'll sell this vuln to a vuln broker to him report it to mediawiki.
>
> Just because you haven't gotten money for reporting the bug doesn't make it
> invalid.
Comment 13•10 years ago
er... Mario, Open Source software is about sharing the wealth and skillsets of those involved; it is not about people making money directly. As such - again - thank you for raising this issue, but we shall do with that information what we choose to. You chose to voluntarily offer the original report. I choose to voluntarily ensure that the MediaWiki folks are aware of (a) this bug, and (b) your attitude to Open Source. Have a nice day.
MediaWiki should be able to deal with this, and we'll update MediaWiki when they fix it. Do you have an upstream bug number for MediaWiki?
Reporter
Comment 15•10 years ago
Yes, I do. See https://bugzilla.wikimedia.org/show_bug.cgi?id=61278.

(In reply to Curtis Koenig [:curtisk] from comment #14)
> media wiki should be able to deal with this and we'll update media-wiki when
> they fix, do you have an upstream bug number for media wiki
Flags: needinfo?(netfuzzerr)
Comment 17•10 years ago
Chris, can I get access to the upstream bug? https://bugzilla.wikimedia.org/show_bug.cgi?id=61278
Flags: needinfo?(csteipp)
Comment 18•10 years ago
(In reply to Gordon P. Hemsley [:GPHemsley] from comment #17)
> Chris, can I get access to the upstream bug?
>
> https://bugzilla.wikimedia.org/show_bug.cgi?id=61278

This upstream bug is just a dupe of another upstream bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=60771

Which makes this a dupe of bug 767167, which has already been fixed by bug 1032351.
Group: websites-security
Status: NEW → RESOLVED
Closed: 10 years ago → 10 years ago
Flags: needinfo?(csteipp)
Resolution: --- → DUPLICATE