Bug 5283

Summary: Security vulnerability impacting 404 Not Found handler code
Product: Infrastructure
Component: Websites
Status: RESOLVED FIXED
Severity: major
Priority: P1
Version: NA
Hardware: All
OS: GNU/Linux
Reporter: Geeknik Labs <geeknik>
Assignee: Nicolas Chauvet <kwizart>
CC: lxtnow, matthias
URL: https://rpmfusion.org/1337"><noscript><p title="</noscript><img src=x onerror=confirm(document.domain)>">
Attachments: XSS

Description Geeknik Labs 2019-06-04 16:43:53 CEST
Created attachment 2050: XSS

Good morning, I hope this message finds you well. We discovered a cross-site scripting (XSS) flaw in the 404 Not Found error handling code on "rpmfusion.org".

This flaw allows attackers to pass rogue JavaScript to unsuspecting users. The user’s browser has no way to know the script should not be trusted, so it will execute the script, and because the browser thinks the script came from a trusted source, aka your website, a malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with your site. These scripts can even rewrite the content of the HTML page.

To demonstrate this on your website, paste everything from the following line into the Firefox web browser and you'll see a harmless JavaScript alert box pop up which contains your domain name:

https://rpmfusion.org/1337"><noscript><p title="</noscript><img src=x onerror=confirm(document.domain)>">

Please see the OWASP XSS Prevention Cheat Sheet located at https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md for further information on remediation.

Thank you.
Comment 1 Nicolas Chauvet 2019-06-04 21:38:18 CEST
Is there a report to the upstream moin project?
Comment 2 Geeknik Labs 2019-06-04 23:17:44 CEST
No, I haven’t made any other reports about this.
Comment 3 Xavier Lamien 2019-06-18 17:09:49 CEST
Hi, so from what I see now, the expected title and img are not showing up from using firefox.
Note that, from a chrome browser or opera, the page is blocked, compared to firefox which filters out the script attack.

Please let me know if that's what you see your side.
Comment 4 Nicolas Chauvet 2019-06-18 17:56:37 CEST
@Xavier,
I confirm that I cannot reproduce with chromium/chrome, but I can still reproduce with firefox-67.0.4 (from fc29)

Is this a firefox issue?
Comment 5 Geeknik Labs 2019-06-18 18:01:02 CEST
No, it is not a Firefox issue. Chromium based browsers have an XSS Auditor built in that blocks certain types of XSS. Mozilla doesn't want to waste their time keeping that kind of code updated and rumor has it that Chromium and Chrome will soon lose the XSS Auditor code as well.
Comment 6 Nicolas Chauvet 2019-07-01 11:04:45 CEST
I think I've fixed the issue in our theme that was caused by a missing escape in one of the functions that was redefined from the base constructor.

I've audited other functions and they all look escaped as appropriate.

Can you confirm that the issue is also fixed on your side?
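An added illustration (not code from the rpmfusion.org theme or from MoinMoin) of the bug class described in the report and in Comment 6: a minimal 404 page that reflects the requested path, first with the escape missing, then with `html.escape` applied, checked against the path from the reported URL. The template and function names are hypothetical.

```python
import html
import re

# Constructed test input: the path from the report's URL, after URL decoding.
REPORTED_PATH = ('1337"><noscript><p title="</noscript>'
                 '<img src=x onerror=confirm(document.domain)>">')


def render_404_vulnerable(path: str) -> str:
    """Hypothetical 404 page that reflects the requested path into an attribute
    and into body text without escaping. Stand-in for the missing escape the
    report describes; not the site's theme code."""
    return f'<p title="{path}">Not found: {path}</p>'


def render_404_fixed(path: str) -> str:
    """Same page with the path HTML-escaped. quote=True also encodes the double
    quote, so the value can neither close the title attribute nor start a tag."""
    safe = html.escape(path, quote=True)
    return f'<p title="{safe}">Not found: {safe}</p>'


def markup_tokens(rendered: str) -> list[str]:
    """Every tag-like token in the output, in order. The template alone
    produces exactly ['<p', '</p']; any other entry came from the path."""
    return re.findall(r'</?[a-zA-Z][^\s>]*', rendered)


def reflected_title(rendered: str) -> str:
    """Value of the first title attribute, entity-decoded as a browser would.
    With correct escaping it round-trips to the original path."""
    m = re.search(r'title="([^"]*)"', rendered)
    return html.unescape(m.group(1)) if m else ""


if __name__ == "__main__":
    for name, render in (("vulnerable", render_404_vulnerable),
                         ("fixed", render_404_fixed)):
        out = render(REPORTED_PATH)
        print(f"{name}: tags={markup_tokens(out)}")
        print(f"{name}: title attribute={reflected_title(out)!r}")
```

In the unescaped output the path closes the title attribute and introduces its own tags (including the `<img>` that carries the event handler); in the escaped output only the template's own `<p>` survives and the attribute value decodes back to the original path.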
Comment 7 Nicolas Chauvet 2019-07-01 16:37:29 CEST
Seems fixed, please re-open if you feel it's not the case.
Thx for the report.