Possible XSS vulnerability
When it occurs
The cross-site scripting vulnerability occurs when a fixed bug is listed on mojang.com's blog. If the summary of the issue contains angle brackets (< >), they are not properly escaped and can result in unexpected HTML tags.
What is cross-site scripting (XSS)?
Why this could be invalid
I do not know if the list of fixed bugs is generated via a template (etc), so I do not know if any code needs to be fixed, or if a human wrote the whole list of bugs and made a mistake.
If the angle brackets were simply someone forgetting to escape the angle brackets, please close this as Invalid – and I advise you to be more cautious in the future.
How I discovered this
I originally discovered this when I read the 1.10-pre1 blog post, in which MC-102575 was listed as fixed.

Notice that the angle brackets and the text in between are not present.

How this could be exploited
This vulnerability isn't very simple to exploit, as the injected code would have to be in the summary of a bug, which would look incredibly suspicious. However, one could file a valid bug with a normal summary, then edit the summary to include the malicious code right before it appears on the website – before anyone notices the fishy title. Seeing as the time at which snapshots are released is fairly predictable, this wouldn't be too hard to execute.
How this could be fixed
I don't know what language mojang.com is written in, but in all cases, the summary of the bug should be escaped. The example below uses PHP:
$text = filter_var($text, FILTER_SANITIZE_SPECIAL_CHARS);
This code properly escapes the variable called $text.
TL;DR
The summary of a bug, when it appears on the mojang.com website, is not properly escaped. This can cause angle brackets to be turned into HTML tags.
Thanks for reading, and hope this gets fixed soon
From WEB-533:
Example:
The "tags" of the summary of MC-106842
Target selector stops parsing its arguments if an entry is not <argument>=<value>
are taken unescaped in the bug list of https://mojang.com/2016/09/minecraft-snapshot-16w38a/
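
Added example (not part of the report and not mojang.com's code): a Python sketch that renders a fixed-bug list with and without escaping, using the MC-106842 summary quoted above, then parses both results to show which tags a browser-style parser sees. The list markup, the function names and the `ul`/`li` allowlist are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# Summary quoted on this page (MC-106842); the list markup is an assumption.
FIXED = [("MC-106842",
          "Target selector stops parsing its arguments if an entry is not <argument>=<value>")]

def render_unescaped(bugs):
    """The flawed behaviour: summaries are pasted into the markup as-is."""
    items = "".join(f"<li>{key} - {summary}</li>" for key, summary in bugs)
    return f"<ul>{items}</ul>"

def render_escaped(bugs):
    """The fix: escape every key and summary before it enters the markup."""
    items = "".join(
        f"<li>{html.escape(key)} - {html.escape(summary, quote=True)}</li>"
        for key, summary in bugs)
    return f"<ul>{items}</ul>"

class _Audit(HTMLParser):
    """Collects the start tags and visible text an HTML parser sees."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
    def handle_data(self, data):
        self.text.append(data)

def audit(markup, allowed=("ul", "li")):
    """Return (unexpected_tags, visible_text) for a rendered fragment."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    unexpected = [t for t in parser.tags if t not in allowed]
    return unexpected, "".join(parser.text)

if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        extra, text = audit(render(FIXED))
        print(render.__name__, "unexpected tags:", extra)
        print("  visible text:", text)
```

In the unescaped output the parser reports `argument` and `value` as tags and the visible text ends in "is not =", which matches the missing text the report describes; the escaped output keeps the full summary as text.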
