T178451: XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping (CVE-2017-8808)
Flaw
Potential XSS when $wgShowExceptionDetails = false; is set and an exception is encountered. Whether it is exploitable depends on the client used: the browser has to send non-standard URL escaping.
Exploit
Affects
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.20.x, 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
Reference
https://phabricator.wikimedia.org/T178451
T128209: Reflected File Download from api.php (CVE-2017-8809)
Flaw
Exploit
Affects
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
Reference
https://phabricator.wikimedia.org/T128209
T165846: BotPasswords doesn't throttle login attempts
Flaw
When logging in using a Bot Password, login attempts are not rate-limited.
Exploit
A malicious user can repeatedly try to log in via the API using a Bot Password, ignoring any warnings and without any restriction, which makes password guessing a lot easier. With the throttle in place, the number of login attempts a user may make in a period of time is limited.
Affects
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
Reference
https://phabricator.wikimedia.org/T165846
T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password (CVE-2017-8810)
Flaw
On a private wiki, the list of its users is also private. The error messages given upon login with an incorrect password make it possible to distinguish whether a user has an account on the wiki or not.
This information should not be exposed to an anonymous user.
Exploit
A malicious user can easily find out whether the account they are trying to log in as exists on the wiki. Once they know the account exists, they only need to work out the password.
Affects
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
Reference
https://phabricator.wikimedia.org/T134100
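The two login issues above (T165846 and T134100) come down to the same server-side routine: every password check, whether through the login form, the API or a Bot Password, has to be counted against a throttle, and the failure response must not depend on whether the account exists. The following is an added Python example illustrating both; it is not MediaWiki's code. The user table, the throttle window and the (username, client IP) throttle key are assumptions for the illustration (the window list is shaped like MediaWiki's $wgPasswordAttemptThrottle setting, but the values are made up).

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed user table for this example: username -> PBKDF2 hash.
# Illustrative only; this is not MediaWiki's password storage format.
_SALT = b"example-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"alice": _hash("correct horse battery staple")}

# Checked when the username does not exist, so a failed login does the same
# work (and takes about the same time) whether or not the account is real.
_DUMMY_HASH = _hash("not-a-real-password")

# Throttle windows in the shape of $wgPasswordAttemptThrottle: reaching the
# failure count inside any window blocks further attempts for that key.
# The values are made up for this example.
THROTTLE = [{"count": 5, "seconds": 300}]


def leaky_login(username: str, password: str) -> str:
    """Pre-fix behaviour on a private wiki: the error text says whether the
    account exists, so an anonymous attacker can enumerate users."""
    if username not in USERS:
        return "no-such-user"
    if not hmac.compare_digest(_hash(password), USERS[username]):
        return "wrong-password"
    return "ok"


class Authenticator:
    """Login with a failure throttle and a single, uniform failure message."""

    def __init__(self, throttle=THROTTLE, clock=time.monotonic):
        self.throttle = throttle
        self.clock = clock
        # (username, client_ip) -> timestamps of failed attempts
        self._failures = defaultdict(list)

    def _is_throttled(self, key) -> bool:
        now = self.clock()
        for window in self.throttle:
            recent = [t for t in self._failures[key] if now - t < window["seconds"]]
            if len(recent) >= window["count"]:
                return True
        return False

    def login(self, username: str, password: str, client_ip: str) -> str:
        key = (username, client_ip)
        # Throttle every login path (form, API, Bot Password) before the
        # password is examined. Unknown usernames are throttled too, so the
        # throttle itself does not reveal which accounts exist.
        if self._is_throttled(key):
            return "throttled"
        stored = USERS.get(username, _DUMMY_HASH)
        ok = hmac.compare_digest(_hash(password), stored)
        if ok and username in USERS:
            self._failures.pop(key, None)
            return "ok"
        self._failures[key].append(self.clock())
        return "wrong-credentials"  # same answer for bad user and bad password
```

Two details matter beyond the obvious ones: the dummy hash keeps the timing of the "no such user" path in line with a real password check, and failures for non-existent usernames are counted as well, because a throttle that only ever triggers for real accounts would be a new enumeration oracle.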
T176247: It's possible to mangle HTML via raw message parameter expansion (CVE-2017-8811)
Flaw
When $wgExperimentalHtmlIds is set to true (false by default), certain characters in section IDs don't get percent encoded, including $ which is used for parameter substitution.
Exploit
It is possible to combine this with raw localization message parameter expansion to create malformed HTML. While escalation to full-blown XSS hasn't been demonstrated so far, it remains a possibility.
Affects
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
Reference
https://phabricator.wikimedia.org/T176247
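What makes an unencoded $ in a section ID dangerous is how $1, $2, ... placeholders are filled in: if a message's parameters are substituted one after another, the text inserted for $1 is scanned again when $2 is replaced, so a $2 that arrived inside a section ID is expanded as if it were part of the message. The following added Python example (not MediaWiki's code) shows that with a constructed message template, next to a single-pass substitution that does not re-scan. The template, the section-ID generator and its percent-encoding are assumptions for the illustration; the exact encoding MediaWiki applies to IDs is not reproduced.

```python
import re
from urllib.parse import quote

# Constructed message template in MediaWiki's $N placeholder style: $1 is a
# section anchor, $2 a raw-HTML parameter. Not MediaWiki's own message text.
TEMPLATE = '<a href="#$1">$2</a>'


def section_id(heading: str, experimental: bool) -> str:
    """Illustrative section-ID generator. With experimental=True the '$' is
    left as-is, mirroring what the advisory describes for
    $wgExperimentalHtmlIds; otherwise everything outside [A-Za-z0-9_.~-] is
    percent-encoded (an assumed scheme, not MediaWiki's)."""
    ident = heading.strip().replace(" ", "_")
    return ident if experimental else quote(ident, safe="")


def expand_sequential(template: str, params: list) -> str:
    """Vulnerable: substitutes $1, then $2, ... in turn. Text inserted for an
    earlier parameter is re-scanned, so a '$2' inside the value of $1 is
    expanded as though it were part of the template."""
    out = template
    for n, value in enumerate(params, start=1):
        out = out.replace("$%d" % n, value)
    return out


def expand_single_pass(template: str, params: list) -> str:
    """Hardened: one pass over the template with a callback, so placeholders
    are only recognised in the template itself, never in parameter values.
    Unknown placeholder numbers are left untouched."""
    def repl(match):
        n = int(match.group(1))
        return params[n - 1] if 0 < n <= len(params) else match.group(0)
    return re.sub(r"\$(\d+)", repl, template)
```

Either fix on its own closes this particular hole (encode the $ in the ID, or stop re-scanning substituted text); the single-pass form is the one worth keeping regardless, since a sequential replace of "$1" also corrupts a legitimate "$10" placeholder.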
T125163: id attribute on headlines allow raw > [Possible issue in combination with language converter] (CVE-2017-8812)
Flaw
A wiki page with a header containing > may, in certain (non-default) configurations, generate a span whose id attribute contains a raw >. This in itself is not an issue, but people sometimes try to parse the resulting HTML using regular expressions instead of a proper HTML parser, and in such cases this can lead to XSS. As a hardening measure against consumers that do this, we no longer allow raw > in quoted attributes.
Affects
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
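The hardening matters because of a parser differential: a regex-based consumer ends a tag at the first > it meets, while a real HTML parser knows that the > is still inside a quoted attribute value, so the two disagree about where the tag ends and what is text. The following added Python example (not MediaWiki's code) renders a headline span with and without a raw > in the id and feeds both to both kinds of consumer. The span markup and the way the id is derived from the heading are simplifications assumed for the illustration.

```python
import html
import re
from html.parser import HTMLParser


def headline_span(heading: str, raw_gt_in_id: bool) -> str:
    """Illustrative headline renderer. The id is derived from the heading
    text. With raw_gt_in_id=True, '>' is left unencoded inside the quoted id
    (the pre-fix behaviour the advisory describes) while &, < and " are still
    encoded; with False, '>' is encoded as &gt; like any other attribute
    value. The id scheme is a simplification, not MediaWiki's."""
    ident = heading.strip().replace(" ", "_")
    if raw_gt_in_id:
        ident = ident.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
    else:
        ident = html.escape(ident, quote=True)
    return '<span class="mw-headline" id="%s">%s</span>' % (ident, html.escape(heading))


def tags_by_regex(fragment: str) -> list:
    """What a regex-based consumer sees: every tag ends at the first '>'.
    Anything after a '>' inside an attribute value is taken for text."""
    return re.findall(r"<[^>]*>", fragment)


def start_tags_by_parser(fragment: str) -> list:
    """What a real HTML parser sees: (tag, attributes) for each start tag,
    with a '>' inside a quoted attribute value kept as part of the value."""
    found = []

    class Collector(HTMLParser):
        def handle_starttag(self, tag, attrs):
            found.append((tag, dict(attrs)))

    Collector().feed(fragment)
    return found
```

With the raw > the regex consumer believes the tag is `<span class="mw-headline" id="a>` and treats the remainder of the id as page text, which is the situation in which a regex-based filter can be talked into passing something a browser will interpret differently; with &gt; in the id both consumers agree, and the parser still reports the same decoded id value.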
T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814)
Flaw
Stored XSS: Language converter splits the page into components to convert based on a regular expression. Certain input can cause the regex to backtrack excessively. If the backtracking exceeds pcre.backtrack_limit, then it is possible to inject html due to incorrect splitting into translation components.
Exploit
Set $wgLanguageCode = 'sr'; in LocalSettings.php
set pcre.backtrack_limit = 10 in php.ini
Put the following in a page
-{H|big=>sr-el:script}- foo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX <big>alert(1)</big>
View page, with url parameter variant=sr-el
Affects
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
T119158: Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815)
Flaw
In certain code paths, language converter glossary rules are expanded inside attributes. This can lead to XSS on wikis that have the language converter enabled.
Exploit
Assuming you have an image named example.png uploaded to your wiki.
Set $wgLanguageCode = 'sr';
Put on a page
-{H|abc=>sr-el:" onfocus="alert(1)" onload="alert(2)" data-foo="}- {{special:Contributions|target=-{}-abc-{}-}} [[File:Example.png|100px|alt=-{n}-abc-{}-]]
visit the page with the url parameter variant=sr-el set.
Affects
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
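The attribute injection above comes from the order of two transformations: the attribute value (here the image alt text) is HTML-escaped first and the language converter runs afterwards, so whatever the glossary rule expands abc into lands inside the attribute unescaped, quotes included. The following added Python example (not MediaWiki's code) reduces the converter to a dictionary lookup and shows the vulnerable ordering next to the corrected one. The glossary dict, the rendering functions and the sample alt text are assumptions for the illustration; the -{}- markers used in the advisory's payload to isolate the term are omitted.

```python
import html
import re

# Constructed glossary for the sr-el variant: the single rule
# -{H|abc=>sr-el:...}- from the advisory, reduced to a dict.
GLOSSARY = {
    "abc": '" onfocus="alert(1)" onload="alert(2)" data-foo="',
}


def convert(text: str, glossary: dict) -> str:
    """Minimal stand-in for glossary conversion: replace every occurrence of
    a source term with its target, longest term first."""
    terms = sorted(glossary, key=len, reverse=True)
    pattern = "|".join(re.escape(t) for t in terms)
    return re.sub(pattern, lambda m: glossary[m.group(0)], text)


def render_alt_vulnerable(alt: str, glossary: dict) -> str:
    """Escape, then convert: the converted text is inserted into the
    attribute without escaping, so quotes in the glossary target close
    alt="..." early and everything after them becomes new attributes."""
    escaped = html.escape(alt, quote=True)
    return '<img src="Example.png" alt="%s">' % convert(escaped, glossary)


def render_alt_fixed(alt: str, glossary: dict) -> str:
    """Convert first, then escape the final value for the attribute context,
    so the glossary target can only ever be attribute text."""
    converted = convert(alt, glossary)
    return '<img src="Example.png" alt="%s">' % html.escape(converted, quote=True)
```

The rule generalises past this one attribute: any transformation that can introduce markup-significant characters (conversion, template expansion, message substitution) has to run before the context-specific escaping, never after it, and the escaping has to be the last step before the value is written out.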