
Ex:SemanticForms - Stored XSS in CreateForm + hostile template
Closed, Resolved · Public


  1. Use Special:CreateTemplate to create a template
  2. Add "<script>alert(1);</script>" to the Field name.
  3. Go to Special:CreateForm, and add the template to the form
  4. Script is executed

It looks like Special:CreateTemplate can be called by anyone.

The Special:CreateForm post to add the template doesn't check the CSRF token, so it can be submitted for a user via CSRF.
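The report names two distinct defects in the form-building flow: template field names (attacker-controlled wikitext) are written into the CreateForm page without escaping, and the POST that adds a template is accepted without an edit-token check. The following is an added illustration of how a MediaWiki special page guards against both; it is not SemanticForms' code or the patch referenced in this task. The class name `SpecialFormBuilderExample`, the page name `FormBuilderExample`, the request parameter `template_name` and the stub `getTemplateFieldNames()` are all hypothetical; the MediaWiki calls used (`Html::element`, `Html::hidden`, `User::getEditToken`, `User::matchEditToken`, `WebRequest::wasPosted`) are real core APIs.

```php
<?php
// Added illustration, not the SemanticForms fix. Hypothetical special page
// that renders template field names into a form editor and accepts the
// "add template" POST, showing the two controls the task report implies:
// output escaping for stored XSS and an edit-token check for CSRF.

class SpecialFormBuilderExample extends SpecialPage {

    public function __construct() {
        parent::__construct( 'FormBuilderExample' ); // hypothetical page name
    }

    public function execute( $par ) {
        $this->setHeaders();
        $request = $this->getRequest();
        $out = $this->getOutput();
        $user = $this->getUser();

        if ( $request->wasPosted() ) {
            // CSRF control: a state-changing POST must carry the caller's
            // edit token, validated before anything else happens. The task
            // notes that the original "add template" POST skipped this, so
            // a third-party page could submit it on a logged-in user's behalf.
            if ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
                $out->addWikiMsg( 'sessionfailure' );
                return;
            }
            $templateName = $request->getText( 'template_name' ); // hypothetical param
            $out->addHTML( $this->renderTemplateFields( $templateName ) );
            return;
        }

        $out->addHTML( $this->renderAddTemplateForm( $user->getEditToken() ) );
    }

    private function renderAddTemplateForm( $token ) {
        // The hidden wpEditToken field is what matchEditToken() compares against.
        return Html::openElement( 'form', [
                'method' => 'post',
                'action' => $this->getPageTitle()->getLocalURL(),
            ] )
            . Html::hidden( 'wpEditToken', $token )
            . Html::element( 'label', [ 'for' => 'template_name' ], 'Template' )
            . Html::input( 'template_name', '', 'text', [ 'id' => 'template_name' ] )
            . Html::submitButton( 'Add template' )
            . Html::closeElement( 'form' );
    }

    private function renderTemplateFields( $templateName ) {
        // XSS control: field names originate in template wikitext that any
        // editor can write, so they are untrusted text. Html::element()
        // HTML-escapes its $text argument, so a field literally named
        // "<script>alert(1);</script>" is displayed, not executed.
        $html = Html::element( 'h3', [], $templateName );
        foreach ( $this->getTemplateFieldNames( $templateName ) as $fieldName ) {
            // Vulnerable pattern, shown for contrast only (do not use):
            //   $html .= "<p>Field: $fieldName</p>";
            $html .= Html::rawElement( 'p', [],
                'Field: ' . Html::element( 'span', [ 'class' => 'fb-field' ], $fieldName )
            );
        }
        return $html;
    }

    private function getTemplateFieldNames( $templateName ) {
        // Hypothetical stand-in for parsing the template page. Constructed
        // sample values: the second one mirrors the payload from the report.
        return [ 'Title', '<script>alert(1);</script>' ];
    }
}
```

The two controls are independent: escaping alone would still leave the form submittable cross-site, and the token check alone would still render the stored payload to anyone who legitimately adds the hostile template, which is why the report lists them as separate findings.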

Event Timeline

csteipp assigned this task to Yaron_Koren.
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description.
csteipp added a project: acl*security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp added subscribers: csteipp, Grunny.

For some reason I only saw this now. I just checked in a change that I believe fixes this issue. (Not for Special:CreateTemplate - it's not a big deal that it's allowing bad input, since malicious users can just create a bad template directly - but for Special:CreateForm.)

Confirmed it's fixed in master

csteipp added a parent task: Restricted Task. (Aug 7 2015, 6:37 PM)
csteipp added a subscriber: ProgramCeltic.
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)". (Aug 10 2015, 9:58 PM)
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.