
Ex:SemanticForms - Stored XSS in template label on Special:FormEdit
Closed, Resolved, Public

Description

  1. Create a form and add a <script> tag in the "Template label (optional):" field
  2. Visit Special:FormEdit/<templatename>/<anypage>
  3. Script executes

Event Timeline

csteipp created this task. Jun 24 2015, 11:47 PM
csteipp updated the task description.
csteipp raised the priority of this task from to Needs Triage.
csteipp assigned this task to Yaron_Koren.
csteipp added a project: Security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp added subscribers: Grunny, Aklapper, csteipp.

Naive patch

dpatrick set Security to None.

For some reason I only saw this now. Thanks for the patch! I just checked in this change.

That was https://gerrit.wikimedia.org/r/#/c/222030

@Yaron_Koren, for future patches on security bugs, it would be great if you could comment here if you think the patch looks good, or needs an improvement. Then we can deploy (secretly) to our cluster before making the patch public in gerrit.

@csteipp - okay, I can do that.

csteipp added a subscriber: mmodell. Jul 1 2015, 5:34 AM

Deployed https://gerrit.wikimedia.org/r/#/c/222030 as a security patch for wikitech. @mmodell, since the patch is in master, it will be included with wmf13. But wmf11 and 12 are patched.

@csteipp thanks, can we close this then?

csteipp closed this task as Resolved. Jul 7 2015, 11:42 PM
csteipp added a parent task: Restricted Task. Aug 7 2015, 6:38 PM
csteipp added a subscriber: ProgramCeltic.
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)". Aug 10 2015, 9:58 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".

CVE-2015-6732 was assigned for this and T103761.