Page MenuHomePhabricator
Create Task
Maniphest T103765

Ex:SemanticForms - Stored XSS in template label on Special:FormEdit
Closed, ResolvedPublic
Actions

Description

  1. Create a form and add <script> tag in the "Template label (optional):" field
  2. Visit Special:FormEdit/<templatename>/<anypage>
  3. Script executes

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedYaron_KorenT103765 Ex:SemanticForms - Stored XSS in template label on Special:FormEdit

Event Timeline

csteipp created this task.Jun 24 2015, 11:47 PM
csteipp assigned this task to Yaron_Koren.
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added a project: acl*security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp added subscribers: Grunny, Aklapper, csteipp.
csteipp added a comment.Jun 24 2015, 11:52 PM

Naive patch

T103765.patch961 BDownload

Krenair added projects: Security-Extensions, MediaWiki-extensions-Page_Forms.Jun 25 2015, 12:44 AM
Krenair subscribed.
dpatrick added a project: Vuln-XSS.Jun 30 2015, 9:18 PM
dpatrick set Security to None.
Yaron_Koren added a comment.Jun 30 2015, 11:18 PM

For some reason I only saw this now. Thanks for the patch! I just checked in this change.

csteipp added a comment.Jul 1 2015, 12:02 AM

That was https://gerrit.wikimedia.org/r/#/c/222030

@Yaron_Koren, for future patches on security bugs, it would be great if you could comment here if you think the patch looks good, or needs an improvement. Then we can deploy (secretly) to our cluster before making the patch public in gerrit.

Yaron_Koren added a comment.Jul 1 2015, 1:35 AM

@csteipp - okay, I can do that.

csteipp added a subscriber: mmodell.Jul 1 2015, 5:34 AM

Deployed https://gerrit.wikimedia.org/r/#/c/222030 as a security patch for wikitech. @mmodell, since the patch is in master, it will be included with wmf13. But wmf11 and 12 are patched.

mmodell added a comment.Jul 7 2015, 7:06 PM

@csteipp thanks, can we close this then?

csteipp closed this task as Resolved.Jul 7 2015, 11:42 PM
csteipp added a parent task: Restricted Task.Aug 7 2015, 6:38 PM
csteipp added a subscriber: ProgramCeltic.
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 10 2015, 9:58 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
Krenair added a comment.Aug 31 2015, 1:05 AM

CVE-2015-6732 was assigned for this and T103761.

Krenair mentioned this in T103761: Ex:SemanticForms - Stored XSS in CreateForm + hostile template.Aug 31 2015, 1:06 AM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL