
XSS in GeSHi/contrib/cssgen.php
Closed, Resolved (Public)

Description

Another issue reported by DAU Huy Ngoc.

This was already fixed by https://gerrit.wikimedia.org/r/#/c/224826/ (T101608), but we should call out in the release that there was a security impact of that fix.


Hello,

I found another XSS in the geshi plugin included in mediawiki 1.25.1.

The POC is as follows:
/extensions/SyntaxHighlight_GeSHi/geshi/contrib/cssgen.php?step=3&keywords-1=%3Cscript%3Ealert%281%29%3C/script%3E

Note that WMF sites are not affected. I believe 1.26 and 1.24 branches don't use the same version of geshi.

However, if you are gonna release 1.25.2 (as you mentioned earlier), there's a big chance that it will include the vulnerable plugin.

Regards
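The report above describes a reflected XSS: the value of the `keywords-1` query parameter is copied into the HTML response without escaping, so the percent-decoded payload in the PoC URL is interpreted as markup. The following is an added illustrative example, not the contents of GeSHi's cssgen.php nor the Gerrit change referenced in this task; the function names and the label markup are hypothetical. It places the unsafe pattern next to the escaped form so the fix's effect on the reported input can be seen directly.

```php
<?php
// Added example, not GeSHi's real code. Demonstrates the reflected-XSS pattern
// from the report (unescaped query parameter echoed into HTML) and the fix.

// Hypothetical vulnerable renderer: raw user input lands in the HTML body.
function renderKeywordsUnsafe(array $query): string
{
    $value = $query['keywords-1'] ?? '';
    return '<label>Keywords: ' . $value . '</label>';
}

// Hypothetical fixed renderer: encode &, <, >, " and ' so the input is shown
// as text and never parsed as markup. ENT_QUOTES also covers attribute context.
function renderKeywordsSafe(array $query): string
{
    $value = $query['keywords-1'] ?? '';
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<label>Keywords: ' . $escaped . '</label>';
}

// Constructed input: the percent-decoded form of the query string in the PoC.
$query = ['step' => '3', 'keywords-1' => '<script>alert(1)</script>'];

echo renderKeywordsUnsafe($query), PHP_EOL;
echo renderKeywordsSafe($query), PHP_EOL;

// Self-check a reviewer can run with `php thisfile.php`: the safe output must
// contain no raw tag opener.
if (strpos(renderKeywordsSafe($query), '<script') !== false) {
    throw new RuntimeException('escaping failed');
}
```

Running the script prints the two renderings one after the other; in the first the tag is live markup, in the second it is entity-encoded text. The same context-appropriate escaping applies to every other parameter the script reflects (the report's `step` included), which is why the release notes should call out the security impact of a fix that at first looked like cleanup.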

Event Timeline

csteipp created this task. Aug 6 2015, 4:41 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added a project: Security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp added subscribers: csteipp, Ngocdh.
Restricted Application added a subscriber: Aklapper. Aug 6 2015, 4:41 PM
csteipp closed this task as Resolved. Aug 6 2015, 4:41 PM
csteipp claimed this task.
csteipp added a parent task: Restricted Task.

Fixed in REL1_25 already.

geshi/contrib was reintroduced by c9186790222666c767ee8ec2a12c28e62f8e82dc, which was merged Nov 7, 2014, but looks like it didn't make the branch cut for REL1_24.

And actually, https://gerrit.wikimedia.org/r/#/c/224826/ hasn't been merged. @MaxSem, @Reedy, either of you able to get jenkins to merge it?

csteipp reopened this task as Open. Aug 6 2015, 5:01 PM
MaxSem closed this task as Resolved. Aug 6 2015, 6:01 PM

Merged with Lego's help.

csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)". Aug 10 2015, 9:59 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.

CVE-2015-6734 was assigned for this, and CVE-2015-6733 for potential DoS issues in those scripts.

Thanks for the credit