Page MenuHomePhabricator
Create Task
Maniphest T108198

XSS in GeSHi/contrib/cssgen.php
Closed, ResolvedPublic
Actions

Description

Another issue reported by DAU Huy Ngoc.

This was already fixed by https://gerrit.wikimedia.org/r/#/c/224826/ (T101608), but we should call out in the release that there was a security impact of that fix.

Hello,

I found another XSS in the geshi plugin included in mediawiki 1.25.1.

The POC is as follows:
/extensions/SyntaxHighlight_GeSHi/geshi/contrib/cssgen.php?step=3&keywords-1=%3Cscript%3Ealert%281%29%3C/script%3E

Note that WMF sites are not affected. I believe 1.26 and 1.24 branches don't use the same version of geshi.

However, if you are gonna release 1.25.2 (as you mentioned earlier). There's a big chance that it will include the vulnerable plugin.

Regards

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 Resolved csteippT108198 XSS in GeSHi/contrib/cssgen.php

Event Timeline

csteipp created this task.Aug 6 2015, 4:41 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added a project: acl*security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp added subscribers: csteipp, Ngocdh.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 6 2015, 4:41 PM
csteipp closed this task as Resolved.Aug 6 2015, 4:41 PM
csteipp claimed this task.
csteipp added a parent task: Restricted Task.

Fixed in REL1_25 already.

csteipp added a project: Vuln-XSS.Aug 6 2015, 4:42 PM
csteipp added subscribers: MaxSem, Reedy.Aug 6 2015, 5:01 PM

geshi/contrib was reintroduced by c9186790222666c767ee8ec2a12c28e62f8e82dc, which was merged Nov 7, 2014, but looks like it didn't make the branch cut for REL1_24.

And actually, https://gerrit.wikimedia.org/r/#/c/224826/ hasn't been merged. @MaxSem, @Reedy, either of you able to get jenkins to merge it?

csteipp reopened this task as Open.Aug 6 2015, 5:01 PM
MaxSem closed this task as Resolved.Aug 6 2015, 6:01 PM

Merged with Lego's help.

csteipp added subscribers: Grunny, ProgramCeltic.Aug 7 2015, 6:31 PM
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 10 2015, 9:59 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.
csteipp added a project: Security-Extensions.Aug 20 2015, 9:33 PM
Krenair subscribed.Aug 31 2015, 1:11 AM

CVE-2015-6734 was assigned for this, and CVE-2015-6733 for potential DoS issues in those scripts.

Ngocdh added a comment.Aug 31 2015, 6:23 PM

Thanks for the credit

chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits