XSS in Parser::replaceInternalLinks2 during replacement of percent encoding in unclosed internal links
Closed, Resolved, Public

Description

Put

[[#%3Cscript%3Ealert(1)%3C/script%3E|

On a line by itself, and you get an XSS.

It appears that this was fixed in the main code branch in r13302 by @GWicke, but the e1_img code patch was missed. The e1_img code path was added in r5693, so this issue basically affects all versions of MW ever.

@Legoktm helped discover this vulnerability.

Bawolff created this task. Jun 8 2016, 2:22 AM
Restricted Application added a subscriber: Aklapper. Jun 8 2016, 2:22 AM
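
A simplified model of the bug class named in the title, as an added example that is not MediaWiki's code and not part of the original task: a line is HTML-escaped first, a later pass percent-decodes the target of an unclosed `[[target|` link, and the decoded `<` and `>` reach the output unescaped. The function names, the regex and the escape-then-decode ordering are assumptions made for illustration; the input is the string from the description.

```php
<?php
// Constructed model, not MediaWiki source. All function names and the
// regex below are hypothetical and exist only for this illustration.

// Earlier pass: escape the raw wikitext line so literal markup is inert.
function escapeLine(string $line): string {
    return htmlspecialchars($line, ENT_QUOTES, 'UTF-8');
}

// Matches an unclosed internal link: "[[target|rest" with no closing "]]".
const UNCLOSED_LINK = '/^\[\[([^\]|]+)\|(.*)$/s';

// Vulnerable ordering: the target is percent-decoded AFTER escaping has
// already run, so %3C and %3E turn into live < and > in the output.
function renderUnclosedLinkVulnerable(string $escaped): string {
    if (!preg_match(UNCLOSED_LINK, $escaped, $m)) {
        return $escaped;
    }
    $target = strpos($m[1], '%') !== false ? rawurldecode($m[1]) : $m[1];
    return '[[' . $target . '|' . $m[2];
}

// Hardened: whatever decoding produces is untrusted again and is
// re-escaped before being concatenated into the output. The final
// "false" keeps entities from the first pass from being double-encoded.
function renderUnclosedLinkHardened(string $escaped): string {
    if (!preg_match(UNCLOSED_LINK, $escaped, $m)) {
        return $escaped;
    }
    $target = $m[1];
    if (strpos($target, '%') !== false) {
        $target = htmlspecialchars(rawurldecode($target), ENT_QUOTES, 'UTF-8', false);
    }
    return '[[' . $target . '|' . $m[2];
}

// Input taken from the task description.
$line = escapeLine('[[#%3Cscript%3Ealert(1)%3C/script%3E|');

echo "vulnerable: ", renderUnclosedLinkVulnerable($line), "\n";
echo "hardened:   ", renderUnclosedLinkHardened($line), "\n";
```

The escaping pass leaves the input untouched because it contains no HTML metacharacters until it is decoded, which is why any decode step that runs after escaping needs its own output encoding.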

For reference:

dpatrick triaged this task as "High" priority.

This has been tested and is ready for deployment.

dpatrick closed this task as "Resolved". Jun 15 2016, 9:18 PM
dpatrick claimed this task.

This patch has been deployed:

21:16 dapatrick: Deployed patch for T137264 to wmf.5 and wmf.6

@Legoktm @Bawolff @dpatrick: Thanks for catching & addressing this one!

demon changed the visibility from "Custom Policy" to "Public (No Login Required)". Aug 23 2016, 1:23 AM
demon changed Security from Software security bug to None.

Change 306129 had a related patch set uploaded (by Ejegg):
SECURITY: XSS in unclosed internal links

https://gerrit.wikimedia.org/r/306129

Change 306129 merged by jenkins-bot:
SECURITY: XSS in unclosed internal links

https://gerrit.wikimedia.org/r/306129

Change 306120 merged by jenkins-bot:
SECURITY: XSS in unclosed internal links

https://gerrit.wikimedia.org/r/306120

Change 306111 merged by jenkins-bot:
SECURITY: XSS in unclosed internal links

https://gerrit.wikimedia.org/r/306111

Change 306092 merged by jenkins-bot:
SECURITY: XSS in unclosed internal links

https://gerrit.wikimedia.org/r/306092

Change 306101 merged by jenkins-bot:
SECURITY: XSS in unclosed internal links

https://gerrit.wikimedia.org/r/306101