Page MenuHomePhabricator

A variant of "Load JS and CSS by URL" site JS snippet is vulnerable to XSS
Closed, ResolvedPublic

Description

@Skizzerz noticed that the "Load multiple files" variant of this popular site JS snippet: https://www.mediawiki.org/wiki/Snippets/Load_JS_and_CSS_by_URL didn't validate the 'use' parameter and allowed for XSS attacks with an URL like http://example.com/wiki/Foo?use=MediaWiki:Whatever%26title%3DUser%3AEvil%2Fevil.js (assuming you have registered an account as user 'Evil' and created the page 'User:Evil/evil.js'). The snippet is fixed now: https://www.mediawiki.org/w/index.php?title=Snippets/Load_JS_and_CSS_by_URL&diff=2463924&oldid=2447017 but who knows where it was copied.

Note, the normal variant is not vulnerable (although it is heart-attack-inducing). From a quick glance, our major sites (Wikipedia, Commons, Meta) use the safe normal variant in their MediaWiki:Common.js pages, but we should mwgrep or something to check them all. And maybe we should put out a notice somewhere for third parties?

Event Timeline

matmarex created this task.May 8 2017, 9:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 8 2017, 9:29 PM
dpatrick triaged this task as High priority.May 11 2017, 5:49 PM
dpatrick assigned this task to Bawolff.
dpatrick added a project: Vuln-XSS.
Bawolff closed this task as Resolved.May 16 2017, 10:40 AM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".
He7d3r added a subscriber: He7d3r.May 17 2017, 7:38 PM