Page MenuHomePhabricator

A variant of "Load JS and CSS by URL" site JS snippet is vulnerable to XSS
Closed, ResolvedPublic


@Skizzerz noticed that the "Load multiple files" variant of this popular site JS snippet: didn't validate the 'use' parameter and allowed for XSS attacks with an URL like (assuming you have registered an account as user 'Evil' and created the page 'User:Evil/evil.js'). The snippet is fixed now: but who knows where it was copied.

Note, the normal variant is not vulnerable (although it is heart-attack-inducing). From a quick glance, our major sites (Wikipedia, Commons, Meta) use the safe normal variant in their MediaWiki:Common.js pages, but we should mwgrep or something to check them all. And maybe we should put out a notice somewhere for third parties?

Event Timeline

dpatrick triaged this task as High priority.
dpatrick added a project: Vuln-XSS.
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".