
A variant of "Load JS and CSS by URL" site JS snippet is vulnerable to XSS
Closed, Resolved · Public


@Skizzerz noticed that the "Load multiple files" variant of this popular site JS snippet: didn't validate the 'use' parameter and allowed for XSS attacks with a URL like (assuming you have registered an account as user 'Evil' and created the page 'User:Evil/evil.js'). The snippet is fixed now: but who knows where it was copied.

Note, the normal variant is not vulnerable (although it is heart-attack-inducing). From a quick glance, our major sites (Wikipedia, Commons, Meta) use the safe normal variant in their MediaWiki:Common.js pages, but we should mwgrep or something to check them all. And maybe we should put out a notice somewhere for third parties?
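For anyone auditing a copied version of the multi-file variant, the following is an added example (not the fixed snippet referenced in the task, and not code from the MediaWiki project) of the kind of allowlist check the 'use' parameter needs. It assumes entries are separated by `|` and that only pages in the `MediaWiki:` namespace, which ordinary users cannot edit, may be loaded; `selectLoadable` and the sample values are hypothetical.

```javascript
// Added example. Assumption: 'use' carries page titles separated by "|".
// Only titles in the MediaWiki: namespace ending in .js or .css are accepted.
// Characters that could start a query string, fragment, markup or a
// percent-escape are refused outright.
const ALLOWED_TITLE = /^MediaWiki:[^&<>=%#|]*\.(js|css)$/;

// Hypothetical helper: turns the raw 'use' value into lists of titles that
// are safe to load. Fails closed: one bad entry means nothing is loaded.
function selectLoadable(rawUse) {
  if (typeof rawUse !== 'string' || rawUse === '') {
    return { js: [], css: [], rejected: [] };
  }
  const out = { js: [], css: [], rejected: [] };
  for (const title of rawUse.split('|')) {
    const m = ALLOWED_TITLE.exec(title);
    if (m) {
      out[m[1]].push(title); // m[1] is 'js' or 'css'
    } else {
      out.rejected.push(title);
    }
  }
  if (out.rejected.length > 0) {
    return { js: [], css: [], rejected: out.rejected };
  }
  return out;
}

// Constructed sample values for the 'use' parameter.
const samples = [
  'MediaWiki:Gadget-a.js|MediaWiki:Gadget-a.css', // accepted
  'User:Evil/evil.js',                            // user-editable page: refused
  'MediaWiki:Ok.js|User:Evil/evil.js',            // mixed: whole request refused
  'MediaWiki:X.js&action=raw',                    // extra query text: refused
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(selectLoadable(s)));
}
```

In a site script the raw value would come from `mw.util.getParamValue( 'use' )`, and the loader would run only over the returned `js` and `css` lists.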

Event Timeline

matmarex created this task. May 8 2017, 9:29 PM
dpatrick triaged this task as High priority.
dpatrick added a project: Vuln-XSS.
Bawolff closed this task as Resolved. May 16 2017, 10:40 AM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".
He7d3r added a subscriber: He7d3r. May 17 2017, 7:38 PM