Page MenuHomePhabricator

XSS in central notice due to lack of escaping in LoadBanner error handling
Closed, ResolvedPublic4 Estimated Story Points



Basically if set a campaign that exists but is expired, then the banner parameter is reflected back without escaping.

Making this a subtask of T171987 since its more serious than the stuff on that bug, as you can do this without being an admin.

Event Timeline

Bawolff triaged this task as High priority.Sep 14 2017, 9:48 AM
Bawolff moved this task from Backlog / Other to Patch pending review on the acl*security board.
Bawolff added a project: Patch-For-Review.

Proposed patch:

[21:57]	bawolff	!log deployed patch T175900

We should probably release/publisize this at the same time as related T171987

Great, thanks so much! Quite a terrifying vulnerability... Patch looks great, locally smoke tested and verified that it blocks the attack :)

Introduced in eca170c5919dd78b5be281218460e671c066067d

Fix should be backported to REL1_29 and REL1_30

OK, same patch works for all versions, no backporting needed.

Ejegg changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 12 2018, 10:15 PM
DStrine set the point value for this task to 4.Jun 4 2019, 3:55 AM