
XSS in central notice due to lack of escaping in LoadBanner error handling
Closed, Resolved · Public · 4 Estimated Story Points

Description

Example:

https://en.wikipedia.org/w/index.php?title=Prism_International&banner=);alert(%27XSS%20on%20%27%2Bdocument.domain);void%20(&force=1&campaign=uggr%20wle%202017%20awards

Basically, if you set a campaign that exists but is expired, then the banner parameter is reflected back without escaping.

Making this a subtask of T171987 since it's more serious than the stuff on that bug, as you can do this without being an admin.
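An added illustration of the bug class described above, written for this page and not taken from the task or from CentralNotice's code. It assumes, hypothetically, that the banner loader answers with a JavaScript snippet that repeats the requested banner name in its "campaign expired" error branch (the real response shape is not on the page); the fix shown is to emit the value as an encoded string literal instead of concatenating it into source.

```javascript
// Vulnerable builder (assumed shape, not CentralNotice's code): the user-controlled
// banner name is concatenated straight into JavaScript source, so a value that
// contains ");" ends the call early and whatever follows is parsed as code.
function buildErrorResponseVulnerable(bannerName) {
  return "mw.centralNotice.insertBanner(false, 'campaign expired: " + bannerName + "');";
}

// Hardened builder: encode the value as a JSON string literal (the PHP equivalent in
// a MediaWiki handler would be json_encode / FormatJson-style encoding). Quotes,
// backslashes and control characters are escaped, so the value cannot leave the
// literal; "<" is additionally escaped in case the snippet is ever inlined in HTML.
function buildErrorResponseSafe(bannerName) {
  const literal = JSON.stringify("campaign expired: " + bannerName)
    .replace(/</g, "\\u003c");
  return "mw.centralNotice.insertBanner(false, " + literal + ");";
}

// Regression check for the safe form: the response must consist of exactly one
// insertBanner call whose second argument is a single JSON string literal.
// Returns the decoded string on success, or null if the response has any other shape.
function parseSafeResponse(response) {
  const m = /^mw\.centralNotice\.insertBanner\(false, ("(?:[^"\\]|\\.)*")\);$/.exec(response);
  if (m === null) return null;
  return JSON.parse(m[1]);
}

// Constructed sample input: the decoded banner value from the task's reproduction URL.
const PAYLOAD = ");alert('XSS on '+document.domain);void (";

// With the vulnerable builder the payload closes the call and injects a second
// statement; with the safe builder it stays inert inside the string literal.
console.log(buildErrorResponseVulnerable(PAYLOAD));
console.log(buildErrorResponseSafe(PAYLOAD));
console.log(parseSafeResponse(buildErrorResponseSafe(PAYLOAD)));
```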

Event Timeline

Bawolff created this task. Sep 14 2017, 9:33 AM
Restricted Application added a subscriber: Aklapper. Sep 14 2017, 9:33 AM
Bawolff updated the task description. Sep 14 2017, 9:38 AM
Bawolff added a project: Security-Extensions.
Bawolff triaged this task as High priority. Sep 14 2017, 9:48 AM
Bawolff moved this task from Backlog / Other to Patch pending review on the acl*security board.
Bawolff added a project: Patch-For-Review.

Proposed patch:

[21:57]	bawolff	!log deployed patch T175900

We should probably release/publicize this at the same time as related T171987

Great, thanks so much! Quite a terrifying vulnerability... Patch looks great, locally smoke tested and verified that it blocks the attack :)

Ejegg added a subscriber: Ejegg. Mar 8 2018, 9:00 PM

Introduced in eca170c5919dd78b5be281218460e671c066067d

Fix should be backported to REL1_29 and REL1_30

Ejegg added a comment. Mar 8 2018, 9:09 PM

OK, same patch works for all versions, no backporting needed.

Ejegg changed the visibility from "Custom Policy" to "Public (No Login Required)". Mar 12 2018, 10:15 PM
Ejegg closed this task as Resolved. Mar 14 2018, 9:01 PM
DStrine set the point value for this task to 4. Jun 4 2019, 3:55 AM