Author: abarth-wikimedia
Description:
The XSS vulnerability is as follows:
- A malicious user uploads a specially crafted image to Mediawiki.
- The detectScript function in SpecialUpload.php incorrectly determines that the file is safe for upload.
- The user visits a malicious web site in Internet Explorer 6 or Internet Explorer 7.
- The web site navigates the user directly to the image URL.
- The browser sniffs the contents of the image as HTML and executes the JavaScript in the image in Wikipedia's security origin.
I can post an example image to this bug if you like, but I wasn't sure if you wanted me to upload a working proof-of-concept exploit to the bugtracker.
The issue is that the detectScript function only checks for a subset of the byte sequences that cause Internet Explorer to sniff HTML. We are working to create a complete list of these byte sequences and will inform you when we have done so.
Also troubling is the portion of the function following the comment "look for javascript." This code misses any number of places JavaScript might occur in an HTML document. Hopefully this code will not be needed once we make the first part of this function comprehensive.
Version: 1.14.x
Severity: normal
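The report's two points, that the check must cover the byte sequences a sniffer reacts to rather than a subset, and that hunting for the word "javascript" is the wrong test, can be illustrated with a small upload filter. This is an added example for this page, not MediaWiki's detectScript code; the 256-byte window and the tag list are assumptions taken from Microsoft's published MIME-detection notes, and the sample inputs are constructed.

```python
import re

# Internet Explorer decides whether a response is HTML by scanning roughly its
# first 256 bytes for well-known tag names. The window size and the tag list
# below follow Microsoft's published MIME-detection notes; both are assumptions
# for this example and are not MediaWiki's detectScript implementation.
SNIFF_WINDOW = 256
HTML_TAGS = (b"html", b"head", b"body", b"title", b"script", b"a href", b"pre",
             b"table", b"img", b"plaintext", b"!--", b"?xml")

# '<' followed by a trigger tag name, any letter case, not followed by more
# word characters (so "<imgx" does not count but "<IMG " does).
_TAG_RE = re.compile(
    b"<(?:" + b"|".join(re.escape(t) for t in HTML_TAGS) + b")(?![a-z0-9])",
    re.IGNORECASE,
)


def sniffs_as_html(data: bytes, window=SNIFF_WINDOW) -> bool:
    """True if a sniffer looking at the first `window` bytes (None = whole
    file) would find an HTML trigger tag, regardless of what precedes it."""
    head = data if window is None else data[:window]
    return _TAG_RE.search(head) is not None


def naive_javascript_check(data: bytes) -> bool:
    """The weak policy the report criticises: flag only the literal word
    'javascript', which says nothing about whether the file sniffs as HTML."""
    return b"javascript" in data.lower()


def is_safe_upload(data: bytes, expected_magic: bytes) -> bool:
    """Hardened policy: require the declared image's magic bytes AND no HTML
    trigger anywhere in the file (window=None is stricter than IE's 256 bytes,
    since other sniffers use different windows)."""
    return data.startswith(expected_magic) and not sniffs_as_html(data, None)


# Constructed sample inputs, not real uploads.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
CLEAN_PNG = PNG_MAGIC + b"\x00" * 64
TAGGED_PNG = PNG_MAGIC + b"\x00" * 32 + b"<HtMl>"       # mixed-case tag
SRC_TAG_PNG = PNG_MAGIC + b"<script src=x></script>"   # no 'javascript' word
LATE_TAG_PNG = PNG_MAGIC + b"\x00" * 300 + b"<html>"   # past IE's window

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_PNG), ("tagged", TAGGED_PNG),
                       ("src_tag", SRC_TAG_PNG), ("late_tag", LATE_TAG_PNG)]:
        print(name, "naive:", naive_javascript_check(blob),
              "sniffs:", sniffs_as_html(blob),
              "safe:", is_safe_upload(blob, PNG_MAGIC))
```

The `src_tag` case is the gap the report describes: the keyword search passes it while the tag scan rejects it, and `late_tag` shows why the hardened policy scans the whole file rather than only the sniffer's window.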