User name Special:BlockIP is not HTML escaped
Closed, Resolved; Public

Description

Author: Amalthea.wikimedia

Description:
Specifically, in the div#mw-ipb-conveniencelinks the name of the contributions link is not escaped.

SpecialBlockip.php, function getContribsLink

See also related Bug 19517.


Version: unspecified
Severity: critical
URL: http://en.wikipedia.org/wiki/Special:Block/Amalthea%27%22%26lt

Details

Reference
bz19693
bzimport created this task. Jul 13 2009, 9:32 AM

river wrote:

Please don't report critical security issues in the public bug tracker; the email address security [at] wikimedia.org exists for that purpose.

IAlex added a comment. Jul 13 2009, 9:44 AM

Fixed in r53159.

Amalthea.wikimedia wrote:

Alright, next time, but this is nowhere near critical. User names are pretty heavily restricted anyways, and to the best of my knowledge, the only possible exploit of this one would be to provoke display inconsistencies, since browsers display a "&lt" as a "<". You can't have plain angle brackets in your user name.

IAlex added a comment. Jul 13 2009, 7:08 PM

User names are restricted, this is correct, but the link to Special:Contribution doesn't check for that, so you could link to Special:Block?ip=<script>...</script> (or anything else) and it was passed raw to the user.

Amalthea.wikimedia wrote:

Yowsa, ok, I just didn't realize the severity then, I didn't look into it that deeply.
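
Added example (not part of the original report and not MediaWiki's code): the pattern discussed in this thread, with a request value rendered as link text first unescaped and then escaped at output time, plus a check that tells the two apart. The function names and URL layout are hypothetical; the two inputs are the decoded value from the report URL and the string quoted in IAlex's comment.

```php
<?php
// Added illustration only: function names and URL layout are hypothetical,
// not MediaWiki's SpecialBlockip.php code.

// Unsafe pattern: the request value is used as link text without escaping.
function contribsLinkRaw(string $target): string {
    $href = '/wiki/Special:Contributions/' . rawurlencode($target);
    return '<a href="' . $href . '">' . $target . '</a>';
}

// Safe pattern: escape for the HTML text context at output time, whether or
// not the value would pass user name validation elsewhere.
function contribsLinkEscaped(string $target): string {
    $href = '/wiki/Special:Contributions/' . rawurlencode($target);
    $text = htmlspecialchars($target, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '">' . $text . '</a>';
}

// Regression check: link text must hold no raw markup characters and no
// ampersand that does not start one of htmlspecialchars()'s entities.
function linkTextIsEscaped(string $html): bool {
    if (!preg_match('~^<a href="[^"]*">(.*)</a>$~s', $html, $m)) {
        return false;
    }
    return strpbrk($m[1], "<>\"'") === false
        && !preg_match('/&(?!(?:amp|lt|gt|quot|#039);)/', $m[1]);
}

// Constructed inputs: the decoded value from the report URL, and the value
// quoted in the comment thread.
$samples = ["Amalthea'\"&lt", '<script>...</script>'];

foreach ($samples as $s) {
    foreach (['contribsLinkRaw', 'contribsLinkEscaped'] as $fn) {
        $html = $fn($s);
        $state = linkTextIsEscaped($html) ? 'escaped' : 'RAW';
        printf("%-20s %-8s %s\n", $fn, $state, $html);
    }
}
```

The check flags both raw outputs, including the `&lt` case where no angle bracket is present in the input, which is why escaping belongs at the output step rather than relying on user name restrictions.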
