User name Special:BlockIP is not HTML escaped
Closed, Resolved (Public)

Description

Author: Amalthea.wikimedia

Description:
Specifically, in the div#mw-ipb-conveniencelinks the name of the contributions link is not escaped.

SpecialBlockip.php, function getContribsLink

See also related Bug 19517.


Version: unspecified
Severity: critical
URL: http://en.wikipedia.org/wiki/Special:Block/Amalthea%27%22%26lt

bzimport added a project: MediaWiki-Interface. Via Conduit, Nov 21 2014, 10:41 PM
bzimport set Reference to bz19693.
bzimport created this task. Via Legacy, Jul 13 2009, 9:32 AM
bzimport added a comment. Via Conduit, Jul 13 2009, 9:40 AM

river wrote:

Please don't report critical security issues in the public bug tracker; the email address security [at] wikimedia.org exists for that purpose.

IAlex added a comment. Via Conduit, Jul 13 2009, 9:44 AM

Fixed in r53159.

bzimport added a comment. Via Conduit, Jul 13 2009, 10:24 AM

Amalthea.wikimedia wrote:

Alright, next time, but this is nowhere near critical. User names are pretty heavily restricted anyways, and to the best of my knowledge, the only possible exploit of this one would be to provoke display inconsistencies, since browsers display a "&lt" as a "<". You can't have plain angle brackets in your user name.

IAlex added a comment. Via Conduit, Jul 13 2009, 7:08 PM

User names are restricted, this is correct, but the link to Special:Contribution doesn't check for that, so you could link to Special:Block?ip=<script>...</script> (or anything else) and it was passed raw to the user.
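
The missing output escaping described in the comment above, as an added PHP example that is not MediaWiki's code and not the r53159 change: a link builder that concatenates the request value raw, next to one that encodes it for the URL and HTML contexts. The function names, the /wiki/ path layout and the link label are assumptions; the two inputs are the values quoted in this report.

```php
<?php
// Added illustration, not MediaWiki's SpecialBlockip.php. Function names, the
// /wiki/ path layout and the "Contributions for" label are assumptions.

/** "Before" shape: the request value is concatenated into markup as-is. */
function contribsLinkRaw(string $target): string {
    return '<a href="/wiki/Special:Contributions/' . $target . '">'
        . 'Contributions for ' . $target . '</a>';
}

/** Hardened shape: encode separately for each output context. */
function contribsLinkEscaped(string $target): string {
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    // URL path segment: percent-encode, then escape for the attribute value.
    $href = '/wiki/Special:Contributions/' . rawurlencode($target);
    return '<a href="' . htmlspecialchars($href, $flags, 'UTF-8') . '">'
        . htmlspecialchars('Contributions for ' . $target, $flags, 'UTF-8')
        . '</a>';
}

/** Structural check: only the template's own two tags and two quotes remain. */
function markupIsIntact(string $link): bool {
    return substr_count($link, '<') === 2 && substr_count($link, '"') === 2;
}

// Inputs from the report: the name in the bug URL (percent-decoded), and the
// script-tag value from the comment, with its body elided as it is there.
$samples = ["Amalthea'\"&lt", '<script>...</script>'];

foreach ($samples as $target) {
    $raw = contribsLinkRaw($target);
    $escaped = contribsLinkEscaped($target);
    printf("input:   %s\n", $target);
    printf("raw:     %s\n         intact: %s\n", $raw, var_export(markupIsIntact($raw), true));
    printf("escaped: %s\n         intact: %s\n\n", $escaped, var_export(markupIsIntact($escaped), true));
}
// For the first input, rawurlencode() yields Amalthea%27%22%26lt, the same path
// segment as the URL in the report, and the label's "&lt" becomes "&amp;lt",
// so a browser shows the literal characters instead of decoding them to "<".
```
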

bzimport added a comment. Via Conduit, Jul 13 2009, 8:50 PM

Amalthea.wikimedia wrote:

Yowsa, ok, I just didn't realize the severity then, I didn't look into it that deeply.
