
User name Special:BlockIP is not HTML escaped
Closed, Resolved, Public


Author: Amalthea.wikimedia

Specifically, in the div#mw-ipb-conveniencelinks the name of the contributions link is not escaped.

SpecialBlockip.php, function getContribsLink

See also related Bug 19517.

Version: unspecified
Severity: critical



Event Timeline

bzimport raised the priority of this task from to Unbreak Now!. Nov 21 2014, 10:41 PM
bzimport set Reference to bz19693.
bzimport added a subscriber: Unknown Object (MLST).

river wrote:

Please don't report critical security issues in the public bug tracker; the email address security [at] exists for that purpose.

Amalthea.wikimedia wrote:

Alright, next time, but this is nowhere near critical. User names are pretty heavily restricted anyways, and to the best of my knowledge, the only possible exploit of this one would be to provoke display inconsistencies, since browsers display a "&lt" as a "<". You can't have plain angle brackets in your user name.

User names are restricted, this is correct, but the link to Special:Contribution doesn't check for that, so you could link to Special:Block?ip=<script>...</script> (or anything else) and it was passed raw to the user.

Amalthea.wikimedia wrote:

Yowsa, ok, I just didn't realize the severity then, I didn't look into it that deeply.
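
The point the thread arrives at, that restrictions on registered user names do not protect a link built from the request's `ip` parameter, shown as an added example that is not MediaWiki's code. `contribsLinkRaw`, `contribsLinkEscaped` and `markupIntact` are hypothetical stand-ins for a function like `getContribsLink`, and the URL layout and sample inputs are assumptions.

```php
<?php
// Added illustration: names and URL layout are hypothetical,
// not taken from MediaWiki's SpecialBlockip.php.

// 'Before': the target name reaches the href and the link text unescaped.
function contribsLinkRaw(string $target): string {
    return '<a href="/wiki/Special:Contributions/' . $target . '">'
        . 'Contributions for ' . $target . '</a>';
}

// 'After': encode separately for each output context.
// URL path segment -> rawurlencode; HTML attribute and text -> htmlspecialchars.
function contribsLinkEscaped(string $target): string {
    $href = '/wiki/Special:Contributions/' . rawurlencode($target);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
        . 'Contributions for '
        . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Structural check: a well-formed link contains exactly one opening tag,
// one closing tag and one quoted attribute, whatever the input was.
function markupIntact(string $html): bool {
    return substr_count($html, '<') === 2 && substr_count($html, '"') === 2;
}

// Constructed inputs. The first two resemble valid block targets; the rest
// could never be registered as user names but can still arrive in a request.
$samples = ['ExampleUser', '192.0.2.7', 'A & B', '<b>markup</b>', 'x" title="y'];

foreach ($samples as $target) {
    printf(
        "%-16s raw intact: %-3s escaped intact: %s\n",
        $target,
        markupIntact(contribsLinkRaw($target)) ? 'yes' : 'no',
        markupIntact(contribsLinkEscaped($target)) ? 'yes' : 'no'
    );
}
```

The `A & B` row passes the structural check in both forms, which matches the display-inconsistency case described earlier in the thread: a bare `&` does not break the element but is still rendered differently from what was supplied unless it is escaped.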