User name Special:BlockIP is not HTML escaped
Closed, Resolved | Public

Assigned To
Unbreak Now!
IAlex, wikibugs-l

Author: Amalthea.wikimedia

Specifically, in the div#mw-ipb-conveniencelinks the name of the contributions link is not escaped.

SpecialBlockip.php, function getContribsLink

See also related Bug 19517.

Version: unspecified
Severity: critical

bzimport added a project: MediaWiki-Interface. (Via Conduit, Nov 21 2014, 10:41 PM)
bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz19693.
bzimport created this task. (Via Legacy, Jul 13 2009, 9:32 AM)
bzimport added a comment. (Via Conduit, Jul 13 2009, 9:40 AM)

river wrote:

Please don't report critical security issues in the public bug tracker; the email address security [at] exists for that purpose.

IAlex added a comment. (Via Conduit, Jul 13 2009, 9:44 AM)

Fixed in r53159.

bzimport added a comment. (Via Conduit, Jul 13 2009, 10:24 AM)

Amalthea.wikimedia wrote:

Alright, next time, but this is nowhere near critical. User names are pretty heavily restricted anyways, and to the best of my knowledge, the only possible exploit of this one would be to provoke display inconsistencies, since browsers display a "&lt" as a "<". You can't have plain angle brackets in your user name.

IAlex added a comment. (Via Conduit, Jul 13 2009, 7:08 PM)

User names are restricted, this is correct, but the link to Special:Contribution doesn't check for that, so you could link to Special:Block?ip=<script>...</script> (or anything else) and it was passed raw to the user.
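
Added illustration of the point made in the comment above; it is not part of the original thread and is not MediaWiki's code or the r53159 change. The function names and sample values are hypothetical and constructed here. It contrasts a link text built from the raw target with one escaped at output, and reports any elements that appear besides the expected `<a>`.

```php
<?php
// Added illustration, not MediaWiki source. Function names are hypothetical.

// "Before" pattern: the block target is placed in the link text as-is.
function contribsLinkRaw(string $target): string {
    $href = '/wiki/Special:Contributions/' . rawurlencode($target);
    return '<a href="' . $href . '">Contributions for ' . $target . '</a>';
}

// Hardened pattern: escape at the point of output, whatever validation
// the value may or may not have passed earlier.
function contribsLinkEscaped(string $target): string {
    $href = '/wiki/Special:Contributions/' . rawurlencode($target);
    $text = htmlspecialchars('Contributions for ' . $target, ENT_QUOTES, 'UTF-8');
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">' . $text . '</a>';
}

// Names of elements opened in $html other than the single expected <a>.
function unexpectedTags(string $html): array {
    preg_match_all('/<([a-z][a-z0-9]*)/i', $html, $m);
    $tags = array_map('strtolower', $m[1]);
    $i = array_search('a', $tags, true);
    if ($i !== false) {
        unset($tags[$i]);
    }
    return array_values($tags);
}

// Constructed values standing in for the ip= request parameter.
$samples = ['Example user', 'A&ltB', '<b>x</b>'];
foreach ($samples as $s) {
    $links = ['raw' => contribsLinkRaw($s), 'escaped' => contribsLinkEscaped($s)];
    foreach ($links as $kind => $html) {
        printf("%-8s %-14s extra tags: [%s]\n  %s\n",
            $kind, $s, implode(',', unexpectedTags($html)), $html);
    }
}
```

The `A&ltB` sample covers the display inconsistency mentioned earlier in the thread, and the `<b>x</b>` sample covers markup arriving through the request parameter without passing user-name validation.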

bzimport added a comment. (Via Conduit, Jul 13 2009, 8:50 PM)

Amalthea.wikimedia wrote:

Yowsa, ok, I just didn't realize the severity then, I didn't look into it that deeply.
