Page MenuHomePhabricator

Alert group: JSONP enabled by default in MappingJackson2JsonView
Closed, InvalidPublic

Description

/w/api.php
Alert group JSONP enabled by default in MappingJackson2JsonView
Severity High

Description
Spring Framework, versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported
versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding)
through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for
browser requests. Both are not enabled by default in Spring Framework nor Spring Boot.
However when MappingJackson2JsonView is configured in an application, JSONP support is
automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling crossdomain requests.
Users of affected versions should apply the following mitigation:
5.0.x users should upgrade to 5.0.7.
4.3.x users should upgrade to 4.3.18.
Recommendations
Older versions should upgrade to a supported branch, or otherwise set MappingJacksonJsonView's
jsonpParameterNames property to an empty set.
Applications that do require JSONP support will need to explicitly configure the jsonpParameterNames
property of MappingJacksonJsonView following the upgrade. It is recommended that applications
switch to using CORS instead of JSONP to enable cross-domain requests. JSONP support in the
Spring Framework is deprecated as of 5.0.7 and 4.3.18 and will be removed in 5.1.
Alert variants
Details
GET /w/api.php?
action=opensearch&format=json&formatversion=2&limit=10&namespace=0&search=the&suggest=true&callb
ack=qfdedmzhog&jsonp=qfdedmzhog&cb=qfdedmzhog&json=qfdedmzhog HTTP/1.1
Cookie: vector-nav-p-HTML_.D9.88_CSS=true;vector-navp-.D8.AC.D8.A7.D9.88.D8.A7_.D8.A7.D8.B3.DA.A9.D8.B1.DB.8C.D9.BE.D8.AA=false;vector-nav-pServer_Side=false;vector-nav-p-Programming=false;vector-nav-ptb=false;wikicod_coddb_wikicod__session=rqe73jqgdkt7g5f4svo838m7lv53h58t;mf_useformat=true;stopM
obileRedirect=true
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Accept: */*
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive

Event Timeline

MaxSem changed the visibility from "Custom Policy" to "Public (No Login Required)".

The output of the automated security scan pasted above appears to reference a JSONP-related vulnerability for the Java Spring framework. MediaWiki is written in PHP and does not use Java for any of its core components, so this is a false positive. While we appreciate anybody taking the time to investigate security-related issues within MediaWiki or any other Wikimedia code, filing Phabricator tasks for false positives like this, extremely low-level information disclosure vulnerabilities which are most likely invalid for FLOSS code, issues which have not been thoroughly investigated and provided without explicit steps for reproduction, or where an existing Phabricator task already exists is at best, very unhelpful. Additionally, please find and review our published steps for responsibly reporting security issues.