Page MenuHomePhabricator

Alert group Cross site scripting (content-sniffing)
Closed, InvalidPublic


Alert group Cross site scripting (content-sniffing)
Severity Medium
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious
code (usually in the form of Javascript) to another user. Because a browser cannot know if the script
should be trusted or not, it will execute the script in the user context allowing the attacker to access any
cookies or session tokens retained by the browser.
Recommendations Your script should filter metacharacters from user input.
Alert variants
This type of XSS can only be triggered on (and affects) content sniffing browsers.
URL encoded GET input formatversion was set to 2'"()&%<acx><ScRiPt >BL79(9702)</ScRiPt>
GET /w/api.php?action=opensearch&format=json&formatversion=2'"()%26%25<acx><ScRiPt%20>BL79(9702)
</ScRiPt>&limit=10&namespace=0&search=the&suggest=true HTTP/1.1
Connection: keep-alive
Cookie: vector-nav-p-HTML_.D9.88_CSS=true;vector-navp-.D8.AC.D8.A7.D9.88.D8.A7_.D8.A7.D8.B3.DA.A9.D8.B1.DB.8C.D9.BE.D8.AA=false;vector-nav-pServer_Side=false;vector-nav-p-Programming=false;vector-nav-ptb=false;wikicod_coddb_wikicod__session=rqe73jqgdkt7g5f4svo838m7lv53h58t;mf_useformat=true;stopM
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Accept: */*
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21


Event Timeline

sbassett closed this task as Invalid.EditedNov 12 2019, 4:02 PM
sbassett triaged this task as Lowest priority.
sbassett moved this task from Backlog / Other to Done on the acl*security board.
sbassett added a subscriber: sbassett.

The <ScRiPt%20>BL79(9647)</ScRiPt> XSS payload referenced within the output of the automated security scan above is returned as part of a JSON response from the MediaWiki action API with a content-type of application/json. No modern web browsers should be rendering this content as HTML where such a naive XSS payload would be executed. Additionally, the output appears to be properly sanitized when the action API results are returned as HTML (format=html). Resolving as invalid.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 12 2019, 4:02 PM