Page MenuHomePhabricator
Create Task
Maniphest T281196

Stored XSS in SportsTeams' Special:SportsTeamsManager & Special:UpdateFavoriteTeams (CVE-2021-36131)
Closed, ResolvedPublicSecurity
Actions

Description

Conceptually similar to T281043, just in a different extension.

Details

SubjectRepoBranchLines +/-
[SECURITY] Fix stored XSS in Special:SportsTeamsManager & Special:UpdateFavoriteTeams + add phan & seccheck & make 'em passmediawiki/extensions/SportsTeamsmaster+212 -161
Customize query in gerrit

Related Objects

Event Timeline

ashley created this task.Apr 26 2021, 10:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 26 2021, 10:07 PM
ashley claimed this task.Apr 26 2021, 10:08 PM
ashley added a project: Social-Tools.

SportsTeams-XSS.patch12 KBDownload

Quickie patch which fixes this issue and swaps escaping stuff around and whatnot in order to reduce general reviewer anxiety with this super old codebase.

Reedy edited projects, added SecTeam-Processed; removed Security-Team.Apr 27 2021, 12:47 AM
Legoktm subscribed.Apr 27 2021, 1:01 AM

Same as the other patch, in SportsTeamsManager there's:

					<input type="hidden" name="id" value="' . $id . '" />

and I couldn't see where $id was coming from. Otherwise looked fine.

ashley moved this task from Backlog to SportsTeams on the Social-Tools board.Apr 27 2021, 5:12 PM
sbassett mentioned this in T279733: Write and send supplementary release announcement for extensions and skins with security patches (1.31.15/1.35.3/1.36.1).Apr 27 2021, 6:05 PM
Legoktm closed this task as Resolved.May 16 2021, 8:36 PM
Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".
Legoktm changed the edit policy from "Custom Policy" to "All Users".
sbassett renamed this task from Stored XSS in SportsTeams' Special:SportsTeamsManager & Special:UpdateFavoriteTeams to Stored XSS in SportsTeams' Special:SportsTeamsManager & Special:UpdateFavoriteTeams (CVE-2021-36131).Jul 2 2021, 7:50 PM
ashley added a project: SportsTeams.Sep 5 2023, 11:46 AM
ashley updated the task description. (Show Details)
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL