Backslash-escaped comments allow CSS injection vulnerability
Closed, Resolved, Public

Description

Wikipedia user Suffusion of Yellow discovered a CSS injection vulnerability, which occurs when CSS comments /* ... */ are escaped with backslashes: \2f\2a ... \2a\2f. The bug is due to an error in the CSS escape sequence normalisation code which we introduced to fix bug 23687.

As with any CSS injection vulnerability, the impact is complete account compromise (XSS) for Internet Explorer users, and possible privacy loss due to arbitrary remote image embedding for users of other browsers.


Version: 1.16.x
Severity: normal
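
The general failure mode behind backslash-escaped comments, as an added Python example that is not part of the original report and not MediaWiki's code: a filter that strips comments before decoding escapes lets `\2f\2a ... \2a\2f` through as a live comment, while decoding first does not. The function names, the two-pass ordering and the sample value are assumptions constructed for illustration.

```python
import re

# CSS escape: backslash + 1-6 hex digits (+ one optional whitespace),
# backslash + newline (line continuation), or backslash + any other char.
_ESCAPE = re.compile(
    r'\\(?:([0-9A-Fa-f]{1,6})(?:\r\n|[ \t\r\n\f])?|(\r\n|[\r\n\f])|(.))', re.S)
_KEEP_ESCAPED = '\\"\'\n'  # backslash, quotes, newline

def _emit(ch):
    # Keep these characters escaped so the output cannot be decoded a
    # second time into something the filter never inspected.
    return '\\%x ' % ord(ch) if ch in _KEEP_ESCAPED else ch

def decode_css_escapes(css):
    def repl(m):
        if m.group(1):
            cp = int(m.group(1), 16)
            if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
                return '\ufffd'          # invalid code point
            return _emit(chr(cp))
        if m.group(2):
            return ''                    # line continuation
        return _emit(m.group(3))
    return _ESCAPE.sub(repl, css)

def strip_comments(css):
    # Replace with a space (not nothing) so neighbouring tokens cannot merge.
    css = re.sub(r'/\*.*?\*/', ' ', css, flags=re.S)
    # An unterminated comment swallows the rest of the value: drop the tail.
    start = css.find('/*')
    return css if start < 0 else css[:start]

def normalise_wrong_order(css):
    # Assumed flawed ordering: comments are removed while still escaped.
    return decode_css_escapes(strip_comments(css))

def normalise(css):
    # Decode first, so comment stripping sees what the browser will see.
    return strip_comments(decode_css_escapes(css))

# Constructed sample using the escaped delimiters quoted in the report.
SAMPLE = r'color: red; \2f\2a hidden \2a\2f'
```

Any keyword or pattern check belongs after `normalise()`, on the same string that is finally emitted.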

bzimport added a project: MediaWiki-Parser. Via Conduit, Nov 21 2014, 11:35 PM
bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz28450.
tstarling created this task. Via Legacy, Apr 7 2011, 4:33 AM
Platonides added a comment. Via Conduit, Apr 12 2011, 9:34 PM

Was fixed in r85856

hashar added a comment. Via Conduit, Oct 24 2011, 8:40 AM

Basic test added with r100584

csteipp added a project: Security. Via Web, Mar 26 2015, 8:39 PM
