Page MenuHomePhabricator
Create Task
Maniphest T30507

XSS: Incorrect patch for bug 28235
Closed, ResolvedPublic
Actions

Description

Author: masatokinugawa

Description:
bug 28235's patch is still vulnerable.

http://www.mediawiki.org/w/api%2Ephp?action=query&meta=siteinfo&format=json&siprop=%3Cbody%20onload=alert(1)%3E.html?

Version: 1.16.x
Severity: normal
URL: http://www.mediawiki.org/w/api%2Ephp?action=query&meta=siteinfo&format=json&siprop=%3Cbody%20onload=alert(1)%3E.html?

Details

Reference
bz28507

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:25 PM
bzimport added a project: MediaWiki-General.
bzimport set Reference to bz28507.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Apr 12 2011, 7:46 AM
tstarling added a comment.Apr 14 2011, 7:19 AM

Thanks for that, another fix will be released in 1.16.4.

I had Roan Kattouw help me review and test the patch this time, so hopefully we've got it nailed down.

bzimport added a comment.Jul 17 2011, 4:57 AM

EN.WP.ST47 wrote:

No XSS when I click the link, so it works in 1.17-wmfwhatever. Closing fixed by Tim.

csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL