XSS in MediaWiki API (through invalid property name)
Closed, Resolved, Public

bzimport set Reference to bz28534.
bzimport created this task. Via Legacy, Apr 14 2011, 9:51 AM
tstarling added a comment. Via Conduit, Apr 14 2011, 10:04 AM

Please tell me this is the last one.

MarkAHershberger added a comment. Via Conduit, Apr 26 2011, 9:27 PM

This has been fixed in 1.16.4, I think. Tim, could you close it, if so?

tstarling added a comment. Via Conduit, Apr 27 2011, 1:47 PM

No, it's not fixed.

tstarling added a comment. Via Conduit, Apr 27 2011, 3:15 PM

One possibility is

/\.[^\\/:\*\?\"<>|]+(#|\?|$)/i

This was suggested by Reedy based on the characters that are not allowed in Windows paths. I'm wondering if it's a good idea to allow the percent symbol:

/\.[^\\/:\*\?\"<>|%]+(#|\?|$)/i

This would make it less likely that innocuous plain text at the end of a query string would be disallowed, in URLs such as:

http://www.mediawiki.org/w/api.php?action=parse&text=Sentence%20one.%20Sentence%20two

In theory, file extensions can contain percent symbols, but in practice this doesn't seem to be done.
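The two candidate patterns above, run as an added example (not MediaWiki's own code) against the thread's URL and some constructed API requests. It assumes the check is applied to the path info and query string after api.php, since the script name itself would otherwise match on ".php?", and it shows both the false positive the percent sign causes and a legitimate request that either pattern still flags:

```python
import re

# The two candidate patterns from the comment above, transcribed from PCRE to
# Python. Inside a character class '*', '?' and '"' need no escaping, so they
# are written bare; the meaning is unchanged.
EXT_ALLOW_PERCENT = re.compile(r'\.[^\\/:*?"<>|]+(#|\?|$)', re.I)
EXT_NO_PERCENT = re.compile(r'\.[^\\/:*?"<>|%]+(#|\?|$)', re.I)


def request_tail(url, script_name="api.php"):
    """Return the path info and query string that follow the script name.

    Assumption (not stated in the thread): the heuristic is run on what
    follows api.php, because ".php?" in the script name would otherwise
    trip it on every request.
    """
    _head, sep, tail = url.partition(script_name)
    if not sep:
        raise ValueError("script name %r not found in %r" % (script_name, url))
    return tail


def find_extension(tail, allow_percent):
    """Return the extension-like token the chosen pattern finds, or None.

    The token runs from a dot up to '#', '?' or the end of the string,
    which is what the regex treats as a filename extension.
    """
    pattern = EXT_ALLOW_PERCENT if allow_percent else EXT_NO_PERCENT
    match = pattern.search(tail)
    return match.group(0) if match else None


def is_suspicious(url, allow_percent=False):
    """True if the extension heuristic would reject this request."""
    return find_extension(request_tail(url), allow_percent) is not None


if __name__ == "__main__":
    # First URL is the one from the thread; the rest are constructed inputs.
    samples = [
        "http://www.mediawiki.org/w/api.php?action=parse&text=Sentence%20one.%20Sentence%20two",
        "http://www.mediawiki.org/w/api.php?action=query&titles=File:Example.jpg",
        "http://www.mediawiki.org/w/api.php?action=query&prop=info&titles=Main_Page",
        "http://www.mediawiki.org/w/api.php?action=query&foo=page.html",
    ]
    for url in samples:
        tail = request_tail(url)
        print(tail)
        print("  percent allowed :", find_extension(tail, True))
        print("  percent excluded:", find_extension(tail, False))
```

Excluding the percent sign clears the thread's example URL, but a request whose last parameter is a file title such as `File:Example.jpg` is flagged by both patterns, which is the kind of false positive the later comments in this task refer to.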

Catrope added a comment. Via Conduit, Apr 27 2011, 3:22 PM

(In reply to comment #4)

In theory, file extensions can contain percent symbols, but in practice this doesn't seem to be done.

Allowing it sounds safe enough. The percent sign being a very obscure character in extensions makes it very unlikely it would be associated with a dangerous MIME type.

Peachey88 added a comment. Via Conduit, May 7 2011, 9:15 AM

Marking fixed; 1.16.5 was pushed the other day.

brion added a comment. Via Conduit, Jun 7 2011, 6:13 PM

Fixes are in r85844 and following; there are still serious outstanding bugs in 1.16.x & 1.17 beta releases caused by the fix series.

Latest updates on r89397 and r89558 may help reduce the false positives, but probably needs a quick test survey to confirm that things are ok.

MarkAHershberger added a comment. Via Conduit, Jun 15 2011, 7:47 PM

It looks like Tim has been doing most of the work on this to fix the problem, updating the assignee to reflect that. Looks like this is actually fixed, too, since the fixes mentioned in Comment #7 have been merged.

I'm sure you know how to reopen this if I'm wrong ;)

csteipp added a project: Security. Via Web, Mar 26 2015, 8:39 PM