Page MenuHomePhabricator
Create Task
Maniphest T305764

PetScan XSS vulnerability
Closed, ResolvedPublicSecurity
Actions

Description

Entering "/><img src="x"onerror="alert('XSS')"/> into the "Categories" (and various other) field at https://petscan.wmflabs.org/ results in the code being executed. This can further be propagated by hiding it behind a PSID such as this: https://petscan.wmflabs.org/?psid=21847456. Interestingly, all instances of "<script" appear to be replaced, but that is not enough to prevent the vulnerability.

I had emailed Magnus about this back in January, with no response and nothing being fixed, so I have been told to report to Phabricator.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Related Objects

Event Timeline

1234qwer1234qwer4 created this task.Apr 8 2022, 11:35 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 8 2022, 11:35 PM
1234qwer1234qwer4 mentioned this in T305765: commonshelper XSS vulnerability.Apr 8 2022, 11:36 PM
1234qwer1234qwer4 mentioned this in T305767: file-siblings XSS vulnerability.
1234qwer1234qwer4 mentioned this in T305768: magnustools: wiki2playlist XSS vulnerability.
1234qwer1234qwer4 mentioned this in T305769: magnustools: unused_files XSS vulnerability.
1234qwer1234qwer4 mentioned this in T305770: magnustools: randomarticle XSS vulnerability.
1234qwer1234qwer4 mentioned this in T305771: dnbtools: map2wp XSS vulnerability.
1234qwer1234qwer4 mentioned this in T305772: catfood XSS vulnerability.
1234qwer1234qwer4 mentioned this in T305773: catnap XSS vulnerability.
1234qwer1234qwer4 mentioned this in T305774: wikidata-todo: dupe_finder XSS vulnerability.
1234qwer1234qwer4 mentioned this in T305775: usualsuspects XSS vulnerability.
1234qwer1234qwer4 mentioned this in T305776: GLAMorous XSS vulnerability.
bd808 added a project: Tools.Apr 9 2022, 12:44 AM
bd808 removed a subscriber: Toolforge.
Reedy edited projects, added Vuln-XSS, SecTeam-Processed; removed Security-Team.Apr 9 2022, 11:58 AM
Magnus closed this task as Resolved.May 19 2022, 12:30 PM
Magnus claimed this task.

Fixed

sbassett triaged this task as Low priority.May 19 2022, 3:02 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL