Author: ayg
Description:
Originally sent to security@wikimedia.org on September 18, 2009. I never got a response, except a bounce message saying tim@wikimedia.org didn't exist. Nikerabbit was the one who originally pointed it out to me, because it affected translatewiki.net (which has since worked around it). I haven't tested if it still happens in recent trunk, but I'm not aware of any changes that should make it not happen.
Original report text:
$wgServer is set from the request's domain in most cases. This is a problem because that domain can be injected into content which is then cached. For instance, this page:
http://translatewiki.net/w/i.php?title=Special:RecentChanges&feed=rss
At the time I'm reading it, all the RSS links point to "evil2.aryeh.name" instead of translatewiki.net. To achieve this, I just set evil2.aryeh.name to be a CNAME for translatewiki.net, then browsed to the RSS feed. Now, hypothetically, anyone viewing that RSS feed on translatewiki.net will get directed to my domain. I could harvest IP addresses; switch the domain to point to a site containing script intended to infect vulnerable browsers; or lure users into logging in on my domain, stealing their passwords.
The primary mitigation is that most server setups aren't affected. Shared hosts rely on virtual hosting, so the spoofing won't work. Only wikis that can be reached by dedicated IP addresses are affected, and only if they don't have some kind of redirect in place for unrecognized domains (like wikia.com does) and don't give an error on unrecognized domains (like Wikimedia sites do). translatewiki.net is affected, and wikileaks.org also looks vulnerable. Probably so are a lot of other mid-sized wikis.
I don't see an obvious easy fix to this, but maybe I'm not thinking hard enough.
This was pointed out to me by Nikerabbit, who asked me to file this report. I mentioned it to TIm privately on IRC, but all he said was "interesting".
Version: unspecified
Severity: minor