
Dom xss in redirectedFromArticle script
Closed, Resolved · Public

Description

Reflected dom xss on sites using the redirectedFromArticle script.

Visit a url like:
Wikipédia:Redirect_vers_Wikibooks?debug=true#<t0>.23<t1>.23<img%20src=food%20onerror="alert(1)"/>

Seems to be in Common.js on:
frp.wikipedia.org
oc.wikipedia.org
wo.wikipedia.org

Version: unspecified
Severity: normal

Details

Reference
bz47127

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 1:29 AM
bzimport added a project: Security-Other.
bzimport set Reference to bz47127.
bzimport changed Security from none to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "acl*security (Project)". Nov 22 2014, 1:29 AM
Restricted Application changed the edit policy from "All Users" to "acl*security (Project)".
Restricted Application changed the visibility from "acl*security (Project)" to "Custom Policy". Nov 24 2014, 9:28 PM
Restricted Application changed the edit policy from "acl*security (Project)" to "Custom Policy".

The code is no longer present on any wikis.

frp.wikipedia.org already didn't have it (was removed by a local admin in June last year).
oc.wikipedia.org and wo.wikipedia.org still had it, I removed it just now (diff 1, diff 2).

I also verified through mwgrep that code like it hasn't been introduced on any of the other 895 wikis, either ("redirected_from", "redirectedFromArticleDatas", etc.)

Krinkle claimed this task.
matmarex changed the visibility from "Custom Policy" to "Public (No Login Required)". Jun 3 2017, 10:24 AM
matmarex changed the edit policy from "Custom Policy" to "All Users".

There is doRedirect() on https://or.wiktionary.org/wiki/MediaWiki:Common.js which passes var wiktDYMfrom = decodeURIComponent(location.href.replace(/^(.+[&\?]rdfrom=([^&]+).*|.*)?$/,"$2")); to mw.util.getUrl. Could be removed since T5339 is fixed, maybe.
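The following is an added example, not the removed Common.js script and not MediaWiki's own code. It reconstructs the class of bug behind both the redirectedFromArticle notice in the description and the rdfrom handling in the comment above: a value taken from the URL (fragment or query string) is decoded and written into the page as markup. The reconstruction assumes the script took location.hash, turned MediaWiki-style ".23" anchor escapes back into "%23", percent-decoded the result, split it on "#", and built the notice with string concatenation assigned to innerHTML; the function names, the notice wording and the sample fragments are all constructed for the example. Beside the vulnerable builder are two hardened forms: one that escapes every URL-derived value before it touches markup, and one that uses DOM APIs so no HTML string is parsed at all.

```javascript
// Added example (not the wiki's Common.js): reconstructed "redirected from"
// notice pattern beside hardened versions.
// ASSUMPTION: the original script decoded location.hash (".23" -> "%23",
// then percent-decoding), split on "#", and wrote the pieces via innerHTML.

// Decode a fragment such as "#Foo.23Bar" into its "#"-separated parts.
// Returns [] for a fragment that is not valid percent-encoding instead of
// throwing (decodeURIComponent raises URIError on malformed input).
function parseRedirectFragment(hash) {
  const raw = hash.replace(/^#/, '');
  // Old MediaWiki anchors used "." where URLs use "%" (".23" is "#").
  const percent = raw.replace(/\.([0-9A-Fa-f]{2})/g, '%$1');
  try {
    return decodeURIComponent(percent).split('#');
  } catch (e) {
    return [];
  }
}

// Escape the characters that matter in element content and in double-quoted
// attribute values (same idea as mw.html.escape).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE pattern: fragment-derived strings are concatenated straight into
// markup, so a "<" in the fragment becomes live HTML once assigned to innerHTML.
function buildNoticeUnsafe(hash) {
  const [from, to] = parseRedirectFragment(hash);
  if (from === undefined || to === undefined) return '';
  return '<div class="redirectedFrom">Redirected from <a href="/wiki/' + from +
    '">' + from + '</a> to ' + to + '</div>';
}

// HARDENED: every fragment-derived value is escaped before it touches markup,
// and the href is percent-encoded so it cannot break out of the attribute value.
function buildNoticeSafe(hash) {
  const [from, to] = parseRedirectFragment(hash);
  if (from === undefined || to === undefined) return '';
  return '<div class="redirectedFrom">Redirected from <a href="/wiki/' +
    encodeURIComponent(from) + '">' + escapeHtml(from) + '</a> to ' +
    escapeHtml(to) + '</div>';
}

// Preferred in a browser: build the notice with DOM APIs and textContent, so
// no HTML string is ever parsed. `doc` is the page's `document`, passed in so
// the function has no global dependency.
function renderNoticeDom(doc, hash) {
  const [from, to] = parseRedirectFragment(hash);
  if (from === undefined || to === undefined) return null;
  const div = doc.createElement('div');
  div.className = 'redirectedFrom';
  div.appendChild(doc.createTextNode('Redirected from '));
  const a = doc.createElement('a');
  a.href = '/wiki/' + encodeURIComponent(from);
  a.textContent = from; // assigned as text, never as markup
  div.appendChild(a);
  div.appendChild(doc.createTextNode(' to ' + to));
  return div;
}
```

With a constructed fragment such as `#Main_Page.23<b>injected</b>`, `buildNoticeUnsafe` returns markup that still contains a live `<b>` element, while `buildNoticeSafe` returns `&lt;b&gt;injected&lt;/b&gt;` and `renderNoticeDom` never creates an element from the fragment at all. The same discipline applies to a query parameter such as rdfrom: decoding it is fine, but the decoded value must be escaped (or passed only to APIs that treat it as a title, not as HTML) before it reaches the page.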