Page MenuHomePhabricator

Upload Wizard exploitable with evil filenames
Closed, ResolvedPublic

Description

Linux is very permissive with its file names (compared to Windows). I was able to create a file with the following name:
<a onmouseover="alert('XSS')">abc</a>test.png

Then I uploaded this file and when hovering the title, an XSS alert is shown.


Version: unspecified
Severity: normal

Details

Reference
bz51801

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 1:58 AM
bzimport added a project: UploadWizard.
bzimport set Reference to bz51801.
Rillke created this task.Jul 22 2013, 10:53 AM

(js-client exploitable)

Change 75090 had a related patch set uploaded by Rillke:
Filename: Using text instead of HTML to avoid exploitable

https://gerrit.wikimedia.org/r/75090

Change 75090 merged by jenkins-bot:
Filename: Using text instead of HTML to avoid exploitable

https://gerrit.wikimedia.org/r/75090

Gilles moved this task from Untriaged to Done on the Multimedia board.Dec 4 2014, 9:34 AM