XSS in MediaWiki API (through invalid property name) reintroduced in 1.21.1
Closed, Resolved, Public

Assigned To: None
Priority: High
Author: bzimport
Subscribers: Anomie, Peachey88, Catrope and 3 others
Projects:
Reference: bz52746
Description

Author: bugzilla

Description:
It looks like bug #28534 was re-introduced in MediaWiki 1.21.1.
Test URL: http://ossdepot.v-front.de/wiki/api%2Ephp?action=query&meta=siteinfo&format=json&siprop=%3Cbody%20onload=alert(document.cookie)%3E.shtml (This is a fresh 1.21.1 installation).

This was detected by a security scan via scanmyserver.com and confirmed by their support.


Version: unspecified
Severity: normal
URL: http://ossdepot.v-front.de/wiki/api%2Ephp?action=query&meta=siteinfo&format=json&siprop=%3Cbody%20onload=alert(document.cookie)%3E.shtml
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=28534

bzimport added a project: MediaWiki-API. Via Conduit, Nov 22 2014, 2:07 AM
bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz52746.
bzimport created this task. Via Legacy, Aug 12 2013, 10:12 AM
Aklapper added a comment. Via Conduit, Aug 13 2013, 11:51 AM

[Note to Security team: This Bugzilla ticket got filed under "MediaWiki" instead of "Security" product and hence is already known to the public, e.g. via http://article.gmane.org/gmane.org.wikimedia.mediawiki.bugs/359688 . Maybe also because http://www.mediawiki.org/wiki/Security does not mention Bugzilla? :-/ ]

csteipp added a comment. Via Conduit, Aug 13 2013, 6:39 PM

I'm not sure if this is a regression, since that code hasn't changed much since Tim's patch for 28534. If you change the reported url to alert(1), as the issue was reported in 28524, instead of alert(document.cookie), you correctly get the IE redirect.

I'm not sure if it was intentional in that patch or not, but it seems (to me) that findIE6Extension doesn't correctly detect the extension if there are an even number of . characters in the url, since $pos = $nextPos + 1; will walk past the second . character, and then not detect that there was a . followed by legal characters.

If that wasn't intentional, then changing that to $pos = $nextPos; should fix the issue.
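
To make the scan described in the comment above concrete, here is an added Python model of the loop (example code written for this page, not MediaWiki's IEUrlExtension code and not the attached patch). It assumes the set of characters that terminates a candidate extension, and that the scan runs over the raw, still percent-encoded request URI. The two URLs are constructed from the test URL in the report, where the dot of api.php is encoded as %2E, so the raw URI holds exactly two literal dots in the document.cookie case and one in the alert(1) case. The skip_char_after_dot flag reproduces the `$pos = $nextPos + 1` behaviour; the default is the `$pos = $nextPos` fix.

```python
# Model of the IE6 extension scan described in the ticket (example code,
# not MediaWiki's own IEUrlExtension::findIE6Extension). The character set
# that terminates a candidate extension is an assumption.
ILLEGAL = set('<>\\"/:|?*#')


def find_ie6_extension(url: str, skip_char_after_dot: bool = False):
    """Return the extension IE6 would sniff from `url`, or None.

    Mirrors the loop structure in the ticket: find a dot, then scan forward
    until an illegal character, another dot, or the end of the URL.  With
    skip_char_after_dot=True the scan resumes one character past a second
    dot (the `$pos = $nextPos + 1` behaviour), so that dot's own extension
    is never examined.  The fixed behaviour resumes at the dot itself.
    """
    hash_pos = url.find('#')
    end = hash_pos if hash_pos != -1 else len(url)  # fragment never counts
    pos = 0
    while True:
        pos = url.find('.', pos, end)
        if pos == -1:
            return None                              # no more dots: nothing to sniff
        pos += 1                                     # candidate starts after the dot
        next_pos = pos
        while next_pos < end and url[next_pos] not in ILLEGAL and url[next_pos] != '.':
            next_pos += 1
        if next_pos >= end:
            return url[pos:end]                      # ran to the end: this is the extension
        if url[next_pos] == '.':
            # Another dot ended the candidate. Buggy: step past it, so the
            # extension that follows it is lost. Fixed: resume at the dot.
            pos = next_pos + 1 if skip_char_after_dot else next_pos
        else:
            pos = next_pos + 1                       # illegal char: skip it, find next dot


# Constructed inputs modelled on the ticket's test URL. The scan sees the raw,
# percent-encoded URI, so %3C/%3E/%2E do not terminate a candidate but '?' does.
XSS_URL = ("/wiki/api%2Ephp?action=query&meta=siteinfo&format=json"
           "&siprop=%3Cbody%20onload=alert(document.cookie)%3E.shtml")
ALERT1_URL = ("/wiki/api%2Ephp?action=query&meta=siteinfo&format=json"
              "&siprop=%3Cbody%20onload=alert(1)%3E.shtml")


def compare(url: str) -> dict:
    """Extension found by the buggy and the fixed scan for one URL."""
    return {
        'buggy': find_ie6_extension(url, skip_char_after_dot=True),
        'fixed': find_ie6_extension(url),
    }


if __name__ == '__main__':
    for name, url in (('document.cookie', XSS_URL), ('alert(1)', ALERT1_URL)):
        print(name, compare(url))
```

Running it shows the buggy scan returning no extension for the document.cookie URL, so the IE6 redirect is skipped and the response body is left to content sniffing, while the fixed scan returns shtml for both URLs. A URL with the dot only in the fragment returns None in both variants, and a path such as /w/index.php/Foo.html shows the scan continuing past an illegal character to the next dot.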

tstarling added a comment. Via Conduit, Aug 14 2013, 12:19 AM

Created attachment 13095
Patch with unit test

Confirmed XSS on mediawiki.org in IE6. Skipping the character after a dot is definitely unintentional.

Attached: bug-52746.patch

bzimport added a comment. Via Conduit, Aug 18 2013, 2:06 PM

bugzilla wrote:

Thanks, I applied the patch to my installation, and the scanmyserver.com service no longer detects this issue.

(In reply to comment #3)

> Created attachment 13095 [details]
> Patch with unit test
>
> Confirmed XSS on mediawiki.org in IE6. Skipping the character after a dot is
> definitely unintentional.
>
> Attached: bug-52746.patch

gerritbot added a comment. Via Conduit, Sep 3 2013, 10:10 PM

Change 82528 had a related patch set (by Tim Starling) published:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82528

gerritbot added a comment. Via Conduit, Sep 3 2013, 10:18 PM

Change 82528 merged by jenkins-bot:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82528

gerritbot added a comment. Via Conduit, Sep 3 2013, 10:34 PM

Change 82536 had a related patch set uploaded by CSteipp:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82536

gerritbot added a comment. Via Conduit, Sep 3 2013, 10:34 PM

Change 82538 had a related patch set uploaded by CSteipp:
SECURITY: Sanitize ResourceLoader exception messages

https://gerrit.wikimedia.org/r/82538

gerritbot added a comment. Via Conduit, Sep 3 2013, 10:39 PM

Change 82540 had a related patch set uploaded by CSteipp:
SECURITY: Sanitize ResourceLoader exception messages

https://gerrit.wikimedia.org/r/82540

gerritbot added a comment. Via Conduit, Sep 3 2013, 10:39 PM

Change 82542 had a related patch set uploaded by CSteipp:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82542

gerritbot added a comment. Via Conduit, Sep 3 2013, 10:42 PM

Change 82544 had a related patch set uploaded by CSteipp:
SECURITY: Sanitize ResourceLoader exception messages

https://gerrit.wikimedia.org/r/82544

gerritbot added a comment. Via Conduit, Sep 3 2013, 10:42 PM

Change 82546 had a related patch set uploaded by CSteipp:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82546

gerritbot added a comment. Via Conduit, Sep 3 2013, 10:54 PM

Change 82536 merged by CSteipp:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82536

gerritbot added a comment. Via Conduit, Sep 3 2013, 11:16 PM

Change 82540 merged by jenkins-bot:
SECURITY: Sanitize ResourceLoader exception messages

https://gerrit.wikimedia.org/r/82540

gerritbot added a comment. Via Conduit, Sep 3 2013, 11:20 PM

Change 82544 merged by jenkins-bot:
SECURITY: Sanitize ResourceLoader exception messages

https://gerrit.wikimedia.org/r/82544

gerritbot added a comment. Via Conduit, Sep 3 2013, 11:23 PM

Change 82538 merged by jenkins-bot:
SECURITY: Sanitize ResourceLoader exception messages

https://gerrit.wikimedia.org/r/82538

gerritbot added a comment. Via Conduit, Sep 4 2013, 12:32 AM

Change 82546 merged by jenkins-bot:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82546

gerritbot added a comment. Via Conduit, Sep 4 2013, 3:55 AM

Change 82542 merged by jenkins-bot:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82542

Aklapper added a comment. Via Conduit, Sep 4 2013, 9:22 AM

[restoring RESOLVED FIXED state which was set before the Gerrit Notification Bot inserted links to the Gerrit patchsets]

csteipp added a comment. Via Conduit, Sep 5 2013, 5:00 PM

This issue was assigned CVE-2013-4303
