Reported by Chris Davis
This vulnerability could be used to hijack the account of anyone who views an image on an instance of mediawiki, or deliver a flood of spam anonymously.
A live demo exists over on RationalWiki, though I'd like to take it down soon so if you can confirm as soon as possible I'd be grateful:
The SVG exists at: http://rationalwiki.org/w/images/0/03/Silly_mediawiki.svg
Which imports a stylesheet: http://rationalwiki.org/wiki/User:Jeeves/test.xsl
There's probably an element of browser compatibility because it relies on the browser sensibly parsing XSL. I tested on Chrome & Firefox on Windows.
The live example simply executes a little XMLHTTTPRequest that queries the API for the currently logged in user and alerts the user with the struct passed back. Obviously you could craft a more malicious and less obtrusive payload.
The technical details are:
- An XSL document is crafted to assemble an SVG which will include an executable payload, such as a script tag.
- The XSL document is written to page on the wiki.
- An XML document that looks minimally like an SVG file is crafted to fool the input validation. This XML document imports the XSL as a stylesheet.
- The XML document is uploaded to the image as an SVG file.
Just view souce on the working example for more details.
Please confirm soonest.