Page MenuHomePhabricator
Create Task
Maniphest T77624

XSS in Extension:Listing 'name' and 'url' parameters
Closed, ResolvedPublic
Actions

Assigned To
csteipp
Authored By
csteipp
Dec 8 2014, 6:09 PM
Tags
Referenced Files
F20212: t77624b.patch
Dec 9 2014, 5:35 PM
F20119: t77624b.patch
Dec 8 2014, 11:52 PM
F19980: t77624.patch
Dec 8 2014, 6:45 PM
Subscribers
Aklapper
csteipp
Mglaser

Description

I was re-reviewing some parser functions, and found that the Listing extension allows arbitrary urls, including "javascript:", etc.

E.g.,
<buy name="asdf" url="javascript:alert(1)" >anything</buy>

And the name parameter is vulnerable to reflected/stored xss:

<buy name="&lt;scriupt&gt;alert(2)&lt;/script&gt;">anything</buy>

Details

SubjectRepoBranchLines +/-
SECURITY: validate URL added to listingsmediawiki/extensions/Listingsmaster+10 -4
SECURITY: validate URL added to listingsmediawiki/extensions/ListingsREL1_22+10 -4
SECURITY: validate URL added to listingsmediawiki/extensions/ListingsREL1_23+10 -4
SECURITY: validate URL added to listingsmediawiki/extensions/ListingsREL1_24+10 -4
SECURITY: validate URL added to listingsmediawiki/extensions/Listingsmaster+10 -4
SECURITY: validate URL added to listingsmediawiki/extensions/Listingsmaster+10 -4
SECURITY: validate URL added to listingsmediawiki/extensions/Listingsmaster+10 -4
Customize query in gerrit

Related Objects

Event Timeline

csteipp created this task.Dec 8 2014, 6:09 PM
csteipp claimed this task.
csteipp raised the priority of this task from to High.
csteipp updated the task description. (Show Details)
csteipp added projects: acl*security, MediaWiki-Core-Team.
csteipp changed Security from none to Software security bug.
csteipp subscribed.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptDec 8 2014, 6:09 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
csteipp added a comment.Dec 8 2014, 6:45 PM

t77624.patch1 KBDownload

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 6:45 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp moved this task from Backlog to Needs Review/Feedback on the MediaWiki-Core-Team board.Dec 8 2014, 6:45 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 6:45 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie subscribed.Dec 8 2014, 10:36 PM

Patch seems to work for the 'url' parameter. But the 'name' field allows HTML injection too:

<buy name="&lt;script&gt;alert(2)&lt;/script&gt;" >anything</buy>

The others look safe enough, unless you can do something malicious with a url prepended with "mailto:".

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 10:36 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp added a comment.Dec 8 2014, 11:52 PM

Thanks Brad!

t77624b.patch1 KBDownload

The others look safe enough, unless you can do something malicious with a url prepended with "mailto:".

I think that one is ok

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 11:52 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie added a comment.Dec 9 2014, 2:52 PM

Looks good to me, +1. Although you might want to mention the 'name' thing in the commit message too.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 9 2014, 2:52 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp renamed this task from Arbitrary url in Ex:Listing can be used for xss to XSS in Extension:Listing 'name' and 'url' parameters.Dec 9 2014, 5:14 PM
csteipp updated the task description. (Show Details)
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 9 2014, 5:14 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp added a subscriber: Mglaser.Dec 9 2014, 5:35 PM

Deployed

t77624b.patch1 KBDownload
(with updated commit message).

@Mglaser, this can be released.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 9 2014, 5:35 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp moved this task from Needs Review/Feedback to Done on the MediaWiki-Core-Team board.Dec 15 2014, 10:13 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 15 2014, 10:13 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp moved this task from Done to Needs Review/Feedback on the MediaWiki-Core-Team board.Dec 15 2014, 10:16 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 15 2014, 10:16 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Mglaser mentioned this in rELSGb0b82dda5cff: SECURITY: validate URL added to listings.Dec 17 2014, 9:01 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 17 2014, 9:01 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Mglaser mentioned this in rELSGc45cde4f6140: SECURITY: validate URL added to listings.Dec 17 2014, 9:01 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 17 2014, 9:01 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Mglaser mentioned this in rELSGdad8f0f036a5: SECURITY: validate URL added to listings.Dec 17 2014, 9:02 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 17 2014, 9:02 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Mglaser mentioned this in rELSG1d83e3e27aca: SECURITY: validate URL added to listings.Dec 17 2014, 9:02 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 17 2014, 9:02 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie closed this task as Resolved.Dec 17 2014, 10:19 PM
Anomie changed the visibility from "Custom Policy" to "Public (No Login Required)".
Anomie changed the edit policy from "Custom Policy" to "All Users".
Anomie changed Security from Software security bug to None.
bd808 moved this task from Needs Review/Feedback to Done on the MediaWiki-Core-Team board.Dec 17 2014, 11:02 PM
bd808 moved this task from Done to Archive on the MediaWiki-Core-Team board.Dec 22 2014, 10:38 PM
csteipp mentioned this in rMEXT2a67e9e3b2a6: Updated mediawiki/extensions Project: mediawiki/extensions/Listings….Mar 11 2015, 6:22 AM
csteipp mentioned this in rMEXTed69a0f4a05a: Updated mediawiki/extensions Project: mediawiki/extensions/Listings….Mar 11 2015, 6:29 AM
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL