
XSS in Extension:Listing 'name' and 'url' parameters
Closed, ResolvedPublic

Description

I was re-reviewing some parser functions, and found that the Listing extension allows arbitrary urls, including "javascript:", etc.

E.g.,
<buy name="asdf" url="javascript:alert(1)" >anything</buy>

And the name parameter is vulnerable to reflected/stored xss:

<buy name="&lt;script&gt;alert(2)&lt;/script&gt;">anything</buy>
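The two defects in the description (an unrestricted scheme in the url attribute and an unescaped name attribute) are both output-side problems in the tag hook. The following is an added illustration, not the extension's code or the patch referenced in this task, of how a tag hook can close both: the url attribute is accepted only if its scheme is on an allowlist, and every attribute and the tag body are entity-escaped before being placed in HTML. The allowlist constant, the function names and the sample inputs are assumptions made for this example; MediaWiki's own `$wgUrlProtocols` would be the natural source of the allowlist in a real extension.

```php
<?php
// Added example, not the Listings extension's code.
// Assumption: a small scheme allowlist. In a MediaWiki extension the
// configured $wgUrlProtocols list would be used instead of this constant.
const LISTING_ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

/**
 * Return the URL unchanged if its scheme is allowlisted, otherwise null.
 * Scheme-less (relative) values are rejected as well, so "//host/..." and
 * bare paths never reach an href from this function.
 */
function listingSafeUrl(string $url): ?string {
    $url = trim($url);
    // Browsers strip control characters and tabs before scheme detection
    // ("java\tscript:"), so refuse anything containing them up front.
    if ($url === '' || preg_match('/[\x00-\x20]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), LISTING_ALLOWED_SCHEMES, true)) {
        return null;
    }
    return $url;
}

/**
 * Render one listing. Tag hook attributes arrive entity-decoded, so a
 * wikitext value written as &lt;script&gt; is already "<script>" here;
 * the only safe place to escape is at output, which this does for every
 * value regardless of where it came from.
 */
function renderListing(array $attrs, string $content): string {
    $esc = static function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    };
    $name = $esc($attrs['name'] ?? '');
    $body = $esc($content);
    $url  = listingSafeUrl($attrs['url'] ?? '');

    if ($url === null) {
        // No usable link: render the name as plain text and drop the URL.
        return '<span class="listing"><b>' . $name . '</b>: ' . $body . '</span>';
    }
    return '<span class="listing"><a href="' . $esc($url) . '">' . $name
        . '</a>: ' . $body . '</span>';
}

// Constructed inputs mirroring the report; the <script> text is what the
// parser hands the hook after decoding the &lt;...&gt; entities.
$cases = [
    ['name' => 'asdf', 'url' => 'javascript:alert(1)'],
    ['name' => '<script>alert(2)</script>', 'url' => 'https://example.org/'],
    ['name' => 'Shop', 'url' => 'mailto:shop@example.org'],
    ['name' => 'Shop', 'url' => "java\tscript:alert(3)"],
];
foreach ($cases as $attrs) {
    echo renderListing($attrs, 'anything'), "\n";
}
```

Running this prints the first and fourth cases without any link and the second with the name rendered as literal `&lt;script&gt;...` text; only the `https:` and `mailto:` values survive into an href, which matches the outcome the thread settles on for mailto.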

Details

Related Gerrit Patches:
mediawiki/extensions/Listings (master): SECURITY: validate URL added to listings
mediawiki/extensions/Listings (REL1_22): SECURITY: validate URL added to listings
mediawiki/extensions/Listings (REL1_23): SECURITY: validate URL added to listings
mediawiki/extensions/Listings (REL1_24): SECURITY: validate URL added to listings
mediawiki/extensions/Listings (master): SECURITY: validate URL added to listings
mediawiki/extensions/Listings (master): SECURITY: validate URL added to listings
mediawiki/extensions/Listings (master): SECURITY: validate URL added to listings

Event Timeline

csteipp created this task. Dec 8 2014, 6:09 PM
csteipp claimed this task.
csteipp raised the priority of this task from to High.
csteipp updated the task description. (Show Details)
csteipp changed Security from none to Software security bug.
csteipp added a subscriber: csteipp.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald Transcript Dec 8 2014, 6:09 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 6:45 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie added a subscriber: Anomie. Dec 8 2014, 10:36 PM

Patch seems to work for the 'url' parameter. But the 'name' field allows HTML injection too:

<buy name="&lt;script&gt;alert(2)&lt;/script&gt;" >anything</buy>

The others look safe enough, unless you can do something malicious with a url prepended with "mailto:".

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 10:36 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript

Thanks Brad!

The others look safe enough, unless you can do something malicious with a url prepended with "mailto:".

I think that one is ok

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald Transcript Dec 8 2014, 11:52 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie added a comment. Dec 9 2014, 2:52 PM

Looks good to me, +1. Although you might want to mention the 'name' thing in the commit message too.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 9 2014, 2:52 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp renamed this task from "Arbitrary url in Ex:Listing can be used for xss" to "XSS in Extension:Listing 'name' and 'url' parameters". Dec 9 2014, 5:14 PM
csteipp updated the task description. (Show Details)
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 9 2014, 5:14 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
csteipp added a subscriber: Mglaser. Dec 9 2014, 5:35 PM

Deployed

(with updated commit message).

@Mglaser, this can be released.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 9 2014, 5:35 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie closed this task as Resolved. Dec 17 2014, 10:19 PM
Anomie changed the visibility from "Custom Policy" to "Public (No Login Required)".
Anomie changed the edit policy from "Custom Policy" to "All Users".
Anomie changed Security from Software security bug to None.
bd808 moved this task from Done to Archive on the MediaWiki-Core-Team board. Dec 22 2014, 10:38 PM