FO-nTTaX
User

Projects

User does not belong to any projects.

User Details

User Since
Aug 19 2016, 4:36 PM (265 w, 5 d)
Availability
Available
LDAP User
Unknown
MediaWiki User
FO-nTTaX [ Global Accounts ]

Recent Activity

Thu, Sep 16

Restricted Application added a project to T158929: Librarize MediaWiki database layer and drop official support for non-MySQL engines: Performance-Team.
Thu, Sep 16, 2:03 PM · Performance-Team, Librarization, Proposal, Wikimedia-Rdbms

Jul 19 2021

FO-nTTaX updated the task description for T286928: Undefined index 0 exception in ExtArrays.php.
Jul 19 2021, 4:36 PM · MediaWiki-extensions-Arrays
FO-nTTaX updated the task description for T286928: Undefined index 0 exception in ExtArrays.php.
Jul 19 2021, 4:29 PM · MediaWiki-extensions-Arrays
FO-nTTaX updated the task description for T286928: Undefined index 0 exception in ExtArrays.php.
Jul 19 2021, 4:29 PM · MediaWiki-extensions-Arrays
FO-nTTaX updated the task description for T286928: Undefined index 0 exception in ExtArrays.php.
Jul 19 2021, 4:28 PM · MediaWiki-extensions-Arrays
FO-nTTaX created T286928: Undefined index 0 exception in ExtArrays.php.
Jul 19 2021, 4:28 PM · MediaWiki-extensions-Arrays

Jan 26 2021

FO-nTTaX updated the task description for T259433: XSS issue in Extension:PageForms (CVE-2021-31551).
Jan 26 2021, 2:27 PM · Vuln-XSS, MediaWiki-extensions-Page_Forms, Security
FO-nTTaX added a comment to T259433: XSS issue in Extension:PageForms (CVE-2021-31551).

I've pulled this onto our wiki and as far as I can see it, it should be fine now. Again thank you for working on this :)

Jan 26 2021, 2:19 PM · Vuln-XSS, MediaWiki-extensions-Page_Forms, Security

Jan 22 2021

FO-nTTaX added a comment to T259433: XSS issue in Extension:PageForms (CVE-2021-31551).

No worries, sometimes things take time, and that's ok. Thank you for your work on this :)

Jan 22 2021, 10:59 AM · Vuln-XSS, MediaWiki-extensions-Page_Forms, Security

Sep 21 2020

FO-nTTaX added a comment to T259433: XSS issue in Extension:PageForms (CVE-2021-31551).

I added a call to error_log() like so

Sep 21 2020, 11:15 AM · Vuln-XSS, MediaWiki-extensions-Page_Forms, Security

Sep 18 2020

FO-nTTaX added a comment to T259433: XSS issue in Extension:PageForms (CVE-2021-31551).

At least in Firefox I am still seeing it. I've been wondering if I had a cached version of some script, but I've tried this on multiple PCs now

Sep 18 2020, 4:42 PM · Vuln-XSS, MediaWiki-extensions-Page_Forms, Security
FO-nTTaX raised a concern with rEPFM135d26f0b8b2: Make the Datetimepicker and Datepicker use OOUI.

This change has broken compatibility with MediaWiki 1.31

[82208d4b3c9721c73b0185b9] /smash/Special:RunQuery/Match_history OOUI\Exception from line 31 of /path/to/wiki/vendor/oojs/oojs-ui/php/Theme.php: OOUI\Theme::singleton was called with no singleton theme set.
Sep 18 2020, 2:42 PM
FO-nTTaX added a comment to T259433: XSS issue in Extension:PageForms (CVE-2021-31551).

I pulled this version, but I can still recreate this with this url https://liquipedia.net/commons/Special:RunQuery/Find_images?pfRunQueryFormName=Find+images&Find+images[person]=%3Cimg%20src=%22x%22%20onerror=%22alert(1)%22%3E&Find+images[event]=&Find+images[date][day]=&Find+images[date][month]=&Find+images[date][year]=&Find+images[description]=&pf_free_text=&wpRunQuery=Run+query# (I use the git version now at 4ac1f9d4371974c823225da7273ddf2ce9b89dfd)

Sep 18 2020, 2:21 PM · Vuln-XSS, MediaWiki-extensions-Page_Forms, Security

Aug 25 2020

FO-nTTaX added a comment to T259433: XSS issue in Extension:PageForms (CVE-2021-31551).

The liquipedia.net issue appears related to a fork of ext.pf.select2.tokens.js on their end, as it does not ever appear to be a part of PageForms' git history

Aug 25 2020, 12:43 AM · Vuln-XSS, MediaWiki-extensions-Page_Forms, Security

Aug 21 2020

FO-nTTaX added a comment to T259433: XSS issue in Extension:PageForms (CVE-2021-31551).

As far as I can see, there is still an issue here, as I can still create URL parameters that are XSS exploitable

Aug 21 2020, 9:00 PM · Vuln-XSS, MediaWiki-extensions-Page_Forms, Security

Aug 20 2020

FO-nTTaX added a comment to T259433: XSS issue in Extension:PageForms (CVE-2021-31551).

Hmm yeah I wanted to patch in a full replace there, but forgot that JavaScript does not replace all occurrences without using a regex.

Aug 20 2020, 8:13 PM · Vuln-XSS, MediaWiki-extensions-Page_Forms, Security

Aug 12 2020

FO-nTTaX added a comment to T259433: XSS issue in Extension:PageForms (CVE-2021-31551).

This wiki uses MW 1.31.8 and PF 4.9.5, but I can still get an alert from a URL parameter. Maybe I am missing something?

Aug 12 2020, 9:38 AM · Vuln-XSS, MediaWiki-extensions-Page_Forms, Security

Aug 10 2020

FO-nTTaX added a comment to T259433: XSS issue in Extension:PageForms (CVE-2021-31551).

I'm back, because I realized that your fix works in 1.34, but does not seem to work in 1.31.8.

Aug 10 2020, 7:44 AM · Vuln-XSS, MediaWiki-extensions-Page_Forms, Security

Aug 3 2020

FO-nTTaX added a comment to T259433: XSS issue in Extension:PageForms (CVE-2021-31551).

When going to https://sandbox.semantic-mediawiki.org/wiki/Sp%C3%A9cial:RunQuery/Tokens and putting <img/src=="x onerror=alert(1)//"> into the box, the code also gets executed.

Aug 3 2020, 11:31 PM · Vuln-XSS, MediaWiki-extensions-Page_Forms, Security
FO-nTTaX added a comment to T259433: XSS issue in Extension:PageForms (CVE-2021-31551).

Thank you for working on this. The patch you merged seems to fix the issue with passing it in as a url parameter, it seems to leave open the option of self XSS-ing by putting the string into the search box though. I don't know if this is something that is important to fix, but it might be nice.

Aug 3 2020, 9:27 PM · Vuln-XSS, MediaWiki-extensions-Page_Forms, Security

Aug 2 2020

FO-nTTaX created T259433: XSS issue in Extension:PageForms (CVE-2021-31551).
Aug 2 2020, 3:11 PM · Vuln-XSS, MediaWiki-extensions-Page_Forms, Security

Mar 12 2019

FO-nTTaX added a comment to T218090: Extension:FlaggedRevs can't control which revision is used on API action=parse calls..

The reason why I added Core is that there is no way to hook into this behaviour for all I could see in the relevant file, but I trust you to know what kind of tags are relevant.

Mar 12 2019, 2:23 PM · MediaWiki-extensions-FlaggedRevs
FO-nTTaX created T218090: Extension:FlaggedRevs can't control which revision is used on API action=parse calls..
Mar 12 2019, 12:32 PM · MediaWiki-extensions-FlaggedRevs

Jul 1 2018

FO-nTTaX renamed T197694: OutputPage::parseInline seems broken as <div class="mw-parser-output"> is wrapped around the result from tnaaaaaaaa to OutputPage::parseInline seems broken as <div class="mw-parser-output"> is wrapped around the result.
Jul 1 2018, 2:25 PM · MediaWiki-Parser

Jun 19 2018

FO-nTTaX updated the task description for T197694: OutputPage::parseInline seems broken as <div class="mw-parser-output"> is wrapped around the result.
Jun 19 2018, 3:08 PM · MediaWiki-Parser
FO-nTTaX created T197694: OutputPage::parseInline seems broken as <div class="mw-parser-output"> is wrapped around the result.
Jun 19 2018, 2:57 PM · MediaWiki-Parser

Sep 20 2017

FO-nTTaX added a comment to T175760: Possible race condition in gallery javascript code.

Ah thanks so much, I've spent too long looking at this so I guess I missed that T_T

Sep 20 2017, 10:43 AM · MediaWiki-ResourceLoader, Multimedia-Team-Working-Board, MediaWiki-Gallery, Multimedia

Sep 19 2017

FO-nTTaX added a comment to T175760: Possible race condition in gallery javascript code.

Yeah, the fact that it doesn't happen every time is why I titled it as possible race condition. I don't use an adblocker/scriptblocker myself, so I can only speak about a non-adblocker state.

Sep 19 2017, 7:09 PM · MediaWiki-ResourceLoader, Multimedia-Team-Working-Board, MediaWiki-Gallery, Multimedia

Sep 13 2017

FO-nTTaX added a comment to T175760: Possible race condition in gallery javascript code.

Well, that line that I linked is the one the chrome developer tools highlight for me as to where $.debounce is not a function.

Sep 13 2017, 11:18 PM · MediaWiki-ResourceLoader, Multimedia-Team-Working-Board, MediaWiki-Gallery, Multimedia

Sep 12 2017

FO-nTTaX updated the task description for T175760: Possible race condition in gallery javascript code.
Sep 12 2017, 10:49 PM · MediaWiki-ResourceLoader, Multimedia-Team-Working-Board, MediaWiki-Gallery, Multimedia
FO-nTTaX created T175760: Possible race condition in gallery javascript code.
Sep 12 2017, 10:49 PM · MediaWiki-ResourceLoader, Multimedia-Team-Working-Board, MediaWiki-Gallery, Multimedia