Page MenuHomePhabricator

aidilarf28 (Aidil Arief)
User

Projects

User does not belong to any projects.

Today

  • Clear sailing ahead.

Tomorrow

  • Clear sailing ahead.

Friday

  • Clear sailing ahead.

User Details

User Since
Oct 16 2021, 10:55 AM (130 w, 3 d)
Availability
Available
LDAP User
Unknown
MediaWiki User
Aidil281200 [ Global Accounts ]

Recent Activity

Jan 5 2023

aidilarf28 renamed T325935: There is no check of PDF file escaping and possibility of creating XSS Pop Up from View PDF Browser from XSS STORED at https://upload.wikimedia.org/ which escapes the Javascript Protocol in a PDF to There is no check of PDF file escaping and possibility of creating XSS Pop Up from View PDF Browser.
Jan 5 2023, 4:01 PM · Upstream, SecTeam-Processed, Security
aidilarf28 added a comment to T325935: There is no check of PDF file escaping and possibility of creating XSS Pop Up from View PDF Browser.

I tried this on my test domain, and sure enough the impact of this behavior is very small for now.

Jan 5 2023, 3:55 PM · Upstream, SecTeam-Processed, Security

Dec 28 2022

aidilarf28 added a comment to T325935: There is no check of PDF file escaping and possibility of creating XSS Pop Up from View PDF Browser.

You can see in the File below, where the XSS is triggered in the PDF View https://upload.wikimedia.org/ :
https://commons.wikimedia.org/wiki/File:Xss2141241.pdf

Dec 28 2022, 4:07 AM · Upstream, SecTeam-Processed, Security

Dec 26 2022

aidilarf28 added a comment to T325935: There is no check of PDF file escaping and possibility of creating XSS Pop Up from View PDF Browser.

I tried this on Dropbox and Google Drive. They seem to be aware of this problem, so when I pass a PDF file that is injected with the javascript protocol payload, then the responds get the javascript cleaned up in Google Drive and in Dropbox the protocol javascript is escaped with the HTTPS prefix. And that's what makes this behavior less vulnerable due to inspection of PDF files.

Dec 26 2022, 5:09 PM · Upstream, SecTeam-Processed, Security
aidilarf28 added a comment to T325935: There is no check of PDF file escaping and possibility of creating XSS Pop Up from View PDF Browser.

I tried on the beta site and this is the result:

  1. https://commons.wikimedia.beta.wmflabs.org/

In BETA, it looks like there is validation on the PDF file, so it doesn't pass.

Dec 26 2022, 3:16 PM · Upstream, SecTeam-Processed, Security
aidilarf28 added a comment to T325935: There is no check of PDF file escaping and possibility of creating XSS Pop Up from View PDF Browser.

I don't think this has any effect on my browser executing arbitrary scripts.
I noticed no protection against javascript protocol escaping in checking the contents of file metadata. So that it will pass the javascript protocol in the PDF File.
I believe almost all users use PDF View in their Chrome and Edge Browsers. So that it can trigger XSS on multiple users side.

Dec 26 2022, 2:12 PM · Upstream, SecTeam-Processed, Security
aidilarf28 added a comment to T325935: There is no check of PDF file escaping and possibility of creating XSS Pop Up from View PDF Browser.

Can you give me the location of the Commons Upload on Wikipedia BETA?

Dec 26 2022, 12:48 PM · Upstream, SecTeam-Processed, Security
aidilarf28 updated the task description for T325935: There is no check of PDF file escaping and possibility of creating XSS Pop Up from View PDF Browser.
Dec 26 2022, 9:15 AM · Upstream, SecTeam-Processed, Security
aidilarf28 renamed T325935: There is no check of PDF file escaping and possibility of creating XSS Pop Up from View PDF Browser from XSS at https://upload.wikimedia.org/ which escapes the Javascript Protocol in a PDF to XSS STORED at https://upload.wikimedia.org/ which escapes the Javascript Protocol in a PDF.
Dec 26 2022, 9:13 AM · Upstream, SecTeam-Processed, Security
aidilarf28 created T325935: There is no check of PDF file escaping and possibility of creating XSS Pop Up from View PDF Browser.
Dec 26 2022, 9:13 AM · Upstream, SecTeam-Processed, Security

Dec 13 2021

aidilarf28 added a comment to T293589: CVE-2021-44855: Blind Stored XSS via Upload Image via URL.

Can the URL of this report be disclosed, sir?

Dec 13 2021, 3:27 AM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), Patch-For-Review, SecTeam-Processed, VisualEditor, Vuln-XSS, Security, Security-Team

Oct 19 2021

aidilarf28 added a comment to T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146).

Oh I see, I understand now.

Oct 19 2021, 3:07 PM · Structured-Data-Backlog (Current Work), SecTeam-Processed, Patch-For-Review, WikibaseMediaInfo, Vuln-XSS, Commons, Security, Security-Team
aidilarf28 added a comment to T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146).

I don't understand the reason why it went low sir :(

Oct 19 2021, 2:59 PM · Structured-Data-Backlog (Current Work), SecTeam-Processed, Patch-For-Review, WikibaseMediaInfo, Vuln-XSS, Commons, Security, Security-Team
aidilarf28 added a comment to T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146).

Why is XSS STORED risk rating Low?

Oct 19 2021, 12:44 PM · Structured-Data-Backlog (Current Work), SecTeam-Processed, Patch-For-Review, WikibaseMediaInfo, Vuln-XSS, Commons, Security, Security-Team
aidilarf28 added a comment to T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146).

Thanks for fixing this issue so fast, it's great :)

Oct 19 2021, 12:38 PM · Structured-Data-Backlog (Current Work), SecTeam-Processed, Patch-For-Review, WikibaseMediaInfo, Vuln-XSS, Commons, Security, Security-Team
aidilarf28 added a comment to T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146).

After I double checked, it seems this behavior has been fixed.

Oct 19 2021, 2:11 AM · Structured-Data-Backlog (Current Work), SecTeam-Processed, Patch-For-Review, WikibaseMediaInfo, Vuln-XSS, Commons, Security, Security-Team
aidilarf28 added a comment to T293589: CVE-2021-44855: Blind Stored XSS via Upload Image via URL.

After I double checked, it seems this behavior has been fixed.

Oct 19 2021, 2:11 AM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), Patch-For-Review, SecTeam-Processed, VisualEditor, Vuln-XSS, Security, Security-Team

Oct 18 2021

aidilarf28 added a comment to T293589: CVE-2021-44855: Blind Stored XSS via Upload Image via URL.

Thanks for responds :)

Oct 18 2021, 7:57 AM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), Patch-For-Review, SecTeam-Processed, VisualEditor, Vuln-XSS, Security, Security-Team
aidilarf28 created T293589: CVE-2021-44855: Blind Stored XSS via Upload Image via URL.
Oct 18 2021, 2:29 AM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), Patch-For-Review, SecTeam-Processed, VisualEditor, Vuln-XSS, Security, Security-Team

Oct 16 2021

aidilarf28 added a comment to T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146).

I think this is just an additional step towards the behavioral findings in this report.

Oct 16 2021, 5:05 PM · Structured-Data-Backlog (Current Work), SecTeam-Processed, Patch-For-Review, WikibaseMediaInfo, Vuln-XSS, Commons, Security, Security-Team
aidilarf28 added a comment to T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146).

Thanks for adding me here :)

Oct 16 2021, 4:25 PM · Structured-Data-Backlog (Current Work), SecTeam-Processed, Patch-For-Review, WikibaseMediaInfo, Vuln-XSS, Commons, Security, Security-Team