Change Details

FINDING ID: iSEC-WMF1214-10 TARGETS: Users custom scripts, such as http://devwiki/w/index.php?title=User:Foo/common.js&action= submit . DESCRIPTION: When editing any user's custom JavaScript, the script is executed whenever the ``Show Preview'' or ``Show Changes'' buttons are clicked. This could allow an attacker to trick another user into executing JavaScript which hijacks their session. Because privileged users can edit the JavaScript of lower privileged users, this could lead to privilege escalation. EXPLOIT SCENARIO: A low-privileged user adds some complex custom JavaScript to their account, with malicious code embedded within that directs people to a fake login screen or performs actions on the victim's behalf. The user complains to an Administrator that they are having difficulty with their custom ``skin'', and asks the Administrator to change a small portion of the script for them. Upon pre- viewing the edit or viewing changes, the malicious code executes in the context of the Administrator's session. SHORT TERM SOLUTION: Do not include another user's custom script when previewing or showing changes. These pages should only allow users to edit and view code. LONG TERM SOLUTION: The custom JavaScript system has several deficiencies. Consider deprecating this functionality and allowing users to customize the site using client-side code instead

FINDING ID: iSEC-WMF1214-10 TARGETS: Users custom scripts, such as http://devwiki/w/index.php?title=User:Foo/common.js&action= submit . DESCRIPTION: When editing any user's custom JavaScript, the script is executed whenever the ``Show Preview'' or ``Show Changes'' buttons are clicked. This could allow an attacker to trick another user into executing JavaScript which hijacks their session. Because privileged users can edit the JavaScript of lower privileged users, this could lead to privilege escalation. EXPLOIT SCENARIO: A low-privileged user adds some complex custom JavaScript to their account, with malicious code embedded within that directs people to a fake login screen or performs actions on the victim's behalf. The user complains to an Administrator that they are having difficulty with their custom ``skin'', and asks the Administrator to change a small portion of the script for them. Upon pre- viewing the edit or viewing changes, the malicious code executes in the context of the Administrator's session. SHORT TERM SOLUTION: Do not include another user's custom script when previewing or showing changes. These pages should only allow users to edit and view code. LONG TERM SOLUTION: The custom JavaScript system has several deficiencies. Consider deprecating this functionality and allowing users to customize the site using client-side code instead -------------------------- **Patches**: {F39117} - 1.24: {F39117} - 1.23: {F106179} - 1.19: {F106178} **Affected Versions**: **Type**: **CVE**: maybe?

FINDING ID: iSEC-WMF1214-10 TARGETS: Users custom scripts, such as http://devwiki/w/index.php?title=User:Foo/common.js&action= submit . DESCRIPTION: When editing any user's custom JavaScript, the script is executed whenever the ``Show Preview'' or ``Show Changes'' buttons are clicked. This could allow an attacker to trick another user into executing JavaScript which hijacks their session. Because privileged users can edit the JavaScript of lower privileged users, this could lead to privilege escalation. EXPLOIT SCENARIO: A low-privileged user adds some complex custom JavaScript to their account, with malicious code embedded within that directs people to a fake login screen or performs actions on the victim's behalf. The user complains to an Administrator that they are having difficulty with their custom ``skin'', and asks the Administrator to change a small portion of the script for them. Upon pre- viewing the edit or viewing changes, the malicious code executes in the context of the Administrator's session. SHORT TERM SOLUTION: Do not include another user's custom script when previewing or showing changes. These pages should only allow users to edit and view code. LONG TERM SOLUTION: The custom JavaScript system has several deficiencies. Consider deprecating this functionality and allowing users to customize the site using client-side code instead -------------------------- **Patches**: {F39117} - 1.24: {F39117} - 1.23: {F106179} - 1.19: {F106178} **Affected Versions**: **Type**: **CVE**: maybe?