= T178451: XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping =
== Flaw ==
Potential XSS when `$wgShowExceptionDetails = false;` is set and an exception is encountered; whether it triggers depends on the client used, specifically on the browser sending a non-standard URL escaping.
== Exploit ==
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.20.x, 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
== Reference ==
https://phabricator.wikimedia.org/T178451
= T128209: Reflected File Download from api.php =
== Flaw ==
== Exploit ==
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
== Reference ==
https://phabricator.wikimedia.org/T128209
= T165846: BotPasswords doesn't throttle login attempts =
== Flaw ==
When logging in with a Bot Password, the number of login attempts is not limited.
== Exploit ==
A malicious user can repeatedly try to log in via the API with a Bot Password, ignoring any warnings and without any restriction, which makes guessing passwords a lot easier. With the throttle in place, the number of login attempts a user may make in a period of time is limited.
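As an added example of the throttle described above (this is not MediaWiki's own code): a per-account, per-client-address attempt throttle that a single `login()` entry point consults for web and Bot Password logins alike, so the API path cannot skip it. The window sizes, the in-memory store, the demo credentials and the `checkPassword()` callback are assumptions made for this illustration.

```php
<?php
// Added example, not MediaWiki's own code: a per-account, per-client-address
// attempt throttle applied to every login path, including Bot Password logins.
// The window sizes, the in-memory store, the demo secrets and checkPassword()
// are assumptions made for this illustration (PHP 8.0+).
declare(strict_types=1);

final class LoginThrottle
{
    /** @var array<string, int[]> throttle key => timestamps of recent failures */
    private array $failures = [];

    /**
     * @param array<int, array{count: int, seconds: int}> $limits windows, e.g. 5 failures in 300 s
     * @param int $now injectable clock so the demo does not depend on time()
     */
    public function __construct(private array $limits, private int $now) {}

    public function advanceClock(int $seconds): void
    {
        $this->now += $seconds;
    }

    /** Bot Password names look like "Alice@tool"; throttle them together with the account they unlock. */
    private static function key(string $user, string $ip): string
    {
        $account = explode('@', $user, 2)[0];
        return strtolower($account) . '|' . $ip;
    }

    /** True when any configured window already holds its full count of failures. */
    public function isThrottled(string $user, string $ip): bool
    {
        $stamps = $this->failures[self::key($user, $ip)] ?? [];
        foreach ($this->limits as ['count' => $count, 'seconds' => $seconds]) {
            $cutoff   = $this->now - $seconds;
            $inWindow = count(array_filter($stamps, fn (int $t) => $t > $cutoff));
            if ($inWindow >= $count) {
                return true;
            }
        }
        return false;
    }

    public function recordFailure(string $user, string $ip): void
    {
        $this->failures[self::key($user, $ip)][] = $this->now;
    }

    public function clear(string $user, string $ip): void
    {
        unset($this->failures[self::key($user, $ip)]);
    }
}

/**
 * One login entry point for web and API/Bot Password logins. The throttle is
 * consulted before the password is compared, so a blocked attempt reveals
 * nothing about whether the guess was right.
 */
function login(LoginThrottle $throttle, string $user, string $password, string $ip, callable $checkPassword): string
{
    if ($throttle->isThrottled($user, $ip)) {
        return 'throttled';
    }
    if (!$checkPassword($user, $password)) {
        $throttle->recordFailure($user, $ip);
        return 'failed';
    }
    $throttle->clear($user, $ip);
    return 'ok';
}

// Constructed demo data: one bot password and a client address from the documentation range.
$secrets       = ['alice@tool' => 'correct horse battery staple'];
$checkPassword = fn (string $u, string $p): bool => ($secrets[strtolower($u)] ?? null) === $p;
$throttle      = new LoginThrottle([['count' => 5, 'seconds' => 300]], 1_700_000_000);
$ip            = '203.0.113.7';

$outcomes = [];
foreach (['a', 'b', 'c', 'd', 'e', 'correct horse battery staple'] as $guess) {
    $outcomes[] = login($throttle, 'Alice@tool', $guess, $ip, $checkPassword);
}
echo implode(',', $outcomes), "\n";

$throttle->advanceClock(301);    // the 300 s window has elapsed
echo login($throttle, 'Alice@tool', 'correct horse battery staple', $ip, $checkPassword), "\n";
```

In the demo the five wrong guesses are reported as failures, the sixth call, which carries the correct password, is refused before the password is even compared, and only once the window has passed does the same call succeed. Keying the throttle on the account part of `Alice@tool` means Bot Password guesses and ordinary login guesses against the same account share one budget; a throttle that the API path never consults, which is what this task describes, gives the attacker an unlimited budget regardless of how the key is chosen.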
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
== Reference ==
https://phabricator.wikimedia.org/T165846
= T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password =
== Flaw ==
On a private wiki, the list of its users is also private. The error messages given upon login with an incorrect password make it possible to tell whether a user has an account on the wiki or not.
This information should not be exposed to an anonymous user.
== Exploit ==
A malicious user can easily find out whether the account they are trying to log in as exists on the wiki. Knowing that the account exists, they only need to work out the password.
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
== Reference ==
https://phabricator.wikimedia.org/T134100
= T176247: It's possible to mangle HTML via raw message parameter expansion =
== Flaw ==
When `$wgExperimentalHtmlIds` is set to true (it is false by default), certain characters in section IDs are not percent-encoded, including `$`, which is used for parameter substitution in localisation messages.
== Exploit ==
It is possible to combine this with raw localization message parameter expansion to create malformed HTML. While escalation to full-blown XSS hasn't been demonstrated so far, it remains a possibility.
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
== Reference ==
https://phabricator.wikimedia.org/T176247
= T125163 =
== Flaw ==
A wiki page with a section header containing `>` may, in certain (non-default) configurations, generate a span whose id attribute contains a raw `>`. This in itself is not an issue, but people sometimes parse the resulting HTML with regular expressions instead of a proper HTML parser, and in such cases it can lead to an XSS. As a hardening measure against such consumers, raw `>` is no longer allowed in quoted attributes.
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
== Reference ==
https://phabricator.wikimedia.org/T125163
= T124404 =
== Flaw ==
Stored XSS: the language converter splits the page into components to convert based on a regular expression. Certain input can cause the regex to backtrack excessively. If the backtracking exceeds `pcre.backtrack_limit`, the match fails and the page is split into translation components incorrectly, which makes it possible to inject HTML.
== Exploit ==
Set `$wgLanguageCode = 'sr';` in LocalSettings.php
Set `pcre.backtrack_limit = 10` in php.ini
Put the following in a page
```
-{H|big=>sr-el:script}- foo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
<big>alert(1)</big>
```
View page, with url parameter `variant=sr-el`
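The failure mode behind this bug, as an added illustration that is not MediaWiki's LanguageConverter code: a toy splitter of the same shape (markup kept out, glossary rules applied to the text in between), shown once without and once with a check on the PCRE result. Its pattern, rule table and `?: [$html]` fallback are assumptions made for the example; the input is modelled on the payload above.

```php
<?php
// Added illustration, not MediaWiki's LanguageConverter code: a deliberately small
// splitter that separates -{ ... }- rule blocks and HTML tags from convertible text,
// then applies glossary rules to the text only. It is shown once without and once
// with a check on the PCRE result. The splitter pattern, the rule table and the
// `?: [$html]` fallback are assumptions made for this example (PHP 8.0+ for
// preg_last_error_msg()).
declare(strict_types=1);

// Markup that must never be run through glossary conversion.
const MARKUP_RE = '/(-\{.*?\}-|<[^>]*>)/s';

function applyRules(string $text, array $rules): string
{
    return strtr($text, $rules);   // plain-text substitution, e.g. big => script
}

function joinParts(array $parts, array $rules): string
{
    $out = '';
    foreach ($parts as $i => $part) {
        // PREG_SPLIT_DELIM_CAPTURE: even indices are text, odd indices are the captured markup
        $out .= ($i % 2 === 0) ? applyRules($part, $rules) : $part;
    }
    return $out;
}

// Vulnerable shape. preg_split() returns false when PCRE gives up (backtrack limit,
// JIT stack limit, ...); `?: [$html]` quietly turns that into "the whole page is
// text", so the tags are converted too and big => script rewrites <big>.
function convertUnchecked(string $html, array $rules): string
{
    $parts = preg_split(MARKUP_RE, $html, -1, PREG_SPLIT_DELIM_CAPTURE) ?: [$html];
    return joinParts($parts, $rules);
}

// Hardened shape: any failure aborts the conversion; the caller can serve the page
// unconverted rather than guess at a split.
function convertChecked(string $html, array $rules): string
{
    $parts = preg_split(MARKUP_RE, $html, -1, PREG_SPLIT_DELIM_CAPTURE);
    if ($parts === false || preg_last_error() !== PREG_NO_ERROR) {
        throw new RuntimeException('PCRE failed while splitting: ' . preg_last_error_msg());
    }
    return joinParts($parts, $rules);
}

// Constructed input modelled on the payload above.
$rules = ['big' => 'script'];
$html  = "-{H|big=>sr-el:script}- foo " . str_repeat('X', 300) . "\n<big>alert(1)</big>";

ini_set('pcre.jit', '0');                 // interpretive matcher, so the limit counts backtracks
ini_set('pcre.backtrack_limit', '10');    // as in the reproduction above (default: 1000000)

echo convertUnchecked($html, $rules), "\n";
try {
    echo convertChecked($html, $rules), "\n";
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}

ini_set('pcre.backtrack_limit', '1000000');
echo convertChecked($html, $rules), "\n";
```

With the limit at 10, the lazy `.*?` in the first rule block alone exhausts it (the filler is kept only to mirror the payload), the unchecked path emits `<script>alert(1)</script>`, and the checked path refuses the page; with the default limit the page is split correctly and the `<big>` tag is left untouched. In the real bug the misclassification came from the converter's own regular expressions, but the check carries over unchanged: `preg_split()` and `preg_match()` return `false` and `preg_replace()` returns `null` on failure, and a non-zero `preg_last_error()` must be treated as an error, never as "nothing matched".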
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
== Reference ==
https://phabricator.wikimedia.org/T124404
= T119158 =
== Flaw ==
In certain code paths, language converter glossary rules get expanded inside HTML attributes. This can lead to XSS on wikis that have the language converter enabled.
== Exploit ==
Assuming an image named Example.png is uploaded to the wiki.
Set `$wgLanguageCode = 'sr';` in LocalSettings.php
Put on a page
```
-{H|abc=>sr-el:" onfocus="alert(1)" onload="alert(2)" data-foo="}-
{{special:Contributions|target=-{}-abc-{}-}}
[[File:Example.png|100px|alt=-{n}-abc-{}-]]
```
visit the page with the url parameter `variant=sr-el` set.
== Affects ==
MediaWiki versions
1.29.x prior to 1.29.2
1.28.x prior to 1.28.3
1.27.x prior to 1.27.4
and unsupported branches 1.21.x, 1.22.x, 1.23.x, 1.24.x, 1.25.x, 1.26.x
== Reference ==
https://phabricator.wikimedia.org/T119158