[Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Thorsten Glaser
tg at mirbsd.de
Mon Dec 17 16:21:15 UTC 2012
Package: mediawiki-extensions-base
Version: 2.9
Severity: grave
Justification: user security hole
Thanks to Joey Hess, who put
<title></yurt></title>
into his feed, and our FusionForge “pink popup”
which displays invalid XHTML immediately, a user
security hole could be identified today during
MediaWiki validation at tarent solutions GmbH
in mediawiki-extensions-base (RSS_Reader) and
gforge-base (Codendi RSS widget).
In mediawiki-extensions-base, this is an actual
user security hole: JavaScript placed, properly
escaped, into an RSS feed item’s title is executed
on the page. (In FusionForge, <script> tags are
stripped, but the invalid </yurt> is still emitted.
I will not file a security bug against FusionForge
because I do not believe it a user security hole
there, but still commit a fix into FF’s git repo.)
I will upload a fixed src:mediawiki-extensions ASAP.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/mksh-static
mediawiki-extensions-base depends on no packages.
Versions of packages mediawiki-extensions-base recommends:
ii mediawiki 1:1.19.3-1tarent1
mediawiki-extensions-base suggests no packages.
-- no debconf information
More information about the Pkg-mediawiki-devel
mailing list