[Pkg-mediawiki-devel] Bug#696179: Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection

Jonathan Wiltshire jmw at debian.org
Mon Dec 17 16:50:52 UTC 2012

Control: tag -1 + upstream security

On 2012-12-17 16:21, Thorsten Glaser wrote:
> Package: mediawiki-extensions-base
> Version: 2.9
> Severity: grave
> Justification: user security hole
> Thanks to Joey Hess, who put
> 	<title></yurt></title>
> into his feed, and our FusionForge “pink popup”
> which displays invalid XHTML immediately, a user
> security hole could be identified today during
> MediaWiki validation at tarent solutions GmbH
> in mediawiki-extensions-base (RSS_Reader) and
> gforge-base (Codendi RSS widget).
> In mediawiki-extensions-base, this is an actual
> user security hole: JavaScript placed, properly
> escaped, into an RSS feed item’s title is executed
> on the page. (In FusionForge, <script> tags are
> stripped, but the invalid </yurt> is still emitted.
> I will not file a security bug against FusionForge
> because I do not believe it a user security hole
> there, but still commit a fix into FF’s git repo.)

At a quick glance this appears to affect upstream [1, as far as I'm 
able to find out]. Can you confirm this and have you sought out a CVE 

The window of opportunity is small but the impact could be significant 
(drive-by downloads, session theft, XSS etc).

1: http://www.mediawiki.org/wiki/Extension:RSS_Reader

Jonathan Wiltshire                                      jmw at debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
             8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits

More information about the Pkg-mediawiki-devel mailing list