[Pkg-mediawiki-devel] Bug#696179: Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Jonathan Wiltshire
jmw at debian.org
Mon Dec 17 16:50:52 UTC 2012
Control: tag -1 + upstream security

On 2012-12-17 16:21, Thorsten Glaser wrote:
> Package: mediawiki-extensions-base
> Version: 2.9
> Severity: grave
> Justification: user security hole
>
> Thanks to Joey Hess, who put
> <title></yurt></title>
> into his feed, and our FusionForge “pink popup”
> which displays invalid XHTML immediately, a user
> security hole could be identified today during
> MediaWiki validation at tarent solutions GmbH
> in mediawiki-extensions-base (RSS_Reader) and
> gforge-base (Codendi RSS widget).
>
> In mediawiki-extensions-base, this is an actual
> user security hole: JavaScript placed, properly
> escaped, into an RSS feed item’s title is executed
> on the page. (In FusionForge, <script> tags are
> stripped, but the invalid </yurt> is still emitted.
> I will not file a security bug against FusionForge
> because I do not believe it a user security hole
> there, but still commit a fix into FF’s git repo.)

At a quick glance this appears to affect upstream [1, as far as I'm
able to find out]. Can you confirm this and have you sought out a CVE
number?

The window of opportunity is small but the impact could be significant
(drive-by downloads, session theft, XSS etc).

1: http://www.mediawiki.org/wiki/Extension:RSS_Reader

--
Jonathan Wiltshire jmw at debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
<directhex> i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits
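
Added example, not part of the original message and not the RSS_Reader extension's code: a Python sketch of the failure the report describes, where a title that is properly escaped in the feed is decoded by the XML parser and must be encoded again before it is written into the page. The feed is constructed and all function names are hypothetical.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample feed: both titles are correctly escaped as XML text.
FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed feed</title>
<item><title>&lt;/yurt&gt;</title><link>http://example.org/1</link></item>
<item><title>&lt;script&gt;alert(1)&lt;/script&gt;</title><link>http://example.org/2</link></item>
</channel></rss>"""


def item_titles(feed_xml):
    """Return item titles as the XML parser hands them over (entities decoded)."""
    root = ET.fromstring(feed_xml)
    return [item.findtext("title", default="") for item in root.iter("item")]


def render_unsafe(titles):
    """Behaviour described in the report: decoded text is pasted into the page."""
    return "<ul>" + "".join("<li>" + t + "</li>" for t in titles) + "</ul>"


def render_safe(titles):
    """Re-encode every title for the HTML context at output time."""
    items = "".join("<li>" + html.escape(t, quote=True) + "</li>" for t in titles)
    return "<ul>" + items + "</ul>"


def is_well_formed(fragment):
    """True if the fragment parses as XML, which valid XHTML output must do."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    titles = item_titles(FEED)
    for name, page in (("unsafe", render_unsafe(titles)), ("safe", render_safe(titles))):
        print(name, "well-formed:", is_well_formed(page))
        print(page)
```

The well-formedness check mirrors how the problem was noticed: the stray `</yurt>` breaks the markup, and the same missing output encoding is what lets a `<script>` element through.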