[Pkg-mediawiki-devel] Bug#696179: Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection

Thorsten Glaser t.glaser at tarent.de
Mon Dec 17 17:00:10 UTC 2012

On Mon, 17 Dec 2012, Jonathan Wiltshire wrote:

> At a quick glance this appears to affect upstream
> Can you confirm this

Yes, it does.

> have you sought out a CVE 
> number?

No, I’ve got no idea how all this CVE stuff works.

Do you volunteer, or one of the Mediawiki guys lurking here?
Otherwise I’d just open an entry in the MW bugtracker now,
if extensions are tracked there, that is.

> The window of opportunity is small but the impact could be significant 
> (drive-by downloads, session theft, XSS etc).

Actually, it’s not small. I’ve got Planet Debian in a
test project, both as Codendi Widget on the Group Summary
page of FusionForge and on a Wiki page demonstrating this
extension. I got invalid XHTML on both. I then added a test
feed – http://www.mirbsd.org/tag_event.rss hand-edited to
add a check for this vulnerability, will *not* stay having
this content – to a new page and got a Javascript popup in
the Wiki, none (but still an xmlstarlet error on <yurt/>)
on the Forge.

Planet Debian is somewhat trusted but has hundreds of feeds
it aggregates. The situation elsewhere could be much worse,
therefore I believe the impact is not low. I’ve got no idea
what other feeds people have on their sites. And _then_ most
feeds are served using http not https… (in fact, I haven’t
even tried https myself… why?) MITM fun, especially when the
Wiki is then served using https, to a browser that may have
been configured to trust https more than http.

I guess stealing Mediawiki credentials is even easy with it.

I bet joeyh is amusing himself that the Yurt is good for
something even after its dismantling ☺

tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke
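The defect discussed in this thread is feed content (titles, descriptions, links) reaching the wiki page without being escaped, plus the separate point that feeds fetched over plain http can be altered in transit. The following Python is an added example, not code from the RSS_Reader extension or from anyone in this thread: it parses a constructed RSS document with the standard-library XML parser, refuses malformed input rather than passing it through, escapes every text field on output, and allows only http/https link targets. The feed document, the function names and the sample URLs are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample feed (not a real feed). The second item carries markup
# in its title, description and link; a correct reader must render it inert.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example feed</title>
    <item>
      <title>Benign entry</title>
      <link>https://example.invalid/post/1</link>
      <description>Plain text &amp; nothing more</description>
    </item>
    <item>
      <title>Entry with markup &lt;b&gt;bold&lt;/b&gt;</title>
      <link>javascript:void(0)</link>
      <description>&lt;script&gt;/* injected */&lt;/script&gt; hello</description>
    </item>
  </channel>
</rss>
"""

# Constructed malformed feed: an unclosed element, the kind of input a strict
# XML tool rejects (compare the xmlstarlet error mentioned in the thread).
MALFORMED_FEED = "<rss><channel><item><title>x</title><yurt></item></channel></rss>"


def is_well_formed(feed_xml: str) -> bool:
    """True if the feed parses as XML; a reader should reject anything else."""
    try:
        ET.fromstring(feed_xml)
        return True
    except ET.ParseError:
        return False


def parse_items(feed_xml: str) -> list:
    """Return a list of {title, link, description} dicts, text only.

    The XML parser decodes entities, so '&lt;script&gt;' in the source
    becomes the literal text '<script>' here; escaping happens at output.
    """
    root = ET.fromstring(feed_xml)
    items = []
    for node in root.iterfind("./channel/item"):
        items.append({
            "title": (node.findtext("title") or "").strip(),
            "link": (node.findtext("link") or "").strip(),
            "description": (node.findtext("description") or "").strip(),
        })
    return items


def safe_link(url: str) -> str:
    """Allow only http/https link targets; anything else becomes a dead link."""
    scheme = urlparse(url.strip()).scheme.lower()
    return url if scheme in ("http", "https") else "#"


def feed_url_is_transport_secure(feed_url: str) -> bool:
    """True only for https feed sources; http feeds can be altered in transit."""
    return urlparse(feed_url).scheme.lower() == "https"


def render_feed_html(feed_xml: str) -> str:
    """Render items as an HTML list, escaping every feed-supplied string."""
    parts = ["<ul>"]
    for item in parse_items(feed_xml):
        parts.append(
            '<li><a href="{}">{}</a>: {}</li>'.format(
                html.escape(safe_link(item["link"]), quote=True),
                html.escape(item["title"], quote=True),
                html.escape(item["description"], quote=True),
            )
        )
    parts.append("</ul>")
    return "\n".join(parts)


if __name__ == "__main__":
    print("well-formed:", is_well_formed(SAMPLE_FEED), is_well_formed(MALFORMED_FEED))
    print(render_feed_html(SAMPLE_FEED))
```

Two caveats for a real reader: the stdlib parser is used here for portability, but untrusted XML is better handled with a hardened parser such as defusedxml, and escaping on output is only sufficient when the feed text is treated as text; if a reader wants to allow some inline HTML from feeds it needs an allowlist-based HTML sanitizer, not escaping.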
