[Pkg-mediawiki-devel] Bug#696179: Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Thorsten Glaser
t.glaser at tarent.de
Mon Dec 17 17:37:21 UTC 2012
On Mon, 17 Dec 2012, Platonides wrote:
> http://www.mediawiki.org/wiki/Extension:RSS_Reader seems to live
> exclusively at the wiki page, instead of being at a repository.
[…]
> Just edit the page when fixing the bug.
Oh, okay. I just did so.
On Mon, 17 Dec 2012, Jonathan Wiltshire wrote:
> (for those following at home: Debian can only issue CVEs for non-public
> issues AIUI, which is why it's a shame you didn't bring them into the
> loop before opening a bug.)
Oh, I didn’t know that. I’ve got about zero experience dealing
with security issues. This might show. I’ll listen and learn ☺
(Why? I mean, I’d make all issues public immediately, no?)
> Ok, what I really meant was that you'd have to know someone is using
> Mediawiki to read your feed, which is probably feasible but I can't
> imagine there are thousands of people doing so. We don't really know
> either way, we should probably play it cautious.
Hrm.
tg at eurynome:~ $ fgrep tag_event.rss /var/www/logs/access_log
[…]
fb-n15-11.unbelievable-machine.net - - [17/Dec/2012:16:08:25 +0000] -:-:IPv4"www.mirbsd.org" "GET /tag_event.rss HTTP/1.0" 200 66185 "-" "-"
fb-n15-11.unbelievable-machine.net - - [17/Dec/2012:17:07:49 +0000] -:-:IPv4"www.mirbsd.org" "GET /tag_event.rss HTTP/1.1" 200 66185 "http://www.mirbsd.org/tag_event.rss" "SimplePie/1.1.3 (Feed Parser; http://simplepie.org; Allow like Gecko) Build/20081219"
SimplePie is used by FusionForge (that’s the thing which
actually does strip <script> but not <yurt> or </yurt>;
maybe I should clone the bug, with lower severity, against
it to ask they should validate that titles don’t contain
HTML?), and the other is probably Mediawiki (there’s only
a third UA in my access_log, and that’s Google’s feed
fetcher, so it has to be this one, and the IPv4 matches).
So when you get requests without a referer or UA, which
are *not* periodic, from some site, you can assume with
a not-low chance that it’s Mediawiki. (Feeds are read
upon first access and then cached for a while.)
bye,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke
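Added illustration, not code from this thread or from MediaWiki, FusionForge or SimplePie: it contrasts the blocklist-style stripping described in the mail (remove `<script>`, leave everything else) with treating a feed title as plain text, using constructed sample titles and Python rather than the PHP those projects are written in.

```python
import html
import re

# Blocklist-style filter as described in the mail: removes <script> tags and
# nothing else, so any other tag (e.g. <yurt> ... </yurt>) passes through.
SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)
# Anything that looks like a tag: "<", optional "/", then a letter, up to ">".
ANY_TAG = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")


def blocklist_filter(title: str) -> str:
    """Strip only <script> tags: the insufficient approach."""
    return SCRIPT_TAG.sub("", title)


def contains_markup(title: str) -> bool:
    """Validation check: a feed title should carry no tags at all."""
    return ANY_TAG.search(title) is not None


def safe_render(title: str) -> str:
    """Treat the title as text, never as HTML: escape every special character."""
    return html.escape(title, quote=True)


def audit(titles):
    """For each title, report what the blocklist leaves behind versus escaping.

    Returns a list of (title, blocklist_output, still_has_markup, escaped).
    """
    rows = []
    for t in titles:
        filtered = blocklist_filter(t)
        rows.append((t, filtered, contains_markup(filtered), safe_render(t)))
    return rows


# Constructed sample feed titles, not taken from any real feed.
SAMPLE_TITLES = [
    "Plain headline, no markup",
    "<script>x</script>Headline",
    "<yurt>Headline</yurt>",
    "<b>Bold</b> headline",
]

if __name__ == "__main__":
    for title, filtered, leaks, escaped in audit(SAMPLE_TITLES):
        status = "LEAKS MARKUP" if leaks else "ok"
        print(f"{status:13} blocklist={filtered!r} escaped={escaped!r}")
```

Running it shows the blocklist removing the `<script>` case but passing `<yurt>` and `<b>` through untouched, while the escaped form is inert for all four titles.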