[Pkg-mediawiki-devel] Bug#696179: Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Thorsten Glaser
t.glaser at tarent.de
Mon Dec 17 20:22:49 UTC 2012
I said (dixi quod)…
> extension. I got invalid XHTML on both. I then added a test
> feed – http://www.mirbsd.org/tag_event.rss hand-edited to
> add a check for this vulnerability, will *not* stay having
I put it up here now: http://www.mirbsd.org/b696179.rss
I expect this to stay there for a while.
The correct titles (as shown by the browser) for the first
*two* items are:
• Vulnerability <yurt>test</yurt>: <script type="text/javascript">alert("title is vulnerable");</script>
• ’M &back.
Any fix that changes the second one to “’M &back.” is broken.
Anything that shows less than the above text may or may not be
broken. Anything that lets <yurt>test</yurt> through into the HTML
is broken, script or not. (This is what the Codendi widget does.)
The method to render a feed’s <title>foo</title> is basically:
① take “foo”
② convert any entities (only < > & and numeric are
allowed by the spec) back to text
③ sanitise that
④ output the result
Sanitising here means that the one-time-entity-decoded foo is
supposed to be plaintext, not HTML. I use the following sequence
for sanitising such strings in FusionForge/PHP:
ⓐ run through html_entity_decode which will decode it if it was
valid entities, and is a nop otherwise
ⓑ run through htmlspecialchars, which will encode everything that
must be encoded again; if the previous step decoded, the result
of the two operations in a row will be a nop (save for things
like “"” which do not need encoding); otherwise, it will have
been secured
In FusionForge, this is util_html_secure().
Of course, this will not work on the message body. I’ll look at
the MW sanitiser later. (I remembered I’m off work tomorrow and
may not have time to do so before Wednesday thus. I’m supposed
to do *all* household chores tomorrow… that have queued up…)
bye,
//mirabilos
--
15:41⎜<Lo-lan-do:#fusionforge> Somebody write a testsuite for helloworld :-)
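The four-step rendering method and the two-call sanitising sequence above, as an added example that is not part of the original mail nor of FusionForge or MediaWiki. It is written in Python because that is what can be run here; html.unescape stands in for PHP's html_entity_decode and html.escape for htmlspecialchars. Note that html.unescape uses the HTML5 entity table and accepts some entity names without a trailing semicolon, so this illustrates the procedure rather than ports util_html_secure() exactly. The feed text is constructed to mirror the two test items described in the mail (it is not a copy of b696179.rss), plus a third item that arrives already entity-encoded to show why step ⓐ is there. As the mail says, this only applies to fields that are supposed to be plaintext; an HTML message body needs a real HTML sanitiser.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed (assumption: modelled on the items the mail describes,
# not a copy of http://www.mirbsd.org/b696179.rss). Inside the XML the titles
# are entity-escaped, as the RSS/XML spec requires.
SAMPLE_FEED = """<rss version="2.0"><channel><title>b696179 test</title>
<item><title>Vulnerability &lt;yurt&gt;test&lt;/yurt&gt;: &lt;script type="text/javascript"&gt;alert("title is vulnerable");&lt;/script&gt;</title></item>
<item><title>\u2019M &amp;back.</title></item>
<item><title>Already encoded &amp;lt;b&amp;gt;bold&amp;lt;/b&amp;gt; &amp;amp; co</title></item>
</channel></rss>"""


def feed_titles(rss_text: str) -> list:
    """Steps ① and ②: the XML parser hands back the title text with &lt; &gt;
    &amp; and numeric references already turned back into characters."""
    root = ET.fromstring(rss_text)
    return [item.findtext("title", default="") for item in root.iter("item")]


def html_secure(text: str) -> str:
    """Step ③, the two-call sequence from the mail (ⓐ html_entity_decode,
    ⓑ htmlspecialchars), approximated with Python's html module.

    Decoding first is a no-op on plain text, but folds a title that already
    carries entities back to text, so the re-encode never yields &amp;lt; …
    On plain text the pair is a no-op except for re-encoding & < > and quotes."""
    return html.escape(html.unescape(text), quote=True)


def render_title(title: str) -> str:
    """Step ④: the title is plaintext, so it is emitted encoded."""
    return "<li>" + html_secure(title) + "</li>"


def render_title_passthrough(title: str) -> str:
    """Broken variant for comparison: the decoded title goes into the HTML
    unchanged, so <yurt> and <script> become real elements."""
    return "<li>" + title + "</li>"


def render_title_escape_only(title: str) -> str:
    """Broken variant that skips step ⓐ: fine for plain titles, but a title
    that arrived already encoded is double-encoded and shows &lt;b&gt; literally."""
    return "<li>" + html.escape(title, quote=True) + "</li>"


class _TagCollector(HTMLParser):
    """Records the element names a browser would create from a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def elements_in(fragment: str) -> list:
    """Check: which elements survive into the markup? A safe render of a
    title inside <li> must yield ['li'] and nothing else, script or not."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    for title in feed_titles(SAMPLE_FEED):
        print("secure      :", elements_in(render_title(title)), render_title(title))
        print("pass-through:", elements_in(render_title_passthrough(title)))
        print("escape-only :", render_title_escape_only(title))
```

Running the block prints, for each item, the elements that end up in the markup: the secure path always yields only the `li`, the pass-through path yields `yurt` and `script` for the first item, and the escape-only path mangles the third item into `&amp;lt;b&amp;gt;`, which is the kind of double encoding the mail warns against.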