Page MenuHomePhabricator
Create Task
Maniphest T48852

XSS in Semantic Search
Closed, ResolvedPublic
Actions

Description

Author: sancus

Description:
http://semantic-mediawiki.org/wiki/Special:Ask?eq=yes&order_num=ASC&p[default]=3&p[format]=broadtable&p[headers]=show&p[intro]=3&p[limit]='" ns= alert(0x012480) &p[link]=all&p[mainlabel]=3&p[offset]=0&p[outro]=3&po=3&q=3&sort_num=3&title=Special%3aAsk&p[limit]=" javascript=prompt(0) onclick=prompt(0) onmouseover=prompt(/XSSHERE/) onload=prompt(0) onfocus=prompt(0) ns="

The above url produces an alert box when you mouseover the formatSelector select box next to "Format as:"

Version: unspecified
Severity: normal
URL: http://semantic-mediawiki.org/wiki/Special:Ask?eq=yes&order_num=ASC&p[default]=3&p[format]=broadtable&p[headers]=show&p[intro]=3&p[limit]='" ns= alert(0x012480) &p[link]=all&p[mainlabel]=3&p[offset]=0&p[outro]=3&po=3&q=3&sort_num=3&title=Special%3aAsk&p[limit]=" javascript=prompt(0) onclick=prompt(0) onmouseover=prompt(/XSSHERE/) onload=prompt(0) onfocus=prompt(0) ns="

Details

Reference
bz46852

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 1:39 AM
bzimport added a project: MediaWiki-extensions-SemanticBundle.
bzimport set Reference to bz46852.
bzimport created this task.Apr 3 2013, 6:47 PM
csteipp added a comment.Apr 3 2013, 7:08 PM

Verified on wikitech too.

Adding Ryan and Jeroen.

csteipp added a comment.Apr 3 2013, 7:19 PM

Issue is that Ex:SemanticMediaWiki is using Xml::escapeJsString() to escape $url parameters instead of rawurlencode. $url is then written directly into an element instead of using an Html/Xml builder, which also would have prevented breaking out of the attr.

csteipp added a comment.Apr 3 2013, 7:28 PM

Created attachment 12031
Patch to rawurlencode parameters and use Html::openElement()

Untested, but this should fix the issue. Not sure if it breaks the assumptions of the form processing (Jeroen would probably be the one to comment on that).

Attached:

bug46852.patch1 KBDownload

JeroenDeDauw added a comment.Apr 3 2013, 10:31 PM

https://gerrit.wikimedia.org/r/#/c/57433/

JeroenDeDauw added a comment.Apr 3 2013, 10:32 PM

Don’t think that will break anything - though who knows, sort of hard to tell with a pile of rotten code like Special:Ask :)

csteipp added a comment.Apr 3 2013, 10:39 PM

Hi Jeroen, in the future, please don't publicly post security patches to gerrit until we confirm that our systems are patched.

Adding Niklas so he can patch twn.

JeroenDeDauw added a comment.Apr 3 2013, 10:55 PM

Ok, sorry, was not aware of this process, or even that this bug was not public.

csteipp added a comment.Apr 10 2013, 11:09 PM

Merged by Jeroen

csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL