
Cross-site scripting (XSS) vulnerability in Semantic MediaWiki
Closed, Resolved, Public

Description

Author: david.pavey

Description:
If you enter:

<script>alert("CSS Vulnerability");</script>

into the query window and click on the 'Find results' button, it will pop up an alert window with the 'CSS Vulnerability' message.

This works on all versions of MediaWiki and the semantic extensions I have tried.
Works in both Firefox and IE.


Version: unspecified
Severity: major
URL: http://semantic-mediawiki.org/wiki/Special:Ask

Details

Reference
bz25340

Event Timeline

bzimport raised the priority of this task from to High. Nov 21 2014, 11:19 PM
bzimport set Reference to bz25340.

(In reply to comment #0)

If you enter:

<script>alert("CSS Vulnerability");</script>

into the query window and click on the 'Find results' button, it will pop up an
alert window with the 'CSS Vulnerability' message.

This works on all versions of MediaWiki and the semantic extensions I have
tried.
Works in both Firefox and IE.

Thanks for pointing this out. I will be fixing this today, and make a new SMW release soon afterwards.

(In reply to comment #0)

If you enter:

<script>alert("CSS Vulnerability");</script>

into the query window and click on the 'Find results' button, it will pop up an
alert window with the 'CSS Vulnerability' message.

This works on all versions of MediaWiki and the semantic extensions I have
tried.
Works in both Firefox and IE.

It looks like this vulnerability has already been fixed. I cannot reproduce it using the latest SMW. I'm not sure, but I suspect I fixed it in 1.5. What version are you using?

david.pavey wrote:

I'm using 1.5.0 as is the semantic-mediawiki.org site. I just reproduced it at the semantic-mediawiki site by going to http://semantic-mediawiki.org/wiki/Special:Ask and putting the script code in the query window. When I submitted the form, the response page displayed the alert window in both Firefox and IE 6.

Is there a later version of 1.5 that has this fixed?

(In reply to comment #3)

I'm using 1.5.0 as is the semantic-mediawiki.org site. I just reproduced it at
the semantic-mediawiki site by going to
http://semantic-mediawiki.org/wiki/Special:Ask and putting the script code in
the query window. When I submitted the form, the response page displayed the
alert window in both Firefox and IE 6.

Is there a later version of 1.5 that has this fixed?

Can confirm.

(In reply to comment #3)

I'm using 1.5.0 as is the semantic-mediawiki.org site. I just reproduced it at
the semantic-mediawiki site by going to
http://semantic-mediawiki.org/wiki/Special:Ask and putting the script code in
the query window. When I submitted the form, the response page displayed the
alert window in both Firefox and IE 6.

Is there a later version of 1.5 that has this fixed?

Oops - I meant that it was fixed in 1.5.1, not 1.5.

You can confirm by trying out
1.5.1: http://en.openei.org/wiki/Special:Ask
1.5.2: http://smw.referata.com/wiki/Special:Ask

david.pavey wrote:

We've found the same vulnerability in the 'default' input field on the ask screen. To replicate:

Go to:
http://semantic-mediawiki.org/wiki/Special:Ask

and enter:

'><script>alert("CSS Vulnerability");</script>

in the mainlabel, intro, outro, or default input fields. They all allow the script to execute when the results are returned.

Dave
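The defect described in this thread is reflected XSS: a value submitted in a Special:Ask form field (mainlabel, intro, outro, default) is written back into the result page's HTML without escaping, so a value beginning with `'>` closes the attribute it was meant to sit inside and the rest is parsed as markup. The following is an added example written for this thread, not Semantic MediaWiki's or MediaWiki's own code: a minimal PHP rendering of such a field in its vulnerable form beside the escaped form, with the report's own string as the test input. The function names and the field name are hypothetical.

```php
<?php
// Added illustration (not SMW or MediaWiki code) of the reflected-XSS pattern
// reported in this task and the standard fix: escape user-controlled values
// at the point they are written into HTML.

// Vulnerable: the submitted value is concatenated straight into an attribute.
// A value such as '><script>...</script> terminates value='...' and the
// remainder is interpreted as markup by the browser.
function renderFieldVulnerable(string $name, string $value): string
{
    return "<input type='text' name='" . $name . "' value='" . $value . "'>";
}

// Hardened: htmlspecialchars() with ENT_QUOTES turns ', ", <, > and & into
// entities, so the whole value stays inside the attribute no matter what it
// contains. ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the string.
function renderFieldHardened(string $name, string $value): string
{
    $safeName  = htmlspecialchars($name,  ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safeValue = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='text' name='" . $safeName . "' value='" . $safeValue . "'>";
}

// The string from the report, used here as a constructed test input.
$reported = "'><script>alert(\"CSS Vulnerability\");</script>";

// Self-check: the hardened output must contain no raw '<script' and must keep
// the submitted text inside a single attribute value.
function outputIsInert(string $html): bool
{
    return strpos($html, '<script') === false
        && preg_match("/value='[^']*'>$/", $html) === 1;
}

$vulnerable = renderFieldVulnerable('mainlabel', $reported);
$hardened   = renderFieldHardened('mainlabel', $reported);

echo "vulnerable: " . $vulnerable . "\n";
echo "hardened:   " . $hardened . "\n";
echo "vulnerable inert? " . (outputIsInert($vulnerable) ? "yes" : "no") . "\n"; // no
echo "hardened inert?   " . (outputIsInert($hardened)   ? "yes" : "no") . "\n"; // yes
```

In MediaWiki code the same result is obtained by building form markup through the core helpers (for example `Html::input()` / `Html::element()`), which escape attribute values and text content themselves, rather than concatenating request parameters into strings. The check to make when reviewing a fix like the one discussed above is that every place a field is echoed back (the form on the result page and any intro/outro text printed around the results) goes through an escaping path, since a single unescaped sink is enough for the issue to persist, as the later comment about the other input fields shows.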