Page MenuHomePhabricator
Create Task
Maniphest T30450

Backslash-escaped comments allow CSS injection vulnerability
Closed, ResolvedPublic
Actions

Description

Wikipedia user Suffusion of Yellow discovered a CSS injection vulnerability, which occurs when CSS comments /* ... */ are escaped with backslashes: \2f\2a ... \2a\2f. The bug is due to an error in the CSS escape sequence normalisation code which we introduced to fix bug 23687.

As with any CSS injection vulnerability, the impact is complete account compromise (XSS) for Internet Explorer users, and possible privacy loss due to arbitrary remote image embedding for users of other browsers.

Version: 1.16.x
Severity: normal

Details

Reference
bz28450
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL