XSS via 'form_name' parameter on Semantic Forms's Special:CreateForm page
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• bzimport
	Jul 3 2012, 6:07 PM

Description

Author: reed

Description:
There's an XSS issue on Semantic MediaWiki's Special:CreateForm page in the 'form_name' parameter.

Example XSS value: ""><script>alert("3")</script>

Video example: http://youtu.be/c1QkVOUEjMQ
Screenshot: http://i1256.photobucket.com/albums/ii488/testfortest/123/ww.png?t=1338819700

This issue was reported to Mozilla by Sony <insecurity.ro@gmail.com>.

Mozilla is tracking this as https://bugzilla.mozilla.org/show_bug.cgi?id=761114.

Version: unspecified
Severity: normal
See Also:
https://bugzilla.mozilla.org/show_bug.cgi?id=761114

Details

Reference: bz38150

Event Timeline

• bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 12:54 AM

• bzimport added a project: MediaWiki-extensions-Page_Forms.

• bzimport set Reference to bz38150.

• bzimport created this task.Jul 3 2012, 6:07 PM

Created attachment 10820
Use Html::input instead of writing string directly.

Confirmed in 2.4.2. Patch attached.

Attached:

SF_CreateForm.patch840 BDownload

I checked in the change - thanks for the patch. Hopefully this was the last bit of hardcoded HTML in the Semantic Forms code...

reed wrote:

Where can I get an updated copy of Semantic Forms that includes this fix?

It's available already via Git - there's not yet a new downloadable version with the fix. That will hopefully come out soon-ish.

Yaron, I pull it from svn just now (following the link on http://www.mediawiki.org/wiki/Extension:Semantic_Forms/Download_and_installation), and svn does *not* have the fix yet. Which git repo is it in?

reed wrote:

(In reply to comment #5)

Yaron, I pull it from svn just now (following the link on
http://www.mediawiki.org/wiki/Extension:Semantic_Forms/Download_and_installation),
and svn does *not* have the fix yet. Which git repo is it in?

I found it:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/extensions/SemanticForms.git;a=tree

Specific commits:
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/extensions/SemanticForms.git;a=commit;h=5935a8ff15e019844913c11e2ac8ddac660e2d8e
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/extensions/SemanticForms.git;a=commit;h=f7f0c5794b9632477edba22bd2c11682f697a2a1

Oh, yeah - all the documentation still needs to be change from SVN to Git.

Thanks for updating the git link. It looks like the zip files have not been updated:

http://discoursedb.org/SemanticForms/semantic_forms_2.4.2.tar.gz
http://discoursedb.org/SemanticForms/semantic_forms_2.4.2.zip

And the google project for the bundle also has the old version of the files:

https://code.google.com/p/semantic-mediawiki-bundle/

Yaron, can you handle those as well?

No, indeed, those haven't been updated yet - that will happen when there's a new version of Semantic Forms and Semantic Bundle, respectively.

bburton wrote:

When is a new version expected to be released?

Hi - it was released yesterday. :)

bburton wrote:

(In reply to comment #11)

Hi - it was released yesterday. :)

Awesome, do you know how long it should take for https://code.google.com/p/semantic-mediawiki-bundle/downloads/list to be updated?

Cheers

That one could be a while, unfortunately - maybe a month or two.

• csteipp added a project: acl*security.Mar 26 2015, 8:39 PM

• chasemp added a project: Security.Feb 10 2020, 10:53 PM

Restricted Application added a subscriber: Strainu. · View Herald TranscriptFeb 10 2020, 10:53 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM

	F9828: SF_CreateForm.patch
	Nov 22 2014, 12:54 AM

XSS via 'form_name' parameter on Semantic Forms's Special:CreateForm pageClosed, ResolvedPublicActions

Description

Details

Event Timeline

XSS via 'form_name' parameter on Semantic Forms's Special:CreateForm page
Closed, ResolvedPublic
Actions