Page MenuHomePhabricator
Create Task
Maniphest T41883

Adding base64-encoded HTML to a page's source code allows HTML injection
Closed, ResolvedPublic
Actions

Description

Author: phorgo

Description:
The extension encodes the rendered HTML to base64 to avoid escape problems with the parser and decodes it after the parser's work is done. But if someone adds encoded HTML to the page's wikitext, it will decoded, too. This allows anyone to inject all kinds of scripts. For example, adding
ENCODED_CONTENT PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgphbGVydCgnSGVsbG8sIG15IGZyaWVuZCEnKTsKPC9zY3JpcHQ+ END_ENCODED_CONTENT
to the wikitext will execute the alert() javascript function with 'Hello, my friend!'.

My idea is to add a random number after ENCODED_CONTENT to make the encoded strings each time different. This could look like this:
ENCODED_CONTENT RAND=123456789 PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgphbGVydCgnSGVsbG8sIG15IGZyaWVuZCEnKTsKPC9zY3JpcHQ+ END_ENCODED_CONTENT
And only if the correct number is matched by the regular expression, the encoded string should be decoded.

Version: unspecified
Severity: major

Details

Reference
bz39883

Related Objects

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 12:56 AM
bzimport added a project: MediaWiki-extensions-Widgets.
bzimport set Reference to bz39883.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Sep 1 2012, 12:45 PM
Yaron_Koren added a comment.Feb 21 2013, 10:24 PM

Harald - thanks for the excellent diagnosis and suggested fix. I just checked in a fix to this security hole based heavily on your suggestion. As far as I know, the issue is now solved.

Aklapper added a comment.Feb 22 2013, 8:51 AM

Yaron: Commit ID / URL very welcome. Thanks!

Yaron_Koren added a comment.Feb 22 2013, 1:25 PM

Hi,

Alright, here they are:

https://gerrit.wikimedia.org/r/#/c/50288/
https://gerrit.wikimedia.org/r/#/c/50298/

Majr mentioned this in T88964: Arbitrary HTML output possible.Feb 9 2015, 10:00 AM
Kghbln moved this task from Backlog to Resolved tasks on the MediaWiki-extensions-Widgets board.Jan 7 2016, 12:33 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL