Page MenuHomePhabricator
Create Task
Maniphest T53801

Upload Wizard exploitable with evil filenames
Closed, ResolvedPublic
Actions

Description

Linux is very permissive with its file names (compared to Windows). I was able to create a file with the following name:
<a onmouseover="alert('XSS')">abc</a>test.png

Then I uploaded this file and when hovering the title, an XSS alert is shown.

Version: unspecified
Severity: normal

Details

Reference
bz51801

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 1:58 AM
bzimport added a project: UploadWizard.
bzimport set Reference to bz51801.
Rillke created this task.Jul 22 2013, 10:53 AM
Rillke added a comment.Jul 22 2013, 10:53 AM

(js-client exploitable)

gerritbot added a comment.Jul 22 2013, 11:08 AM

Change 75090 had a related patch set uploaded by Rillke:
Filename: Using text instead of HTML to avoid exploitable

https://gerrit.wikimedia.org/r/75090

gerritbot added a comment.Jul 22 2013, 12:09 PM

Change 75090 merged by jenkins-bot:
Filename: Using text instead of HTML to avoid exploitable

https://gerrit.wikimedia.org/r/75090

Gilles added a project: Multimedia.Dec 4 2014, 9:32 AM
Gilles moved this task from Untriaged to Done on the Multimedia board.Dec 4 2014, 9:34 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL