
XSS in MediaWiki API (through invalid property name) reintroduced in 1.21.1
Closed, Resolved (Public)

Description

Author: bugzilla

Description:
It looks like bug #28534 was re-introduced in MediaWiki 1.21.1.
Test URL: http://ossdepot.v-front.de/wiki/api%2Ephp?action=query&meta=siteinfo&format=json&siprop=%3Cbody%20onload=alert(document.cookie)%3E.shtml (This is a fresh 1.21.1 installation).

This was detected by a security scan via scanmyserver.com and confirmed by their support.


Version: unspecified
Severity: normal
URL: http://ossdepot.v-front.de/wiki/api%2Ephp?action=query&meta=siteinfo&format=json&siprop=%3Cbody%20onload=alert(document.cookie)%3E.shtml
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=28534

Details

Reference
bz52746

Event Timeline

bzimport raised the priority of this task to High. (Nov 22 2014, 2:07 AM)
bzimport set Reference to bz52746.
bzimport added a subscriber: Unknown Object (MLST).

[Note to Security team: This Bugzilla ticket got filed under "MediaWiki" instead of "Security" product and hence is already known to the public, e.g. via http://article.gmane.org/gmane.org.wikimedia.mediawiki.bugs/359688 . Maybe also because http://www.mediawiki.org/wiki/Security does not mention Bugzilla? :-/ ]

I'm not sure if this is a regression, since that code hasn't changed much since Tim's patch for 28534. If you change the reported url to alert(1), as the issue was reported in 28524, instead of alert(document.cookie), you correctly get the IE redirect.

I'm not sure if it was intentional in that patch or not, but it seems (to me) that findIE6Extension doesn't correctly detect the extension if there are an even number of . characters in the url, since $pos = $nextPos + 1; will walk past the second . character, and then not detect that there was a . followed by legal characters.

If that wasn't intentional, then changing that to $pos = $nextPos; should fix the issue.
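The comment above describes the defect precisely enough to reproduce it. The Python below is an added illustration written for this page, not MediaWiki's own PHP `findIE6Extension` (which handles more cases than this): it keeps only the dot-by-dot scan over the query string, the `$pos = $nextPos + 1` step that walks past a terminating dot, and the proposed `$pos = $nextPos` fix. The query strings, the `SAFE_EXTENSIONS` allow-list and the function names are constructed for the example; the behaviour shown (an even number of dots hides the final extension, an odd number does not) is the one the comment reports.

```python
# Simplified reconstruction (not MediaWiki's PHP) of the extension scan
# discussed in the thread: find each '.', take the run after it as a
# candidate extension, and return the candidate that reaches the end of
# the string. The flag selects the reported behaviour or the proposed fix.

SAFE_EXTENSIONS = {"php", "json", "xml"}   # assumed allow-list for this example


def find_ie6_extension(query: str, skip_terminator: bool) -> str:
    """Return the extension an IE6-style scan would take from `query`, or ''.

    skip_terminator=True mirrors `$pos = $nextPos + 1`: the character that
    ended the candidate is stepped over, so when that character is itself a
    '.', the next search for a dot never sees it.
    skip_terminator=False mirrors the proposed fix `$pos = $nextPos`.
    """
    end = len(query)
    pos = 0
    while pos < end:
        dot = query.find(".", pos, end)
        if dot == -1:
            return ""                     # no further dot: nothing to sniff
        pos = dot + 1                     # candidate starts after the dot
        next_pos = pos
        while next_pos < end and query[next_pos] != ".":
            next_pos += 1                 # extend candidate to the next dot
        if next_pos >= end:
            return query[pos:next_pos]    # candidate runs to end of string
        # query[next_pos] is another '.': the defect skips it, the fix re-reads it
        pos = next_pos + 1 if skip_terminator else next_pos
    return ""


def should_refuse(query: str, skip_terminator: bool = False) -> bool:
    """True when a sniffable extension is present and not on the allow-list,
    i.e. the case in which the server should not serve the response as-is."""
    ext = find_ie6_extension(query, skip_terminator)
    return ext != "" and ext.lower() not in SAFE_EXTENSIONS


if __name__ == "__main__":
    # Constructed query strings with one, two and three dots in the value.
    samples = [
        "siprop=bar.shtml",          # 1 dot (odd): detected either way
        "siprop=foo.bar.shtml",      # 2 dots (even): missed by the defect
        "siprop=a.b.c.shtml",        # 3 dots (odd): detected either way
        "title=x.php",               # allow-listed extension: never refused
    ]
    for q in samples:
        print(f"{q:28} defect={find_ie6_extension(q, True)!r:9} "
              f"fixed={find_ie6_extension(q, False)!r:9} "
              f"refuse={should_refuse(q)}")
```

Running the script prints one line per sample; the second sample is the shape of the report above, where the scan with the extra `+ 1` returns an empty string and the corrected scan returns `shtml`.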

Created attachment 13095
Patch with unit test

Confirmed XSS on mediawiki.org in IE6. Skipping the character after a dot is definitely unintentional.

Attached:

bugzilla wrote:

Thanks, I applied the patch to my installation, and the scanmyserver.com service does no longer detect this issue.

(In reply to comment #3)

Created attachment 13095 [details]
Patch with unit test

Confirmed XSS on mediawiki.org in IE6. Skipping the character after a dot is
definitely unintentional.

Attached:

Change 82528 had a related patch set (by Tim Starling) published:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82528

Change 82528 merged by jenkins-bot:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82528

Change 82536 had a related patch set uploaded by CSteipp:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82536

Change 82538 had a related patch set uploaded by CSteipp:
SECURITY: Sanitize ResourceLoader exception messages

https://gerrit.wikimedia.org/r/82538

Change 82540 had a related patch set uploaded by CSteipp:
SECURITY: Sanitize ResourceLoader exception messages

https://gerrit.wikimedia.org/r/82540

Change 82542 had a related patch set uploaded by CSteipp:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82542

Change 82544 had a related patch set uploaded by CSteipp:
SECURITY: Sanitize ResourceLoader exception messages

https://gerrit.wikimedia.org/r/82544

Change 82546 had a related patch set uploaded by CSteipp:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82546

Change 82536 merged by CSteipp:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82536

Change 82540 merged by jenkins-bot:
SECURITY: Sanitize ResourceLoader exception messages

https://gerrit.wikimedia.org/r/82540

Change 82544 merged by jenkins-bot:
SECURITY: Sanitize ResourceLoader exception messages

https://gerrit.wikimedia.org/r/82544

Change 82538 merged by jenkins-bot:
SECURITY: Sanitize ResourceLoader exception messages

https://gerrit.wikimedia.org/r/82538

Change 82546 merged by jenkins-bot:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82546

Change 82542 merged by jenkins-bot:
SECURITY: Fix extension detection with 2 .'s

https://gerrit.wikimedia.org/r/82542

[restoring RESOLVED FIXED state which was set before the Gerrit Notification Bot inserted links to the Gerrit patchsets]

This issue was assigned CVE-2013-4303