Reported to security@, confirmed in master. The fix in the report fixes this particular issue, although I'm suspicious that we'll find another way to inject javascript in the array returned from pageInfo().
I have found an XSS vulnerability in the MediaWiki info action. If the default sort key is set to a string containing a script, the script will be executed when the page is viewed using the info action. For example, if the wikitext
{{DEFAULTSORT:<script>alert("hi");</script>}}
is included on a page and then the page is viewed with action=info (accessible using the “Page information” link in the Tools sidebar), the code will be executed, displaying an alert box. This can be reproduced by creating a page named Test containing only the above text and then viewing the page with the URL http://url.to.wiki/index.php?title=Test&action=info. The vulnerability can be remediated by adding one line of code:
$sortKey = htmlentities($sortKey, ENT_QUOTES);
to the file mediawiki/includes/actions/InfoAction.php before line 265 (line number according to http://git.wikimedia.org/blob/mediawiki%2Fcore.git/dd3de3dbb71f09fca8a97642626e3c84d562d8f2/includes%2Factions%2FInfoAction.php) yielding
…
    // Default sort key
    $sortKey = $title->getCategorySortkey();
    if ( !empty( $pageProperties['defaultsort'] ) ) {
        $sortKey = $pageProperties['defaultsort'];
    }
    // Escape the user-controlled sort key before it is placed in the info table
    $sortKey = htmlentities( $sortKey, ENT_QUOTES );
    $pageInfo['header-basic'][] = array( $this->msg( 'pageinfo-default-sort' ), $sortKey );
…
Dr. Cindy Cicalese
Lead Software Systems Engineer
The MITRE Corporation
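As an added illustration of the defensive point behind the report (this is example code, not MediaWiki's InfoAction.php): rather than escaping one value where it is computed, escape every value cell when the pageInfo-style array is turned into table rows, so a DEFAULTSORT key carrying markup is neutralised at the output boundary. The function and array names below are assumptions for this example, and the labels are plain strings rather than MediaWiki Message objects.

```php
<?php
// Added example, not MediaWiki code. Models the info table: a pageInfo-like
// array of [label, value] rows is rendered to HTML with each cell escaped.

// Constructed sample modelled on the report: the sort key carries a script.
$pageInfo = array(
    'header-basic' => array(
        array( 'Default sort key', '<script>alert("hi");</script>' ),
        array( 'Page length (in bytes)', '42' ),
    ),
);

// Escape a single cell. ENT_QUOTES covers single and double quotes, so the
// value is also safe inside an attribute; the charset is given explicitly.
function escape_cell( $value ) {
    return htmlentities( (string) $value, ENT_QUOTES, 'UTF-8' );
}

// Render every section's rows. Escaping happens here, at the point where
// values enter HTML, so no caller has to remember to do it per value.
function render_info_rows( array $pageInfo ) {
    $html = '';
    foreach ( $pageInfo as $section => $rows ) {
        foreach ( $rows as $row ) {
            list( $label, $value ) = $row;
            $html .= '<tr><td>' . escape_cell( $label ) . '</td><td>'
                . escape_cell( $value ) . "</td></tr>\n";
        }
    }
    return $html;
}

// Self-check: the script tag from the sample must not survive as raw markup.
$out = render_info_rows( $pageInfo );
if ( stripos( $out, '<script' ) !== false ) {
    fwrite( STDERR, "FAIL: unescaped markup reached the output\n" );
    exit( 1 );
}
echo $out;
```

Running the script prints the two rows with the payload rendered as `&lt;script&gt;alert(&quot;hi&quot;);&lt;/script&gt;` and exits 0; removing the `escape_cell` call on `$value` makes the self-check fail.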
Version: unspecified
Severity: normal