Reported by Nicolas Grégoire.
We already set nosniff, so Chrome/Opera shouldn't be affected. But it probably makes sense to prepend our JSONP with /**/ like Rails did: https://github.com/rails/rails/pull/16109/files
Hello,
it seems that the "api.php" file included in MediaWiki is vulnerable to
a JSONP injection (CVE-2014-4671), which can be abused to bypass the
Same Origin Policy in Flash.
More details on the underlying bug:
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
Proofs of concept:
http://www.mediawiki.org/w/api.php?action=query&format=json&callback=pwned
https://en.wikipedia.org/w/api.php?action=query&format=json&callback=pwned
As far as I know, several people are already aware of this MediaWiki
vulnerability.
Regards,
Nicolas Grégoire
Version: 1.24rc
Severity: normal
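The mitigation discussed in the comment above (a leading /**/ on the JSONP body plus X-Content-Type-Options: nosniff), as an added example that is not MediaWiki's own api.php code. Python is used here for illustration rather than PHP; the sample payload, the callback names and the response-building functions are all constructed for this example, and the check only looks at the SWF magic bytes ("FWS"/"CWS") at byte 0 of the body rather than validating a full SWF. The point it shows: a Rosetta Flash style callback is purely alphanumeric, so a character whitelist alone does not stop it; what stops it is making sure the attacker never controls the first bytes of the response.

```python
import json
import re

# Constructed stand-in for what api.php?action=query&format=json would return.
SAMPLE_PAYLOAD = {"query": {"pages": {}}}

# First three bytes of an uncompressed (FWS) or zlib-compressed (CWS) SWF file.
# If a cross-origin response starts with one of these, Flash can be coaxed into
# loading it as a movie served by the victim origin.
SWF_MAGIC = (b"FWS", b"CWS")

# The usual JSONP callback whitelist. Note that a Rosetta Flash payload is
# alphanumeric and therefore passes this check; the regex is still worth having
# against plain script injection, but it is not the fix for this bug.
CALLBACK_RE = re.compile(r"^[A-Za-z0-9_.$]+$")


def is_safe_callback(callback: str) -> bool:
    return bool(CALLBACK_RE.match(callback))


def jsonp_vulnerable(callback: str, payload: dict) -> bytes:
    """Pre-fix shape: the callback name is reflected at byte 0 of the body."""
    return callback.encode() + b"(" + json.dumps(payload).encode() + b")"


def jsonp_hardened(callback: str, payload: dict):
    """Post-fix shape: /**/ is prepended (as Rails did) so the body can never
    start with attacker-controlled bytes, and nosniff is set so browsers that
    honour it refuse to treat the response as anything but JavaScript."""
    if not is_safe_callback(callback):
        raise ValueError("invalid callback name")
    body = b"/**/" + callback.encode() + b"(" + json.dumps(payload).encode() + b")"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def looks_like_swf(body: bytes) -> bool:
    """Detection check for a response body: does it begin with the SWF magic?"""
    return body[:3] in SWF_MAGIC


if __name__ == "__main__":
    # Constructed callback that merely starts with the CWS magic; a real
    # Rosetta Flash payload is a complete alphanumeric SWF after those bytes.
    evil = "CWSconstructedCallback"
    print("vulnerable body starts with SWF magic:",
          looks_like_swf(jsonp_vulnerable(evil, SAMPLE_PAYLOAD)))
    hdrs, body = jsonp_hardened(evil, SAMPLE_PAYLOAD)
    print("hardened body starts with SWF magic:", looks_like_swf(body))
    print(hdrs["X-Content-Type-Options"], body[:40])
```

The /**/ prefix is harmless to every JSONP consumer (it is a JavaScript comment) and costs four bytes, which is why it is the preferred fix over trying to enumerate "dangerous" callback names.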