Page MenuHomePhabricator

Mitigate CVE-2014-4671 (jsonp flash)
Closed, ResolvedPublic

Description

Reported by Nicolas Grégoire.

We already set nosniff, so Chrome/Opera shouldn't be affected. But it probably makes sense to prepend our jsonp with /**/ like rails did https://github.com/rails/rails/pull/16109/files.

Hello,

it seems that the "api.php" file included in MediaWiki is vulnerable to
a JSONP injection (CVE-2014-4671), which can be abused to bypass the
Same Origin Policy in Flash.

More details on the underlying bug:
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

Proofs of concept:
http://www.mediawiki.org/w/api.php?action=query&format=json&callback=pwned
https://en.wikipedia.org/w/api.php?action=query&format=json&callback=pwned

As far as I know, several people are already aware of this MediaWiki
vulnerability.

Regards,
Nicolas Grégoire


Version: 1.24rc
Severity: normal

Details

Reference
bz68187

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:26 AM
bzimport set Reference to bz68187.
bzimport added a subscriber: Unknown Object (MLST).

Created attachment 15960
Patch

As far as I know, several people are already aware of this MediaWiki
vulnerability.

Nice of any of them to tell us. At least Nicolas was thoughtful.

attachment 0001-API-Prepend-a-comment-to-JSONP-output.patch ignored as obsolete

Created attachment 15961
Prepend jsonp callback with comment

I did the same patch, so I think we're on the same page. I just made a shorter comment, and added a unit test.

Attached:

21:02 csteipp: deployed fix for bug68187

Created attachment 16079
Backport to REL1_22

This is the backport to REL1_22 branch. Tested the prepend in my local instance, works. If someone could verify, this would be great!

Attached:

Created attachment 16080
Backport to REL1_19

This is the backport to REL1_19 branch. Tested the prepend in my local instance, works. If someone could verify, this would be great!

Attached:

Patch works with REL1_23. Tested the prepend in my local instance, works.

Adding early access for Wikia and Debian

Backports all seem to work fine. +2.

Moved to product MediaWiki as the fix is published now.

I see this was merged a while back, so closing.