
XSS on search form
Closed, Resolved · Public

Description

Author: bugzilla-wikipedia

Description:

Problem

It is possible to conduct a cross-site scripting attack against the search page
when it displays Google and Yahoo search forms. There is a lack of validation
before returning the original query to the user.

Affected

It seems that only French, Dutch and Russian pages are displaying Google and
Yahoo search forms.

Attack vector

"><script>alert('XSS')</script>

PoC

http://fr.wikipedia.org/wiki/Special:Search?search=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&go=Go
http://nl.wikipedia.org/wiki/Special:Search?search=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&go=Go
http://ru.wikipedia.org/wiki/Special:Search?search=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&go=Go

Solution

Filter :)


Version: unspecified
Severity: critical
URL: http://xx.wikipedia.org/wiki/Special:Search

Details

Reference
bz7888

Event Timeline

bzimport raised the priority of this task from to High. Nov 21 2014, 9:28 PM
bzimport set Reference to bz7888.
bzimport added a subscriber: Unknown Object (MLST).

robchur wrote:

Confirmed, though I haven't identified whether it's the Lucene extension, the built-in
search or something special about the fallback behaviour at the moment. Looking now.

robchur wrote:

Aha. http://fr.wikipedia.org/wiki/MediaWiki:Monobook.js seems to have a useful
little hack (do a find in your browser for "yahooSearch") which contains the
vulnerability.

I've corrected the bad JS code on these sites.

Sigh.

robchur wrote:

Another vote against custom JavaScript. Sadly, administrators are not
necessarily l33t script writers as well...

Man, I hate JavaScript's class library (such as it is). String's replace() method only replaces the first occurrence
by default. *boggle*

Fixed.
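
The replace() pitfall robchur describes, as an added example (not code from this thread or from the Monobook.js on the affected wikis): an escaper built from string-pattern replace() calls rewrites only the first occurrence, so a query containing a second quote still breaks out of the input's value attribute, while the regex form with the /g flag escapes every occurrence. The function names and the sample query are constructed for the illustration.

```javascript
// Flawed escaper in the style the thread describes: with a string pattern,
// String.prototype.replace() rewrites only the FIRST occurrence, so a second
// quote or angle bracket reaches the markup untouched.
function escapeFirstOnly(s) {
  return String(s)
    .replace('&', '&amp;')
    .replace('"', '&quot;')
    .replace('<', '&lt;')
    .replace('>', '&gt;');
}

// Correct escaper for an HTML attribute value: regex patterns with /g replace
// every occurrence, and & is handled first so later entities are not re-escaped.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Echoes the original query back into a hidden search form, mirroring the
// pattern of splicing user input into a value="..." attribute via string
// concatenation. (Assigning input.value through the DOM avoids this entirely.)
function buildSearchInput(query, escape) {
  return '<input type="text" name="q" value="' + escape(query) + '">';
}

// A raw quote closes the attribute and raw angle brackets can then open a new
// tag; if any survive escaping, the query has not been contained.
function leaksOutOfAttribute(escaped) {
  return /["<>]/.test(escaped);
}

// Constructed query: the report's shape with a second double quote, which is
// exactly the case a first-occurrence-only replace() fails to handle.
const SAMPLE_QUERY = '""><i>x</i>';

console.log(buildSearchInput(SAMPLE_QUERY, escapeFirstOnly));
console.log('leaks:', leaksOutOfAttribute(escapeFirstOnly(SAMPLE_QUERY)));
console.log(buildSearchInput(SAMPLE_QUERY, escapeHtmlAttr));
console.log('leaks:', leaksOutOfAttribute(escapeHtmlAttr(SAMPLE_QUERY)));
```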

dake.cdx wrote:

Another vote against custom JavaScript. Sadly, administrators are not
necessarily l33t script writers as well...

Well, how long have we been waiting for a better search page? Administrators
are just patching :) Though for that XSS stuff I plead 100% guilty, I completely
forgot the XSS issue. Another piece of code I made, the array generator
("popupTableau"), is more secure (I hope) as inputs go through JS parsing functions.

dake.cdx wrote:

btw. Brion is right, JS sucks.