Last modified: 2011-02-02 14:56:11 UTC
If you enter:

<script>alert("CSS Vulnerability");</script>

into the query window and click on the 'Find results' button, it will pop up an alert window with the 'CSS Vulnerability' message.

This works on all versions of MediaWiki and the semantic extensions I have tried.
Works in both Firefox and IE.
(In reply to comment #0)
> If you enter:
>
> <script>alert("CSS Vulnerability");</script>
>
> into the query window and click on the 'Find results' button, it will pop up an
> alert window with the 'CSS Vulnerability' message.
>
> This works on all versions of MediaWiki and the semantic extensions I have
> tried.
> Works in both Firefox and IE.

Thanks for pointing this out. I will be fixing this today, and make a new SMW release soon afterwards.
(In reply to comment #0)
> If you enter:
>
> <script>alert("CSS Vulnerability");</script>
>
> into the query window and click on the 'Find results' button, it will pop up an
> alert window with the 'CSS Vulnerability' message.
>
> This works on all versions of MediaWiki and the semantic extensions I have
> tried.
> Works in both Firefox and IE.

It looks like this vulnerability has already been fixed. I cannot reproduce it using the latest SMW. I'm not sure, but suspect I fixed it in 1.5. What version are you using?
I'm using 1.5.0 as is the semantic-mediawiki.org site. I just reproduced it at the semantic-mediawiki site by going to http://semantic-mediawiki.org/wiki/Special:Ask and putting the script code in the query window. When I submitted the form, the response page displayed the alert window in both Firefox and IE 6. Is there a later version of 1.5 that has this fixed?
(In reply to comment #3)
> I'm using 1.5.0 as is the semantic-mediawiki.org site. I just reproduced it at
> the semantic-mediawiki site by going to
> http://semantic-mediawiki.org/wiki/Special:Ask and putting the script code in
> the query window. When I submitted the form, the response page displayed the
> alert window in both Firefox and IE 6.
>
> Is there a later version of 1.5 that has this fixed?

Can confirm.
(In reply to comment #3)
> I'm using 1.5.0 as is the semantic-mediawiki.org site. I just reproduced it at
> the semantic-mediawiki site by going to
> http://semantic-mediawiki.org/wiki/Special:Ask and putting the script code in
> the query window. When I submitted the form, the response page displayed the
> alert window in both Firefox and IE 6.
>
> Is there a later version of 1.5 that has this fixed?

Oops - I meant that it was fixed in 1.5.1, not 1.5. You can confirm by trying out

1.5.1: http://en.openei.org/wiki/Special:Ask
1.5.2: http://smw.referata.com/wiki/Special:Ask
We've found the same vulnerability in the 'default' input field on the ask screen.

To Replicate:

Go to: http://semantic-mediawiki.org/wiki/Special:Ask and enter:

'><script>alert("CSS Vulnerability");</script>

in the mainlabel, intro, outro, or default input fields. They all allow the script to execute when the results are returned.

Dave
Thanks for reporting this. The issue should be fixed after this commit: https://secure.wikimedia.org/wikipedia/mediawiki/wiki/Special:Code/MediaWiki/75871
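
The reports above describe submitted field values being echoed back into the results page without encoding. As an added illustration (not Semantic MediaWiki's code and not the code from the referenced commit), the PHP below shows that echo into a single-quoted attribute next to an encoded version. The helper names `renderInputUnsafe()` and `renderInputSafe()` and the single-quoted markup are assumptions made for the example.

```php
<?php
// Added illustration; not Semantic MediaWiki code. renderInputUnsafe() and
// renderInputSafe() are hypothetical helpers standing in for a form renderer
// that echoes a submitted parameter back into a single-quoted value attribute.

function renderInputUnsafe(string $name, string $value): string {
    // Vulnerable: the submitted value is concatenated into the attribute as-is.
    return "<input type='text' name='" . $name . "' value='" . $value . "' />";
}

function renderInputSafe(string $name, string $value): string {
    // ENT_QUOTES encodes both ' and ", so the value cannot close the attribute.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return "<input type='text' name='" . htmlspecialchars($name, $flags, 'UTF-8')
        . "' value='" . htmlspecialchars($value, $flags, 'UTF-8') . "' />";
}

// The string reported in the thread for the mainlabel, intro, outro and default fields.
$submitted = "'><script>alert(\"CSS Vulnerability\");</script>";

$unsafe = renderInputUnsafe('default', $submitted);
$safe   = renderInputSafe('default', $submitted);

// ENT_COMPAT (the default before PHP 8.1) encodes < > & " but not ', so in a
// single-quoted attribute the leading quote still ends the attribute value.
$compat = "<input type='text' name='default' value='"
    . htmlspecialchars($submitted, ENT_COMPAT, 'UTF-8') . "' />";

echo $unsafe, "\n", $compat, "\n", $safe, "\n";

// Checks: does a raw <script> tag, or a raw quote from the input, reach the markup?
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($compat, "value=''&gt;") !== false);
var_dump(strpos($safe, '<script>') === false && strpos($safe, "value='&#039;") !== false);
```

The three echoed lines show the difference directly: the first carries the raw tag, the second keeps the tag encoded but leaves the attribute closed early by the unencoded quote, and the third keeps the whole value inside the attribute.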