Last modified: 2011-02-02 14:56:11 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T27340, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 25340 - Cross-site scripting (XSS) vulnerability in Semantic MediaWiki
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: Semantic MediaWiki
Version: unspecified
Hardware: All All
Importance: High major
Target Milestone: ---
Assigned To: Jeroen De Dauw
http://semantic-mediawiki.org/wiki/Sp...
Reported: 2010-09-27 19:54 UTC by david.pavey
Modified: 2011-02-02 14:56 UTC

Description david.pavey 2010-09-27 19:54:05 UTC
If you enter:

<script>alert("CSS Vulnerability");</script>

into the query window and click on the 'Find results' button, it will pop up an alert window with the 'CSS Vulnerability' message.

This works on all versions of MediaWiki and the semantic extensions I have tried.
Works in both Firefox and IE.
Comment 1 Jeroen De Dauw 2010-09-29 21:16:31 UTC
(In reply to comment #0)
> If you enter:
> 
> <script>alert("CSS Vulnerability");</script>
> 
> into the query window and click on the 'Find results' button, it will pop up an
> alert window with the 'CSS Vulnerability' message.
> 
> This works on all versions of MediaWiki and the semantic extensions I have
> tried.
> Works in both Firefox and IE.

Thanks for pointing this out. I will be fixing this today, and will make a new SMW release soon afterwards.
Comment 2 Jeroen De Dauw 2010-09-29 22:44:18 UTC
(In reply to comment #0)
> If you enter:
> 
> <script>alert("CSS Vulnerability");</script>
> 
> into the query window and click on the 'Find results' button, it will pop up an
> alert window with the 'CSS Vulnerability' message.
> 
> This works on all versions of MediaWiki and the semantic extensions I have
> tried.
> Works in both Firefox and IE.

It looks like this vulnerability has already been fixed. I cannot reproduce it using the latest SMW. I'm not sure, but I suspect I fixed it in 1.5. What version are you using?
Comment 3 david.pavey 2010-09-30 14:53:43 UTC
I'm using 1.5.0 as is the semantic-mediawiki.org site. I just reproduced it at the semantic-mediawiki site by going to http://semantic-mediawiki.org/wiki/Special:Ask and putting the script code in the query window. When I submitted the form, the response page displayed the alert window in both Firefox and IE 6.

Is there a later version of 1.5 that has this fixed?
Comment 4 p858snake 2010-09-30 15:02:27 UTC
(In reply to comment #3)
> I'm using 1.5.0 as is the semantic-mediawiki.org site. I just reproduced it at
> the semantic-mediawiki site by going to
> http://semantic-mediawiki.org/wiki/Special:Ask and putting the script code in
> the query window. When I submitted the form, the response page displayed the
> alert window in both Firefox and IE 6.
> 
> Is there a later version of 1.5 that has this fixed?
Can confirm.
Comment 5 Jeroen De Dauw 2010-09-30 22:02:37 UTC
(In reply to comment #3)
> I'm using 1.5.0 as is the semantic-mediawiki.org site. I just reproduced it at
> the semantic-mediawiki site by going to
> http://semantic-mediawiki.org/wiki/Special:Ask and putting the script code in
> the query window. When I submitted the form, the response page displayed the
> alert window in both Firefox and IE 6.
> 
> Is there a later version of 1.5 that has this fixed?

Oops - I meant that it was fixed in 1.5.1, not 1.5.

You can confirm by trying out
1.5.1: http://en.openei.org/wiki/Special:Ask
1.5.2: http://smw.referata.com/wiki/Special:Ask
Comment 6 david.pavey 2010-11-01 15:00:04 UTC
We've found the same vulnerability in the 'default' input field on the ask screen. To Replicate:

Go to:
http://semantic-mediawiki.org/wiki/Special:Ask

and enter:

'><script>alert("CSS Vulnerability");</script>

in the mainlabel, intro, outro, or default input fields. They all allow the script to execute when the results are returned.

Dave
Comment 7 Jeroen De Dauw 2010-11-02 20:04:04 UTC
Thanks for reporting this.

The issue should be fixed after this commit: https://secure.wikimedia.org/wikipedia/mediawiki/wiki/Special:Code/MediaWiki/75871
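
The two output contexts reported in this thread, as an added example that is not Semantic MediaWiki code and not taken from the referenced commit: a value echoed into the page body (comment 0) and a value placed in a form field attribute (comment 6). The function names and the markup, including the single-quoted attributes, are assumptions made for illustration; the field names and input strings are the ones given in the comments.

```php
<?php
// Added illustration, not Semantic MediaWiki code. Function names and the
// form markup are hypothetical; field names and inputs come from the report.

// Before: request values interpolated straight into the response.
function renderUnsafe(string $query, array $fields): string {
    $html = "<p>Query: $query</p>\n";                     // element-content context
    foreach ($fields as $name => $value) {
        $html .= "<input name='$name' value='$value'>\n"; // single-quoted attribute
    }
    return $html;
}

// After: every value is HTML-escaped at output time. ENT_QUOTES matters here:
// ENT_COMPAT leaves ' untouched, so a single-quoted attribute can still be closed.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(string $query, array $fields): string {
    $html = '<p>Query: ' . esc($query) . "</p>\n";
    foreach ($fields as $name => $value) {
        $html .= "<input name='" . esc($name) . "' value='" . esc($value) . "'>\n";
    }
    return $html;
}

// Regression check: does any request value survive as live markup?
function hasLiveScript(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Inputs as given in comment 0 (query) and comment 6 (form fields).
$query  = '<script>alert("CSS Vulnerability");</script>';
$attr   = "'>" . $query;
$fields = ['mainlabel' => $attr, 'intro' => $attr, 'outro' => $attr, 'default' => $attr];

var_dump(hasLiveScript(renderUnsafe($query, $fields)));
var_dump(hasLiveScript(renderSafe($query, $fields)));

// Partial fix that still fails in the attribute context: ' is not escaped, so
// the value attribute ends early and the rest is parsed outside the quotes.
$partial = "<input name='default' value='" . htmlspecialchars($attr, ENT_COMPAT, 'UTF-8') . "'>";
var_dump(strpos($partial, "value=''") !== false);
```

The first check reports live script markup in the unescaped output, the second reports none, and the third shows why escaping only `<`, `>` and `"` is not enough when the attribute is delimited with single quotes.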
