Last modified: 2013-02-22 13:25:34 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. Logging in is not possible, and apart from displaying bug reports and their history, links might be broken. See T41883, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 39883 - Adding base64-encoded HTML to a page's source code allows HTML injection
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: Widgets
Version: unspecified
Hardware/OS: All / All
Importance: High major
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:
Reported: 2012-09-01 12:45 UTC by Harald
Modified: 2013-02-22 13:25 UTC
CC: 3 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---
Description Harald 2012-09-01 12:45:40 UTC
The extension encodes the rendered HTML to base64 to avoid escape problems with the parser and decodes it after the parser's work is done. But if someone adds encoded HTML to the page's wikitext, it will be decoded, too. This allows anyone to inject all kinds of scripts. For example, adding
ENCODED_CONTENT PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgphbGVydCgnSGVsbG8sIG15IGZyaWVuZCEnKTsKPC9zY3JpcHQ+ END_ENCODED_CONTENT
to the wikitext will execute the alert() JavaScript function with 'Hello, my friend!'.

My idea is to add a random number after ENCODED_CONTENT to make the encoded strings each time different. This could look like this:
ENCODED_CONTENT RAND=123456789 PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgphbGVydCgnSGVsbG8sIG15IGZyaWVuZCEnKTsKPC9zY3JpcHQ+ END_ENCODED_CONTENT
And only if the correct number is matched by the regular expression should the encoded string be decoded.
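Added illustration, not the Widgets extension's own code: a Python model of the post-parse unwrap step described above, with the unchecked decode beside the nonce-checked decode Harald proposes. The marker layout, the function names and the use of `secrets` for the per-parse nonce are assumptions made here.

```python
import base64
import re
import secrets

# Assumed model of the scheme in the report, not the extension's own code: rendered
# HTML is base64-wrapped so the wikitext parser leaves it alone and is unwrapped
# after parsing. Editor wikitext passes through the same parser, so a marker an
# editor types reaches the unwrap step as well.
B64 = r"[A-Za-z0-9+/=]+"
UNCHECKED_RE = re.compile(r"ENCODED_CONTENT (" + B64 + r") END_ENCODED_CONTENT")


def wrap_html(html: str, nonce: str = "") -> str:
    """Wrap trusted rendered HTML; with a nonce, emit the RAND= form Harald proposes."""
    b64 = base64.b64encode(html.encode("utf-8")).decode("ascii")
    tag = f"RAND={nonce} " if nonce else ""
    return f"ENCODED_CONTENT {tag}{b64} END_ENCODED_CONTENT"


def unwrap_unchecked(parsed: str) -> str:
    """Vulnerable post-parse step: every marker is decoded, whoever wrote it."""
    return UNCHECKED_RE.sub(lambda m: base64.b64decode(m.group(1)).decode("utf-8"), parsed)


def unwrap_with_nonce(parsed: str, nonce: str) -> str:
    """Fixed step: only markers carrying this parse's nonce are decoded; a marker
    with a missing or wrong nonce is left as inert base64 text."""
    checked = re.compile(
        r"ENCODED_CONTENT RAND=" + re.escape(nonce) + r" (" + B64 + r") END_ENCODED_CONTENT"
    )
    return checked.sub(lambda m: base64.b64decode(m.group(1)).decode("utf-8"), parsed)


# The report's example marker, typed straight into wikitext (base64 string copied
# from the description above).
INJECTED = ("ENCODED_CONTENT PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgphbGVydCgnSGVsbG8sIG15"
            "IGZyaWVuZCEnKTsKPC9zY3JpcHQ+ END_ENCODED_CONTENT")


def render(page_wikitext: str, widget_html: str, fixed: bool) -> str:
    """One simulated parse: the widget's output and the editor's text share the page,
    then the unwrap step runs. The nonce must be fresh and unguessable per parse and
    must never appear anywhere an editor can read it, or the check is void."""
    if not fixed:
        return unwrap_unchecked(wrap_html(widget_html) + "\n" + page_wikitext)
    nonce = secrets.token_hex(16)
    return unwrap_with_nonce(wrap_html(widget_html, nonce) + "\n" + page_wikitext, nonce)
```

With `fixed=False` the editor's marker comes back as a live `<script>` element next to the widget's HTML; with `fixed=True` the widget still renders and the editor's marker remains plain base64 text.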
Comment 1 Yaron Koren 2013-02-21 22:24:55 UTC
Harald - thanks for the excellent diagnosis and suggested fix. I just checked in a fix to this security hole based heavily on your suggestion. As far as I know, the issue is now solved.
Comment 2 Andre Klapper 2013-02-22 08:51:01 UTC
Yaron: Commit ID / URL very welcome. Thanks!
Comment 3 Yaron Koren 2013-02-22 13:25:34 UTC
Hi,

Alright, here they are:

https://gerrit.wikimedia.org/r/#/c/50288/
https://gerrit.wikimedia.org/r/#/c/50298/
