Last modified: 2008-05-30 17:14:21 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 7303 - overly-permissive CSS restrictions allow spoofing of login link
overly-permissive CSS restrictions allow spoofing of login link
Status: RESOLVED DUPLICATE of bug 8679
Product: MediaWiki
Classification: Unclassified
General/Unknown (Other open bugs)
unspecified
All All
: Normal normal with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks: css
  Show dependency treegraph
 
Reported: 2006-09-13 04:39 UTC by Chris Thomas (CTho)
Modified: 2008-05-30 17:14 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Chris Thomas (CTho) 2006-09-13 04:39:45 UTC
It's possible to insert something into an article's text that allows you to put
something on top of the links at the top right.  If crafted properly, it can
look similar enough to the real "Sign in / create account" link to potentially
fool an inexperienced or careless user into visiting a fake login page hosted by
a malicious user.

Apologies for the page-widening testcase code (the spaces are necessary so that
it looks right for logged-in users by hiding their other links):

<span class="plainlinks" style="background: #EEEEEE; position: absolute; right:
0; top:-35px; font-weight: bold;
z-index:5">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
[http://google.com/ Sign in / create account]</span>

This example does not work properly for Internet Explorer, but it's probably
possible to get that working too.
Comment 1 Andrew Garrett 2006-09-13 04:44:35 UTC
Confirm that it works under FF1.5, see
[http://wiki.epstone.net/w/index.php?title=Home_Page&oldid=2918].
Comment 2 Aryeh Gregor (not reading bugmail, please e-mail directly) 2006-09-13 05:35:38 UTC
This can be maliciously added to any page (other than the main page), and might
not be immediately evident to vandal-fighters.  Bumping severity to major.  What
could we do about it, though?
Comment 3 Dan Li 2006-09-15 01:19:15 UTC
I was going to suggest disallowing z-index but found out that's not even necessary.

Would this really not be immediately evident to vandal-fighters? (Unless it's on
a user page; that might go unnoticed...)
Comment 4 Aryeh Gregor (not reading bugmail, please e-mail directly) 2006-09-15 01:27:15 UTC
Yeah, I overreacted.  Any large-scale attempt at this would be spotted quite
quickly.  Still should be fixed *if* anyone can think of any way to do it
without shutting out legitimate uses.  Restricting content to the content box is
probably a good idea from a security perspective.
Comment 5 Chris Thomas (CTho) 2006-09-15 01:44:40 UTC
Dan, what about giving the real link a higher z-index and then disallowing it
for article contents?  For browsers that understand z-index, that seems like it
might help.
Alternately, what about disallowing negative positions?  That would make
anything above or to the left of the article content safe, while only causing
trouble for people who want to do really really convoluted layouts.
Comment 6 Brion Vibber 2008-05-30 17:14:21 UTC

*** This bug has been marked as a duplicate of bug 8679 ***

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links