Last modified: 2008-05-30 17:14:21 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T9303, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 7303 - overly-permissive CSS restrictions allow spoofing of login link
overly-permissive CSS restrictions allow spoofing of login link
Status: RESOLVED DUPLICATE of bug 8679
Product: MediaWiki
Classification: Unclassified
General/Unknown (Other open bugs)
All All
: Normal normal with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks: css
  Show dependency treegraph
Reported: 2006-09-13 04:39 UTC by Chris Thomas (CTho)
Modified: 2008-05-30 17:14 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description Chris Thomas (CTho) 2006-09-13 04:39:45 UTC
It's possible to insert something into an article's text that allows you to put
something on top of the links at the top right.  If crafted properly, it can
look similar enough to the real "Sign in / create account" link to potentially
fool an inexperienced or careless user into visiting a fake login page hosted by
a malicious user.

Apologies for the page-widening testcase code (the spaces are necessary so that
it looks right for logged-in users by hiding their other links):

<span class="plainlinks" style="background: #EEEEEE; position: absolute; right:
0; top:-35px; font-weight: bold;
[ Sign in / create account]</span>

This example does not work properly for Internet Explorer, but it's probably
possible to get that working too.
Comment 1 Andrew Garrett 2006-09-13 04:44:35 UTC
Confirm that it works under FF1.5, see
Comment 2 Aryeh Gregor (not reading bugmail, please e-mail directly) 2006-09-13 05:35:38 UTC
This can be maliciously added to any page (other than the main page), and might
not be immediately evident to vandal-fighters.  Bumping severity to major.  What
could we do about it, though?
Comment 3 Dan Li 2006-09-15 01:19:15 UTC
I was going to suggest disallowing z-index but found out that's not even necessary.

Would this really not be immediately evident to vandal-fighters? (Unless it's on
a user page; that might go unnoticed...)
Comment 4 Aryeh Gregor (not reading bugmail, please e-mail directly) 2006-09-15 01:27:15 UTC
Yeah, I overreacted.  Any large-scale attempt at this would be spotted quite
quickly.  Still should be fixed *if* anyone can think of any way to do it
without shutting out legitimate uses.  Restricting content to the content box is
probably a good idea from a security perspective.
Comment 5 Chris Thomas (CTho) 2006-09-15 01:44:40 UTC
Dan, what about giving the real link a higher z-index and then disallowing it
for article contents?  For browsers that understand z-index, that seems like it
might help.
Alternately, what about disallowing negative positions?  That would make
anything above or to the left of the article content safe, while only causing
trouble for people who want to do really really convoluted layouts.
Comment 6 Brion Vibber 2008-05-30 17:14:21 UTC

*** This bug has been marked as a duplicate of bug 8679 ***

Note You need to log in before you can comment on or make changes to this bug.