Wolfe, Jeff wrote:
> Hi All,
> I apologize if this isn't the place to report this, but a colleague and I
> uncovered a cross-site scripting bug that seems to be in the 1.5 branch.
> I've seen it in 1.5b4. Exploiting it is easy. The contents of the search box
> are placed verbatim on the search results page. This means you can place
> any HTML you want in the search and up it comes. Since the search
> parameters are passed on the URL, it's a no-brainer to create a URL with
> offending content. Add the following URL to any 1.5b4 site and you should
> see a JavaScript alert box pop up:
> <snip>
> I have not seen this earlier than the 1.5 branch, and it would seem
> Wikipedia and a few others are doing something different from the default
> which prevents the issue. One simple workaround is to change the
> 'searchquery' message to not use the $1 parameter for now.
Thanks for the catch!
The bug was introduced in CVS HEAD on June 24, when an experimental
change to formatting of page subtitles was made, and then only partially
removed. The search page's subtitle ended up left without any
normalization of its output.
Our sites on Wikimedia would not have been affected by this since we've
been running a custom search plugin which replaces the entire
Special:Search code, but third-party sites running the beta code would be.
(In the future please feel free to report security issues by private
mail, or private message on IRC. Generally speaking it's nice to have a
patch ready before public disclosure, even if this is only a few hours.)
Ashar Voultoiz wrote:
> Fixed it by using Sanitizer::removeHTMLtags on the 'search' input. It
> fixes the issue but might have a side effect somewhere.
> I committed the patch in REL1_5 and HEAD.
I've committed a corrected fix for this and a few other
(non-exploitable) subtitle bugs from the above change.
For the impatient, Hashar's and my patches can be grabbed from the
commits list here:
http://mail.wikipedia.org/pipermail/mediawiki-cvs/2005-August/010859.html
http://mail.wikipedia.org/pipermail/mediawiki-cvs/2005-August/010863.html
I'll be releasing a 1.5rc3 tonight which includes these fixes as well as
fixes for failing upgrades from 1.4 wikis.
-- brion vibber (brion @ pobox.com)
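The bug pattern the thread describes, as an added illustration that is not MediaWiki's code and not either of the patches linked above: a page subtitle is built from a message template carrying a $1 parameter, and the query taken from the URL is substituted into it with no output normalization. The names `SEARCHQUERY_TEMPLATE`, `render_subtitle_unsafe`, `render_subtitle_escaped` and `subtitle_is_safe` are hypothetical, and the template text and query are constructed for the example. The hardened form escapes the parameter with `htmlspecialchars` before substitution, which is output normalization rather than the tag-stripping approach Ashar's first patch took.

```php
<?php
// Added example, not MediaWiki code. Models the search-subtitle bug from the
// thread: a template with a $1 placeholder filled from user input.

// Constructed stand-in for the 'searchquery' message (hypothetical text).
const SEARCHQUERY_TEMPLATE = 'For query "$1"';

// Vulnerable form: the raw query string goes straight into the page HTML,
// so any markup in the search box is interpreted by the browser.
function render_subtitle_unsafe(string $query): string
{
    return '<p class="subtitle">'
        . str_replace('$1', $query, SEARCHQUERY_TEMPLATE)
        . '</p>';
}

// Hardened form: escape the user-controlled value before substitution so
// markup in the query is rendered as literal text. ENT_QUOTES also covers
// single quotes, which matters when the value lands inside an attribute.
function render_subtitle_escaped(string $query): string
{
    $safe = htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="subtitle">'
        . str_replace('$1', $safe, SEARCHQUERY_TEMPLATE)
        . '</p>';
}

// Regression check of the kind a fix for this bug should ship with: no angle
// bracket from the input may survive into the rendered subtitle body.
function subtitle_is_safe(string $query): bool
{
    $html  = render_subtitle_escaped($query);
    $inner = substr($html, strlen('<p class="subtitle">'), -strlen('</p>'));
    return strpos($inner, '<') === false && strpos($inner, '>') === false;
}

// Constructed input: search-box contents containing markup and quotes.
$query = 'foo <b>bar</b> & "baz"';

echo "unsafe:  ", render_subtitle_unsafe($query), "\n";
echo "escaped: ", render_subtitle_escaped($query), "\n";
echo "check:   ", subtitle_is_safe($query) ? "pass" : "FAIL", "\n";
```

Run it with `php example.php`: the first line shows the `<b>` element left live in the output, the second shows it turned into `&lt;b&gt;`, and the check passes only for the escaped renderer. Escaping at the output point is the general fix; stripping tags from the input (the approach of the first patch) leaves the door open wherever the same value is later rendered into a context the stripper did not anticipate.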