On Jan 11, 2005, at 11:07 PM, Gabriel Wicke wrote:
> You can comment out the redirect part in RawPage.php, about 2/3 down. I'm not sure it even makes a difference for IE, but haven't thoroughly tested it.
DO NOT COMMENT THAT OUT! It's a workaround for an IE security flaw, for which we made a security fix release in late September.
Here's a demonstration of the flaw:
* Log in to your wiki.
* Make a wiki page [[Evil.html]]
* Put in it this text: <script type="text/javascript">alert(document.cookie);</script>
* Comment out that check in RawPage.php
* In IE, go to http://yourwiki/Evil.html?action=raw
* Watch as your session cookie, user ID and name, and login token (if using 'remember my password') are displayed in a popup dialog.
Even though the wiki sends a "Content-type: text/x-wiki" header, the combination of a ".html" "file extension" on the URL and a "<script" in the first 200 bytes of the data tells IE that it should interpret the data as HTML -- including execution of any embedded JavaScript. Instead of a popup, this could be sending everything needed to log in as you to a malicious web site or submitting forms on the wiki with your privileges (editing pages, deleting, blocking, unblocking).
In Windows XP SP2, IE now has an option to turn off some of this autodetection, though I'm not sure it fixes all such holes. The unsafe behavior is on by default.
The workaround is to require that a 'raw' access be made from a canonical script URL, which will have a nice boring .php or .phtml extension and doesn't trigger the IE type autodetection bug. I did this with a redirect (instead of simply a 403 rejection) to preserve existing links.
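The canonical-URL check described above, written out as an added example; this is not MediaWiki's own RawPage.php code. The function name `rawCanonicalRedirect`, its parameters, and the `/index.php` default are assumptions made for illustration. The `X-Content-Type-Options: nosniff` header at the end is a later browser feature that did not exist when this thread was written; it is included as the modern complement to the redirect, not as part of the 2005 fix.

```php
<?php
// Added example, not MediaWiki's RawPage.php: serve action=raw only from a
// script URL with a boring .php/.phtml extension, so IE's extension-based
// content sniffing never sees a path like /Evil.html.

/**
 * Decide whether a raw-page request may be served from its current URL.
 *
 * Returns null when the request path already ends in .php or .phtml
 * (nothing to do), otherwise the canonical URL the caller should redirect to.
 * $requestUri is what $_SERVER['REQUEST_URI'] would hold; $canonicalScript is
 * the real script path (assumed '/index.php' here).
 */
function rawCanonicalRedirect( string $requestUri, string $title,
                               string $canonicalScript = '/index.php' ): ?string {
    // Only the path matters; the query string (?action=raw) is irrelevant
    // to the extension IE looks at.
    $path = (string) parse_url( $requestUri, PHP_URL_PATH );

    // Acceptable: the path itself carries a script extension.
    if ( preg_match( '/\.(php|phtml)$/i', $path ) ) {
        return null;
    }

    // Otherwise send the client to the canonical script URL with the same
    // title, keeping old links working instead of returning 403.
    return $canonicalScript . '?title=' . urlencode( $title ) . '&action=raw';
}

/**
 * Request handler for the raw view. $wikitext is the page source to emit.
 */
function serveRaw( string $requestUri, string $title, string $wikitext ): void {
    $redirect = rawCanonicalRedirect( $requestUri, $title );
    if ( $redirect !== null ) {
        header( 'Location: ' . $redirect, true, 301 );
        exit;
    }
    header( 'Content-Type: text/x-wiki; charset=utf-8' );
    // Modern addition (not available to IE in 2005): tell browsers not to
    // second-guess the declared type at all.
    header( 'X-Content-Type-Options: nosniff' );
    echo $wikitext;
}

// Constructed sample requests, matching the demonstration in the thread:
//   /Evil.html?action=raw            -> redirected to /index.php?title=Evil.html&action=raw
//   /index.php?title=Evil.html&action=raw -> served directly (returns null)
var_dump( rawCanonicalRedirect( '/Evil.html?action=raw', 'Evil.html' ) );
var_dump( rawCanonicalRedirect( '/index.php?title=Evil.html&action=raw', 'Evil.html' ) );
```

The extension test is deliberately applied to the path alone: a query string cannot change what IE treats as the "file extension", so `?action=raw` on `/Evil.html` is redirected while the same request through `/index.php` passes through untouched.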
-- brion vibber (brion @ pobox.com)