Hi All,
I apologize if this isn't the place to report this, but a colleague and I uncovered a cross site scripting bug that seems to be in the 1.5 branch. I've seen it in 1.5b4. Exploiting it is easy. The contents of the search box are placed verbatim on the search results page. This means you can place any HTML you want in the search and up it comes. Since the search parameters are passed on the URL, it's a no-brainer to create a URL with offending content. Add the following URL to any 1.5b4 site and you should see a JavaScript alert box pop up:
index.php/Special:Search?search=%3Cbody+onload%3D%22javascript%3Aalert%28%27cross+site+script+testing+shows+you+are+vulnerable%27%29%3B%22%3E%3Cb%3E%3Ci%3Ecross+site+script+test%3C%2Fi%3E%3C%2Fb%3E%3C%2Fbody%3E
As example in the wild (sorry, Gentoo) as of this writing: http://gentoo-wiki.com/index.php/Special:Search?search=%3Cbody+onload%3D%22javascript%3Aalert%28%27cross+site+script+testing+shows+you+are+vulnerable%27%29%3B%22%3E%3Cb%3E%3Ci%3Ecross+site+script+test%3C%2Fi%3E%3C%2Fb%3E%3C%2Fbody%3E
I have not seen this earlier than the 1.5 branch, and it would seem Wikipedia and a few others are doing something different from the default which prevents the issue. One simple workaround is to change the 'searchquery' message to not use the $1 parameter for now.
Keep the faith, Jeff
Wolfe, Jeff wrote:
Hi All,
I apologize if this isn't the place to report this, but a colleague and I uncovered a cross site scripting bug that seems to be in the 1.5 branch. I've seen it in 1.5b4. Exploiting it is easy. The contents of the search box are placed verbatim on the search results page. This means you can place any HTML you want in the search and up it comes. Since the search parameters are passed on the URL, it's a no-brainer to create a URL with offending content. Add the following URL to any 1.5b4 site and you should see a JavaScript alert box pop up:
<snip>
I have not seen this earlier than the 1.5 branch, and it would seem Wikipedia and a few others are doing something different from the default which prevents the issue. One simple workaround is to change the 'searchquery' message to not use the $1 parameter for now.
Fixed it by using Sanitizer::removeHTMLtags on the 'search' input. It fixes the issue but might have a side effect somewhere.
I committed the patch in REL1_5 and HEAD.
Wolfe, Jeff wrote:
Hi All,
I apologize if this isn't the place to report this, but a colleague and I uncovered a cross site scripting bug that seems to be in the 1.5 branch. I've seen it in 1.5b4. Exploiting it is easy. The contents of the search box are placed verbatim on the search results page. This means you can place any HTML you want in the search and up it comes. Since the search parameters are passed on the URL, it's a no-brainer to create a URL with offending content. Add the following URL to any 1.5b4 site and you should see a JavaScript alert box pop up:
<snip>
I have not seen this earlier than the 1.5 branch, and it would seem Wikipedia and a few others are doing something different from the default which prevents the issue. One simple workaround is to change the 'searchquery' message to not use the $1 parameter for now.
Thanks for the catch!
The bug was introduced in CVS HEAD on June 24, when an experimental change to formatting of page subtitles was made, and then only partially removed. The search page's subtitle ended up left without any normalization of its output.
Our sites on Wikimedia would not have been affected by this since we've been running a custom search plugin which replaces the entire Special:Search code, but third-party sites running the beta code would be.
(In the future please feel free to report security issues by private mail, or private message on IRC. Generally speaking it's nice to have a patch ready before public disclosure, even if this is only a few hours.)
Ashar Voultoiz wrote:
Fixed it by using Sanitizer::removeHTMLtags on the 'search' input. It fixes the issue but might have a side effect somewhere.
I committed the patch in REL1_5 and HEAD.
I've committed a corrected fix for this and a few other (non-exploitable) subtitle bugs from the above change.
For the impatient, Hashar's and my patches can be grabbed from the commits list here: http://mail.wikipedia.org/pipermail/mediawiki-cvs/2005-August/010859.html http://mail.wikipedia.org/pipermail/mediawiki-cvs/2005-August/010863.html
I'll be releasing a 1.5rc3 tonight which includes these fixes as well as fixes for failing upgrades from 1.4 wikis.
-- brion vibber (brion @ pobox.com)
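Added illustration of the defect and of the two kinds of fix discussed in this thread; this is not code from the thread or from MediaWiki. It decodes the reported URL, renders a subtitle from a 'searchquery'-style message three ways (raw substitution of $1 as in 1.5b4, a strip-tags approach, and HTML output encoding), and checks which renderings still contain parseable markup. Assumptions: the message text `For query "$1"` is constructed (the thread only says the message takes $1), the regex tag stripper is a crude stand-in and not MediaWiki's Sanitizer::removeHTMLtags, and PHP-style decoding of the query parameter is approximated with `urllib.parse`.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The URL from the report, with the line-wrap spaces removed.
REPORTED_URL = (
    "index.php/Special:Search?search=%3Cbody+onload%3D%22javascript%3Aalert%28%27"
    "cross+site+script+testing+shows+you+are+vulnerable%27%29%3B%22%3E%3Cb%3E%3Ci"
    "%3Ecross+site+script+test%3C%2Fi%3E%3C%2Fb%3E%3C%2Fbody%3E"
)

# Constructed stand-in for the 'searchquery' message; the real message text is
# not quoted in the thread, only that it takes the query as $1.
SEARCHQUERY_MSG = 'For query "$1"'


def search_param(url):
    """Decode the 'search' query parameter the way a PHP $_GET lookup would
    (percent-decoding, with '+' as space)."""
    return parse_qs(urlsplit(url).query)["search"][0]


def subtitle_verbatim(query):
    """Vulnerable rendering: $1 is replaced by the raw query, so markup in the
    query becomes markup in the page (the 1.5b4 behaviour the report describes)."""
    return SEARCHQUERY_MSG.replace("$1", query)


# Crude tag stripper used only to illustrate the trade-off of a strip-tags
# approach; it is an assumption, not MediaWiki's Sanitizer::removeHTMLtags.
TAG_RE = re.compile(r"<[^>]*>")


def subtitle_stripped(query):
    """Strip-tags rendering: blocks this payload but silently rewrites any
    query that merely contains '<' and '>' (the 'side effect' worry)."""
    return SEARCHQUERY_MSG.replace("$1", TAG_RE.sub("", query))


def subtitle_escaped(query):
    """Output-encoding rendering: the query is shown exactly as typed and the
    browser never sees a tag, because '<', '>', '"' and "'" are entity-encoded."""
    return SEARCHQUERY_MSG.replace("$1", html.escape(query, quote=True))


def has_live_markup(rendered):
    """Check on a rendered subtitle: a raw '<' followed by a letter, '/' or '!'
    is something an HTML parser will treat as the start of a tag."""
    return re.search(r"<[A-Za-z/!]", rendered) is not None


def escaping_round_trips(query):
    """Escaping loses nothing: entity-decoding the escaped subtitle yields the
    verbatim one, so the reader still sees the original query text."""
    return html.unescape(subtitle_escaped(query)) == subtitle_verbatim(query)


if __name__ == "__main__":
    q = search_param(REPORTED_URL)
    for name, render in (("verbatim", subtitle_verbatim),
                         ("stripped", subtitle_stripped),
                         ("escaped", subtitle_escaped)):
        out = render(q)
        print(f"{name:9s} live markup: {has_live_markup(out)!s:5s} {out}")
    # Benign query that a strip-tags fix mangles but escaping preserves.
    benign = "x < y > z"
    print("stripped :", subtitle_stripped(benign))
    print("escaped  :", subtitle_escaped(benign))
```

The subtitle is an HTML text node, so the context-correct fix is entity encoding at the point of output; stripping tags blocks the reported payload but changes what a legitimate query containing angle brackets displays as, which is the kind of side effect the thread anticipates.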
mediawiki-l@lists.wikimedia.org