On 18 Dec 2014, at 06:44, Brian Wolff bawolff@gmail.com wrote:
== Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
- (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this.
Really? That's stretching the definition of a security bug.
(Remember that mediawiki:copyright is a raw html message, that's included on many more pages. Not to mention the whole MediaWiki:Common.js thing)
--bawolff
Not entirely. Unlike message "copyright", the message used on thumb.php ("badtitletext") is not a "raw html" message. It is meant to be parsed and displayed regularly. And always was. Except it was re-used for thumb.php, and forgotten to be parsed there. I won't go into details, but it's exploitable under the right circumstances.
-- Krinkle