On 18 Dec 2014, at 06:44, Brian Wolff <bawolff(a)gmail.com> wrote:
== Security fixes in 1.24.1, 1.23.8, 1.22.15 and 1.19.23 ==
* (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML,
which could lead to xss. Permission to edit MediaWiki namespace is required
to exploit this.
Really? That's stretching the definition of a security bug.
(Remember that mediawiki:copyright is a raw html message, that's
included on many more pages. Not to mention the whole
MediaWiki:Common.js thing)
--bawolff
Not entirely. Unlike message "copyright", the message used on thumb.php
("badtitletext") is not a "raw html" message. It is meant to be parsed and
displayed regularly. And always was. Except it was re-used for thumb.php, and
forgotten to be parsed there. I won't go into details, but it's exploitable
under the right circumstances.
-- Krinkle