Brion Vibber wrote:
> Edward Z. Yang wrote:
>> See http://ha.ckers.org/blog/20070220/mediawiki-192-utf-7-xss/ for details. I'm sure we get these all the time, but since RSnake picked it up it probably will get a bit more publicity than normal. Has it been fixed on the trunk yet?
> Haven't heard of it before now, so I'll take a look.
Fixed on trunk in r20007.
As with the previous (non-UTF7-autodetection-based) bug mentioned, this only affects wikis with $wgUseAjax enabled, which is off by default.
I went through and added preemptive charset headers in various other places (mostly custom HTTP error output) though I didn't notice anything that looked exploitable.
Will backport to release branches and put out bugfix releases shortly.
-- brion vibber (brion @ pobox.com / brion @ wikimedia.org)
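
The charset fix described in the message above can be checked on any HTTP response. The following is an added example, not MediaWiki code and not part of the original message: it flags responses that declare no charset and shows why HTML escaping alone does not help when the body is sniffed as UTF-7. The function names, the headers-as-dict shape and the sample input are assumptions made for illustration.

```python
import html
from email.message import Message


def declared_charset(content_type):
    """Return the charset parameter of a Content-Type value, or None."""
    if not content_type:
        return None
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_charset()


def decodes_to_markup_as_utf7(body):
    """True if the bytes hold no literal angle brackets but gain them as UTF-7."""
    if b"<" in body or b">" in body:
        return False
    try:
        text = body.decode("utf-7")
    except UnicodeDecodeError:
        return False
    return "<" in text or ">" in text


def audit_response(headers, body):
    """Return findings for one response (headers: dict, body: bytes)."""
    findings = []
    if declared_charset(headers.get("Content-Type")) is None:
        findings.append("no charset declared")
        # Without a declared charset the client may autodetect the encoding.
        if decodes_to_markup_as_utf7(body):
            findings.append("body becomes markup if sniffed as UTF-7")
    return findings


# Constructed sample: input with no < > & or quotes, so escaping leaves it as-is.
SAMPLE_INPUT = "+ADw-b+AD4-hi+ADw-/b+AD4-"
ESCAPED = html.escape(SAMPLE_INPUT).encode("ascii")

if __name__ == "__main__":
    # Missing charset: both findings are reported.
    print(audit_response({"Content-Type": "text/html"}, ESCAPED))
    # Explicit charset, as in the fix: nothing to report.
    print(audit_response({"Content-Type": "text/html; charset=utf-8"}, ESCAPED))
```
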