On 16.09.2011 01:12, Daniel Friesen wrote:
Looking over an extension that was already badly coded, I realized
there's yet another type of injection vulnerability we have to consider
when coding.
CSS injection vulnerabilities.
Normally MediaWiki sanitizes any style="" tag created by user input.
Things like background-images are stripped out. They can be used to
track users, as a type of spam, and if you're hitting IE users it's
possible you could do even more using an htc file. Oh right, and of
course there's the lovely IE expression(...) which allows raw JavaScript
to be injected right into CSS.

Daniel,
please can you add the essentials of your important information
regarding CSS injection vulnerabilities via extensions
to the relevant pages in the MediaWiki Developer's Guide
http://www.mediawiki.org/wiki/MDG
I guess your information should be added to some pages in section Security
and some pages in section Extensions, SpecialPages, hooks & Co.
Tom
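
As an added illustration for extension authors (not code from this thread and not MediaWiki's own Sanitizer), the following standalone PHP sketch checks a user-supplied style value for the constructs named in the quoted post: remote `url()` fetches, the IE `behavior` property used with htc files, and IE `expression()`. The function names and sample inputs are hypothetical and constructed; it covers only these constructs, rejects rather than repairs, and assumes the mbstring extension.

```php
<?php
// Added illustration; function names are hypothetical, not MediaWiki API.

/** Undo CSS escapes and comments so that hidden keywords become visible. */
function normalizeStyleValue(string $css): string {
    $css = preg_replace_callback(
        '/\\\\(?:([0-9a-f]{1,6})\s?|(.))/is',
        static function (array $m): string {
            if ($m[1] === '') {
                // Simple escape such as "\(": keep the character itself;
                // backslash-newline is a line continuation.
                return $m[2] === "\n" ? '' : $m[2];
            }
            // Hex escape such as "\78 " (= "x"); invalid code points become U+FFFD.
            $ch = mb_chr(hexdec($m[1]), 'UTF-8');
            return ($ch === false || $ch === "\0") ? "\u{FFFD}" : $ch;
        },
        $css
    ) ?? '';
    // Remove complete comments; "ex/**/pression" must read as "expression".
    return preg_replace('!/\*.*?\*/!s', '', $css) ?? '';
}

/** Return the list of risky constructs found; an empty list means none matched. */
function findUnsafeStyleConstructs(string $css): array {
    $norm = strtolower(normalizeStyleValue($css));
    $hits = [];
    if (preg_match('/url\s*\(/', $norm)) {
        $hits[] = 'url()';        // remote fetch: user tracking, image spam
    }
    if (preg_match('/expression\s*\(/', $norm)) {
        $hits[] = 'expression()'; // IE: script evaluated from CSS
    }
    if (preg_match('/behavior\s*:/', $norm)) {
        $hits[] = 'behavior';     // IE: attaches an htc file
    }
    if (strpos($norm, '\\') !== false || strpos($norm, '/*') !== false) {
        $hits[] = 'leftover escape or unclosed comment'; // could not be normalized
    }
    return $hits;
}

// Constructed sample inputs.
$samples = [
    'color: red; font-weight: bold',
    'background-image: url(http://tracker.example/pixel.gif)',
    'width: e\78pression(1)',
    'width: ex/**/pression(1)',
    'behavior: url(sample.htc)',
];
foreach ($samples as $s) {
    echo $s, ' => ', json_encode(findUnsafeStyleConstructs($s)), "\n";
}
```

An extension that emits a style attribute from user input would discard the whole value when the returned list is non-empty.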