Last modified: 2013-10-23 23:49:16 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T37731, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 35731 - XSS Attack embedded in web based initial setup
XSS Attack embedded in web based initial setup
Status: RESOLVED WORKSFORME
Product: MediaWiki
Classification: Unclassified
Installer (Other open bugs)
1.18.x
All All
: Lowest normal (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-04-05 16:36 UTC by xnetsplork
Modified: 2013-10-23 23:49 UTC (History)
5 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
The form as I saw it (107.55 KB, image/png)
2012-04-05 16:36 UTC, xnetsplork 		Details
Add an attachment (proposed patch, testcase, etc.)

Description xnetsplork 2012-04-05 16:36:05 UTC 
Created attachment 10383 [details]
The form as I saw it

Replicated four times on completely fresh servers with source grabbed from mediawiki.org.

Using the web based setup to generate the initial LocalSettings.php for the first time causes a phishing popup to appear using amazon CSS, images, and scripts.

I've attached a screenshot and if requested can attach the source I have visible. The page imports an iframe for the form that refers to a page only visible from the client that spawned the popup, in my case: http://ec2-75-101-235-219.compute-1.amazonaws.com:8000/qwopumeuvqopmgutpcypsvjcyzqklwmp.php

It will only spawn the first time someone attempts to view the GUI, after which it behaves perfectly.

I've repeatedly scanned my computer to ensure that it wasn't locally based malware, and the behavior only appears with the circumstances I described.
Comment 1 Mark A. Hershberger 2012-04-05 18:44:54 UTC 
I don't see this at all.
Comment 2 Chad H. 2012-04-05 18:53:06 UTC 
I'm not sure why it was happening, but it was definitely happening and I asked him to file a bug.

He hosts his wiki(s) on AWS, which may be part of the culprit here.
Comment 3 Jarry1250 2012-04-05 19:03:56 UTC 
A rootkit installed somewhere or other?

http://www.cibcfcib.com/index.php?page=fraudulent-website-attempts-phishing
Comment 4 Joshua C. Lerner 2012-04-05 19:34:31 UTC 
(In reply to comment #3)
> A rootkit installed somewhere or other?
> 
> http://www.cibcfcib.com/index.php?page=fraudulent-website-attempts-phishing

I was just about to post the same thing - similar link:

http://www.alliantcreditunion.org/services/security/fraudalerts/

Unable to reproduce the described behavior using AMI:

099720109477/ubuntu/images-testing/ebs/ubuntu-precise-daily-i386-server-20120401
Comment 5 Jesús Martínez Novo (Ciencia Al Poder) 2013-02-21 19:30:26 UTC 
1.18 is no longer supported, and there's no evidence of it coming from MediaWiki installation. It's most likely a malware infection on the client.
Comment 6 Chad H. 2013-02-21 20:21:42 UTC 
Well 1.18 has nothing to do with it, since we still use the same installer.

But the fact that nobody could replicate probably makes it a WORKSFORME.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links