Last modified: 2014-11-14 19:59:52 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. It is not possible to log in, and, apart from displaying bug reports and their history, links might be broken. See T40150, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 38150 - XSS via 'form_name' parameter on Semantic Forms's Special:CreateForm page
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: SemanticForms
Version: unspecified
Hardware/OS: All / All
Importance: Unprioritized normal
Assigned To: Yaron Koren
Reported: 2012-07-03 18:07 UTC by Reed Loden
Modified: 2014-11-14 19:59 UTC


Attachments
Use Html::input instead of writing string directly. (840 bytes, patch) - 2012-07-03 20:28 UTC, Chris Steipp

Description Reed Loden 2012-07-03 18:07:20 UTC
There's an XSS issue on Semantic MediaWiki's Special:CreateForm page in the 'form_name' parameter.

Example XSS value: ""><script>alert("3")</script>

Video example: http://youtu.be/c1QkVOUEjMQ
Screenshot: http://i1256.photobucket.com/albums/ii488/testfortest/123/ww.png?t=1338819700

This issue was reported to Mozilla by Sony <insecurity.ro@gmail.com>.

Mozilla is tracking this as https://bugzilla.mozilla.org/show_bug.cgi?id=761114.
Comment 1 Chris Steipp 2012-07-03 20:28:15 UTC
Created attachment 10820
Use Html::input instead of writing string directly.

Confirmed in 2.4.2. Patch attached.
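The pattern behind this report and the attached fix, as an added PHP example (this is not the Semantic Forms code or the attached patch; the function names and the probe input are constructed for illustration): a request parameter concatenated straight into an `<input value="...">` attribute, next to the same tag built with attribute escaping.

```php
<?php
// Added example, not the Semantic Forms code or the attached patch.
// It reproduces the class of bug behind 38150: a request parameter echoed
// into an <input value="..."> attribute without escaping, beside the safe
// construction. Function names and the sample input are assumptions.

// Vulnerable pattern: raw string building. A value containing a double quote
// terminates the attribute, and whatever follows lands in the page as markup.
function buildFormNameInputUnsafe( string $formName ): string {
    return '<input type="text" name="form_name" value="' . $formName . '" />';
}

// Hardened pattern: escape for the HTML attribute context. ENT_QUOTES converts
// both " and ', so the value can never close the attribute it sits in.
// In MediaWiki, Html::input( 'form_name', $formName ) produces the escaped
// form for you; it runs every attribute value through htmlspecialchars().
function buildFormNameInputSafe( string $formName ): string {
    $escaped = htmlspecialchars( $formName, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return '<input type="text" name="form_name" value="' . $escaped . '" />';
}

// Crude detector used only to make the difference visible: a fragment that
// should contain exactly one <input> tag has exactly one '<' in it.
function containsUnexpectedTags( string $html ): bool {
    return substr_count( $html, '<' ) > 1;
}

// Constructed input: the probe value quoted in the bug description.
$probe = '"><script>alert("3")</script>';

$unsafe = buildFormNameInputUnsafe( $probe );
$safe   = buildFormNameInputSafe( $probe );

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";

var_dump( containsUnexpectedTags( $unsafe ) );
var_dump( containsUnexpectedTags( $safe ) );
```

Run it with `php`: the unsafe builder emits the probe verbatim, so the first quote closes the `value` attribute and a second tag appears in the output, which the detector reports as `true`; the escaped builder keeps the whole probe inside the attribute as `&quot;&gt;&lt;script&gt;...`, and the detector reports `false`. Replacing hand-built strings with Html::input, as the patch does, gets that escaping on every attribute without having to remember it at each call site.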
Comment 2 Yaron Koren 2012-07-06 01:32:50 UTC
I checked in the change - thanks for the patch. Hopefully this was the last bit of hardcoded HTML in the Semantic Forms code...
Comment 3 Reed Loden 2012-07-06 22:21:53 UTC
Where can I get an updated copy of Semantic Forms that includes this fix?
Comment 4 Yaron Koren 2012-07-06 22:24:19 UTC
It's available already via Git - there's not yet a new downloadable version with the fix. That will hopefully come out soon-ish.
Comment 5 Chris Steipp 2012-07-06 22:58:40 UTC
Yaron, I pulled it from svn just now (following the link on http://www.mediawiki.org/wiki/Extension:Semantic_Forms/Download_and_installation), and svn does *not* have the fix yet. Which git repo is it in?
Comment 7 Yaron Koren 2012-07-06 23:17:22 UTC
Oh, yeah - all the documentation still needs to be changed from SVN to Git.
Comment 8 Chris Steipp 2012-07-09 18:54:42 UTC
Thanks for updating the git link. It looks like the zip files have not been updated:

http://discoursedb.org/SemanticForms/semantic_forms_2.4.2.tar.gz
http://discoursedb.org/SemanticForms/semantic_forms_2.4.2.zip

And the google project for the bundle also has the old version of the files:

https://code.google.com/p/semantic-mediawiki-bundle/

Yaron, can you handle those as well?
Comment 9 Yaron Koren 2012-07-09 19:19:07 UTC
No, indeed, those haven't been updated yet - that will happen when there's a new version of Semantic Forms and Semantic Bundle, respectively.
Comment 10 Brandon Burton 2012-09-01 03:02:23 UTC
When is a new version expected to be released?
Comment 11 Yaron Koren 2012-09-01 03:05:39 UTC
Hi - it was released yesterday. :)
Comment 12 Brandon Burton 2012-09-01 03:07:40 UTC
(In reply to comment #11)
> Hi - it was released yesterday. :)

Awesome, do you know how long it should take for https://code.google.com/p/semantic-mediawiki-bundle/downloads/list to be updated?

Cheers
Comment 13 Yaron Koren 2012-09-01 03:15:53 UTC
That one could be a while, unfortunately - maybe a month or two.
