Last modified: 2013-02-05 16:58:39 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T46618, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 44618 - http://bots.wmflabs.org cross site scripting


Summary:	http://bots.wmflabs.org cross site scripting

Status:	RESOLVED FIXED

Product:	Wikimedia Labs
Classification:	Unclassified
Component:	bots (Other open bugs)
Version:	unspecified
Hardware:	All All

Importance:	High major
Target Milestone:	---
Assigned To:	Peter Bena

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2013-02-03 13:39 UTC by Sony
Modified:	2013-02-05 16:58 UTC (History)
CC List:	10 users (show)

See Also:
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
xss (82.77 KB, image/jpeg) 2013-02-03 13:39 UTC, Sony	Details
Add an attachment (proposed patch, testcase, etc.)

Description Sony 2013-02-03 13:39:17 UTC

Created attachment 11720 [details]
xss

xss in url.

test on mozilla firefox browser.

http://bots.wmflabs.org/~wm-bot/searchlog/index.php?action=search&channel=%27;alert%28String.fromCharCode%2888,83,83%29%29//%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E%23%23thinewiki

Comment 1 Alex Monk 2013-02-03 14:38:03 UTC

Comment 2 Chris Steipp 2013-02-04 17:07:57 UTC

Confirmed. Html is being written directly into the text context.

(simplified exploit url)
http://bots.wmflabs.org/~wm-bot/searchlog/index.php?action=search&channel=<SCRIPT>alert(1)</SCRIP>

The exploitability is limited since this is on the wmflabs.org domain, so an attacker cannot use it to attack other wmf sites directly, but we'll get it fixed up soon.

Ryan, do you know who manages the web interface on the bots project?

Comment 3 Ryan Lane 2013-02-04 17:09:29 UTC

wm-bot is run by Petr, who is assigned on the bug.

Comment 4 Peter Bena 2013-02-05 09:12:48 UTC

source code of this is located at:

git@github.com:benapetr/wikimedia-botslogs.git


anyway I will fix that

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links