Last modified: 2013-04-16 06:09:13 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T49251, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 47251 - XXE in Import and RSS Extension

Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: Export/Import
Version: unspecified
Hardware: All
OS: All
Priority: Unprioritized
Severity: major
Target Milestone: 1.20.x release
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:

Reported: 2013-04-15 15:54 UTC by Chris Steipp
Modified: 2013-04-16 06:09 UTC
CC: 6 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Description Chris Steipp 2013-04-15 15:54:00 UTC
Similar to the issue in bug 46859, both the article import feature, and the RSS Extension parse user-supplied XML, without disabling external entities.

During import, the external entity is expanded (can trigger an http get, or could execute an expect:// handler), but the output is not shown (the parsing encounters an unexpected "mediawiki" element, and fails), so confidentiality of local files is not compromised.

While displaying an RSS feed with the RSS Extension, entities are expanded, and can be displayed to the user. A malicious RSS could compromise the confidentiality of local files, in addition to triggering http gets or executing expect:// handlers.
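As an added example (not MediaWiki's or the RSS extension's own code, and not the Gerrit fix linked below), here is how a PHP consumer of an import dump or RSS feed can parse the XML with external entity expansion disabled: reject any DOCTYPE up front, never pass LIBXML_NOENT, and forbid network access during parsing. The function name and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not MediaWiki's own code: parse an import dump or RSS feed
// without ever expanding external entities. Throws on DOCTYPE or parse error.
function loadUntrustedXml(string $xml): DOMDocument {
    // An XXE payload needs a DTD to declare its entity, and neither a
    // MediaWiki export nor an RSS feed legitimately carries one, so the
    // simplest robust defence is to reject any DOCTYPE before parsing.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE not allowed in untrusted XML');
    }

    // Defence in depth: stop libxml from loading external entities at all.
    // libxml >= 2.9 already defaults to this and PHP 8 deprecates the call,
    // so only use it on older PHP where it still matters.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // LIBXML_NOENT is deliberately NOT set: that flag is what substitutes
    // entities. LIBXML_NONET forbids any network access while parsing.
    $ok = $doc->loadXML($xml, LIBXML_NONET);

    libxml_use_internal_errors($previousErrors);
    if ($previousLoader !== null) {
        libxml_disable_entity_loader($previousLoader);
    }
    if ($ok === false) {
        throw new InvalidArgumentException('XML parse error');
    }
    return $doc;
}

// Constructed sample inputs for demonstration.
$benignRss = '<?xml version="1.0"?><rss><channel><title>Example feed</title></channel></rss>';
echo loadUntrustedXml($benignRss)->getElementsByTagName('title')->item(0)->textContent, "\n";

$withDtd = '<?xml version="1.0"?><!DOCTYPE rss [<!ENTITY ext SYSTEM "file:///example">]>'
    . '<rss><channel><title>&ext;</title></channel></rss>';
try {
    loadUntrustedXml($withDtd);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The DOCTYPE check is what actually closes the hole on every PHP and libxml version; the loader and flag settings only limit the damage if a DTD somehow gets through.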
Comment 1 Gerrit Notification Bot 2013-04-15 20:53:00 UTC
Related URL: https://gerrit.wikimedia.org/r/59202 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)
Comment 2 Gerrit Notification Bot 2013-04-15 22:47:40 UTC
Related URL: https://gerrit.wikimedia.org/r/59342 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)
Comment 3 Gerrit Notification Bot 2013-04-15 23:12:15 UTC
Related URL: https://gerrit.wikimedia.org/r/59349 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)
Comment 4 Gerrit Notification Bot 2013-04-15 23:28:26 UTC
Related URL: https://gerrit.wikimedia.org/r/59357 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)
Comment 5 Gerrit Notification Bot 2013-04-16 06:09:13 UTC
Related URL: https://gerrit.wikimedia.org/r/59377 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)
