Last modified: 2013-07-25 07:07:29 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T53801, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 51801 - Upload Wizard exploitable with evil filenames
Upload Wizard exploitable with evil filenames
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
UploadWizard (Other open bugs)
unspecified
All All
: Unprioritized normal (vote)
: ---
Assigned To: Rainer Rillke @commons.wikimedia
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-22 10:53 UTC by Rainer Rillke @commons.wikimedia
Modified: 2013-07-25 07:07 UTC (History)
6 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Rainer Rillke @commons.wikimedia 2013-07-22 10:53:19 UTC 
Linux is very permissive with its file names (compared to Windows). I was able to create a file with the following name:
<a onmouseover="alert('XSS')">abc</a>test.png

Then I uploaded this file and when hovering the title, an XSS alert is shown.
Comment 1 Rainer Rillke @commons.wikimedia 2013-07-22 10:53:59 UTC 
(js-client exploitable)
Comment 2 Gerrit Notification Bot 2013-07-22 11:08:43 UTC 
Change 75090 had a related patch set uploaded by Rillke:
Filename: Using text instead of HTML to avoid exploitable

https://gerrit.wikimedia.org/r/75090
Comment 3 Gerrit Notification Bot 2013-07-22 12:09:00 UTC 
Change 75090 merged by jenkins-bot:
Filename: Using text instead of HTML to avoid exploitable

https://gerrit.wikimedia.org/r/75090
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links