Last modified: 2013-09-05 17:00:44 UTC
It looks like bug #28534 was re-introduced in MediaWiki 1.21.1. Test URL: http://ossdepot.v-front.de/wiki/api%2Ephp?action=query&meta=siteinfo&format=json&siprop=%3Cbody%20onload=alert(document.cookie)%3E.shtml (This is a fresh 1.21.1 installation). This was detected by a security scan via scanmyserver.com and confirmed by their support.
[Note to Security team: This Bugzilla ticket got filed under "MediaWiki" instead of "Security" product and hence is already known to the public, e.g. via http://article.gmane.org/gmane.org.wikimedia.mediawiki.bugs/359688 . Maybe also because http://www.mediawiki.org/wiki/Security does not mention Bugzilla? :-/ ]
I'm not sure if this is a regression, since that code hasn't changed much since Tim's patch for 28534. If you change the reported url to alert(1), as the issue was reported in 28524, instead of alert(document.cookie), you correctly get the IE redirect. I'm not sure if it was intentional in that patch or not, but it seems (to me) that findIE6Extension doesn't correctly detect the extension if there are an even number of . characters in the url, since $pos = $nextPos + 1; will walk past the second . character, and then not detect that there was a . followed by legal characters. If that wasn't intentional, then changing that to $pos = $nextPos; should fix the issue.
Created attachment 13095 [details] Patch with unit test Confirmed XSS on mediawiki.org in IE6. Skipping the character after a dot is definitely unintentional.
Thanks, I applied the patch to my installation, and the scanmyserver.com service does no longer detect this issue. (In reply to comment #3) > Created attachment 13095 [details] > Patch with unit test > > Confirmed XSS on mediawiki.org in IE6. Skipping the character after a dot is > definitely unintentional.
Change 82528 had a related patch set (by Tim Starling) published: SECURITY: Fix extension detection with 2 .'s https://gerrit.wikimedia.org/r/82528
Change 82528 merged by jenkins-bot: SECURITY: Fix extension detection with 2 .'s https://gerrit.wikimedia.org/r/82528
Change 82536 had a related patch set uploaded by CSteipp: SECURITY: Fix extension detection with 2 .'s https://gerrit.wikimedia.org/r/82536
Change 82538 had a related patch set uploaded by CSteipp: SECURITY: Sanitize ResourceLoader exception messages https://gerrit.wikimedia.org/r/82538
Change 82540 had a related patch set uploaded by CSteipp: SECURITY: Sanitize ResourceLoader exception messages https://gerrit.wikimedia.org/r/82540
Change 82542 had a related patch set uploaded by CSteipp: SECURITY: Fix extension detection with 2 .'s https://gerrit.wikimedia.org/r/82542
Change 82544 had a related patch set uploaded by CSteipp: SECURITY: Sanitize ResourceLoader exception messages https://gerrit.wikimedia.org/r/82544
Change 82546 had a related patch set uploaded by CSteipp: SECURITY: Fix extension detection with 2 .'s https://gerrit.wikimedia.org/r/82546
Change 82536 merged by CSteipp: SECURITY: Fix extension detection with 2 .'s https://gerrit.wikimedia.org/r/82536
Change 82540 merged by jenkins-bot: SECURITY: Sanitize ResourceLoader exception messages https://gerrit.wikimedia.org/r/82540
Change 82544 merged by jenkins-bot: SECURITY: Sanitize ResourceLoader exception messages https://gerrit.wikimedia.org/r/82544
Change 82538 merged by jenkins-bot: SECURITY: Sanitize ResourceLoader exception messages https://gerrit.wikimedia.org/r/82538
Change 82546 merged by jenkins-bot: SECURITY: Fix extension detection with 2 .'s https://gerrit.wikimedia.org/r/82546
Change 82542 merged by jenkins-bot: SECURITY: Fix extension detection with 2 .'s https://gerrit.wikimedia.org/r/82542
[restoring RESOLVED FIXED state which was set before the Gerrit Notification Bot inserted links to the Gerrit patchsets]
This issue was assigned CVE-2013-4303
