Last modified: 2014-06-09 06:18:05 UTC
Users can insert any HTML into an LQT thread subject and it will appear unescaped in the page history.
Created attachment 13162: Escape thread subject on history page
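The class of bug reported above, shown as an added example. It is not part of the original report, the LiquidThreads code, or the attached patch; the function names, the row markup and the sample subjects are hypothetical and constructed for illustration.

```php
<?php
// Added illustration only. Names and markup are hypothetical, not LiquidThreads code.

// Vulnerable pattern: a user-supplied subject is concatenated into the
// history row as-is, so any HTML in it becomes part of the page.
function renderHistoryRowUnsafe(string $subject, string $user): string {
    return '<li>' . $user . ' changed subject to "' . $subject . '"</li>';
}

// Escape at output time. ENT_QUOTES also covers values placed in attributes.
function esc(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every user-controlled value passes through esc().
function renderHistoryRowSafe(string $subject, string $user): string {
    return '<li>' . esc($user) . ' changed subject to "' . esc($subject) . '"</li>';
}

// Regression check: inside the fixed <li>...</li> wrapper no raw angle
// bracket may remain, and decoding the entities must restore the subject.
function rowIsInert(string $row, string $subject): bool {
    $inner = substr($row, strlen('<li>'), -strlen('</li>'));
    $noMarkup = strpbrk($inner, '<>') === false;
    $roundTrips = strpos(html_entity_decode($inner, ENT_QUOTES, 'UTF-8'), $subject) !== false;
    return $noMarkup && $roundTrips;
}

// Constructed sample subjects.
$samples = [
    'Plain subject',
    '<b>bold</b> subject',
    '<script>alert(1)</script>',
    "Tom & Jerry's \"thread\"",
];

foreach ($samples as $subject) {
    $unsafe = renderHistoryRowUnsafe($subject, 'ExampleUser');
    $safe = renderHistoryRowSafe($subject, 'ExampleUser');
    printf(
        "%-28s unsafe inert: %-3s safe inert: %s\n",
        $subject,
        rowIsInert($unsafe, $subject) ? 'yes' : 'no',
        rowIsInert($safe, $subject) ? 'yes' : 'no'
    );
}
```

A check like `rowIsInert()` fits in a unit test for each history and log view, since the same stored subject is rendered in several places and each output path needs its own escaping.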
Confirmed the issue, and fix. We'll deploy that and add a note about this in the 1.21.2 release.
Looks like it got deployed:
<logmsgbot> !log csteipp synchronized php-1.22wmf14/extensions/LiquidThreads 'Fix bug53320'
<logmsgbot> !log csteipp synchronized php-1.22wmf13/extensions/LiquidThreads 'Fix bug53320'
CCing Werdna, who wrote this code in r58000.
Are there fixes for older MW/LQT versions available too? Could someone please give detailed information on which versions are fixed and which are not? The main extension page of LQT is somehow misleading to see what's done in the different branches.
The patch was only in master initially, but I just added patches for REL1_19, 20, and 21. Maybe someone can test and merge them?
Does this mean LQT 2.x and 3.x?
(In reply to comment #6)
> Does this mean LQT 2.x and 3.x?
I am not aware of any existing codebase called "LiquidThreads 3.x" so this applies to 2.x.
This was assigned CVE-2013-4308
(In reply to comment #7)
> (In reply to comment #6)
> > Does this mean LQT 2.x and 3.x?
>
> I am not aware of any existing codebase called "LiquidThreads 3.x" so this
> applies to 2.x.
Correct, the vulnerability was in the 2.x branch, which I think is the only reasonably supported version of lqt. It may exist in 3.x, but since that code is pretty much abandoned, I don't think it's been checked.