Last modified: 2014-08-14 16:31:15 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. See T70187, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 68187 - Mitigate CVE-2014-4671 (jsonp flash)
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: API
Version: 1.24rc
Hardware/OS: All / All
Priority/Severity: Unprioritized / normal
Target Milestone: 1.24.0 release
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:
Reported: 2014-07-17 20:14 UTC by Chris Steipp
Modified: 2014-08-14 16:31 UTC
CC: 10 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
Patch (1.05 KB, patch) - 2014-07-17 20:28 UTC, Brad Jorsch
Prepend jsonp callback with comment (1.83 KB, patch) - 2014-07-17 20:53 UTC, Chris Steipp
Backport to REL1_22 (1.04 KB, patch) - 2014-07-29 09:42 UTC, Markus Glaser
Backport to REL1_19 (996 bytes, patch) - 2014-07-29 09:43 UTC, Markus Glaser

Description Chris Steipp 2014-07-17 20:14:18 UTC
Reported by Nicolas Grégoire.

We already set nosniff, so Chrome/Opera shouldn't be affected. But it probably makes sense to prepend our jsonp with /**/ like rails did https://github.com/rails/rails/pull/16109/files.


>>>>

Hello,

it seems that the "api.php" file included in MediaWiki is vulnerable to
a JSONP injection (CVE-2014-4671), which can be abused to bypass the
Same Origin Policy in Flash.

More details on the underlying bug:
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

Proofs of concept:
http://www.mediawiki.org/w/api.php?action=query&format=json&callback=pwned
https://en.wikipedia.org/w/api.php?action=query&format=json&callback=pwned

As far as I know, several people are already aware of this MediaWiki
vulnerability.

Regards,
Nicolas Grégoire
Comment 1 Brad Jorsch 2014-07-17 20:28:07 UTC
Created attachment 15960 [details]
Patch

> As far as I know, several people are already aware of this MediaWiki
> vulnerability.

Nice of any of them to tell us. At least Nicolas was thoughtful.
Comment 2 Chris Steipp 2014-07-17 20:53:15 UTC
Created attachment 15961 [details]
Prepend jsonp callback with comment

I did the same patch, so I think we're on the same page. I just made a shorter comment, and added a unit test.
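The two patches above both apply the same mitigation: put a fixed comment in front of the JSONP callback. The point, from the defender's side, is that a JSONP response whose body begins with the caller-supplied callback name lets any caller of a public API choose the first bytes of the document, which is what the Rosetta Flash technique in the linked write-up relies on; once `/**/` is emitted first, the leading bytes are fixed by the server, and the `nosniff` header the description mentions keeps browsers from reinterpreting the content type. The Python sketch below is an added illustration of that before/after shape and of a small response check a reviewer could run; it is not MediaWiki's PHP code nor either attachment, and the callback allowlist regex, the function names and the sample query result are assumptions made for this example.

```python
import json
import re

# Conservative callback allowlist: JavaScript identifier characters joined by
# dots. This is an assumption for the example, not MediaWiki's own rule.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

# Fixed prefix emitted before the callback so the caller never controls byte 0.
JSONP_PREFIX = "/**/"

# Constructed sample API result, stands in for a real action=query response.
SAMPLE_RESULT = {"query": {"pages": {}}}


def jsonp_body_unmitigated(callback, data):
    """Pre-fix shape: the body starts with the callback name itself."""
    return "%s(%s)" % (callback, json.dumps(data))


def jsonp_body_mitigated(callback, data):
    """Post-fix shape: a comment precedes the callback name."""
    return "%s%s(%s)" % (JSONP_PREFIX, callback, json.dumps(data))


def leading_bytes_are_caller_controlled(body, callback):
    """True when the response body begins with the caller-supplied callback."""
    return body.startswith(callback)


def build_jsonp_response(callback, data):
    """Return (status, headers, body) for a JSONP request.

    Unexpected callback names are rejected outright; accepted ones get the
    comment prefix plus a JavaScript content type and nosniff header.
    """
    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid callback"
    headers = {
        "Content-Type": "text/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, jsonp_body_mitigated(callback, data)


def check_jsonp_response(status, headers, body):
    """Reviewer-side checklist for a successful JSONP response.

    Returns the list of failed checks; an empty list means the response has
    the mitigated shape. Non-200 responses carry no JSONP body to check.
    """
    if status != 200:
        return []
    problems = []
    if not body.startswith(JSONP_PREFIX):
        problems.append("body does not start with fixed prefix")
    if headers.get("X-Content-Type-Options") != "nosniff":
        problems.append("missing nosniff")
    if not headers.get("Content-Type", "").startswith("text/javascript"):
        problems.append("unexpected content type")
    return problems


if __name__ == "__main__":
    before = jsonp_body_unmitigated("pwned", SAMPLE_RESULT)
    after = jsonp_body_mitigated("pwned", SAMPLE_RESULT)
    print("before:", before, "| caller controls byte 0:",
          leading_bytes_are_caller_controlled(before, "pwned"))
    print("after: ", after, "| caller controls byte 0:",
          leading_bytes_are_caller_controlled(after, "pwned"))
    print("checks:", check_jsonp_response(*build_jsonp_response("pwned", SAMPLE_RESULT)))
```

The check function is the kind of assertion the unit test mentioned in this comment would make: whatever the callback parameter is, a 200 response must begin with the server-chosen prefix, and the headers must still carry `nosniff`.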
Comment 3 Chris Steipp 2014-07-17 21:04:11 UTC
21:02 csteipp: deployed fix for bug68187
Comment 5 Markus Glaser 2014-07-29 09:42:39 UTC
Created attachment 16079 [details]
Backport to REL1_22

This is the backport to REL1_22 branch. Tested the prepend in my local instance, works. If someone could verify, this would be great!
Comment 6 Markus Glaser 2014-07-29 09:43:56 UTC
Created attachment 16080 [details]
Backport to REL1_19

This is the backport to REL1_19 branch. Tested the prepend in my local instance, works. If someone could verify, this would be great!
Comment 7 Markus Glaser 2014-07-29 09:45:09 UTC
Patch works with REL1_23. Tested the prepend in my local instance, works.
Comment 8 Chris Steipp 2014-07-29 16:43:48 UTC
Adding early access for Wikia and Debian
Comment 9 Chris Steipp 2014-07-30 00:26:50 UTC
Backports all seem to work fine. +2.
Comment 10 Markus Glaser 2014-07-31 14:44:28 UTC
Moved to product MediaWiki as the fix is published now.
Comment 11 Brad Jorsch 2014-08-08 10:30:43 UTC
I see this was merged a while back, so closing.
Comment 12 Chris Steipp 2014-08-14 16:31:15 UTC
This was assigned CVE-2014-5241
