Last modified: 2014-08-14 16:31:15 UTC
Reported by Nicolas Grégoire. We already set nosniff, so Chrome/Opera shouldn't be affected. But it probably makes sense to prepend our jsonp with /**/ like rails did https://github.com/rails/rails/pull/16109/files.

> Hello, it seems that the "api.php" file included in MediaWiki is vulnerable to a JSONP injection (CVE-2014-4671), which can be abused to bypass the Same Origin Policy in Flash.
>
> More details on the underlying bug: http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
>
> Proofs of concept:
> http://www.mediawiki.org/w/api.php?action=query&format=json&callback=pwned
> https://en.wikipedia.org/w/api.php?action=query&format=json&callback=pwned
>
> As far as I know, several people are already aware of this MediaWiki vulnerability.
>
> Regards, Nicolas Grégoire
Created attachment 15960 [details]
Patch

> As far as I know, several people are already aware of this MediaWiki
> vulnerability.

Nice of any of them to tell us. At least Nicolas was thoughtful.
Created attachment 15961 [details]
Prepend jsonp callback with comment

I did the same patch, so I think we're on the same page. I just made a shorter comment, and added a unit test.
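The mitigation discussed in this thread, as an added illustration that is not MediaWiki's actual api.php patch or the Rails change linked above: a JSONP response whose first bytes are the attacker-chosen callback name can be handed to a plugin that ignores Content-Type and reads the body as something else (the Rosetta Flash write-up linked in the report explains the SWF case). Prepending `/**/` is a no-op for a JavaScript engine but guarantees the body never starts with attacker-controlled bytes. The callback grammar and the `looks_like_swf` check below are assumptions for this example, not MediaWiki's validation logic; `SWF_SIGNATURES` are the documented SWF file magic bytes, used here only as a defender-side check.

```python
import json
import re

# Magic bytes that begin a Flash SWF file (uncompressed, zlib, LZMA).
# Used only to check that a response could never be parsed as a SWF
# by a client that ignores Content-Type.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Conservative callback grammar: a dotted JavaScript identifier path.
# Assumed policy for this example, not MediaWiki's own callback validation.
CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)


def jsonp_body_unhardened(callback, payload):
    """'Before' form: the caller-chosen callback is the first thing in the body."""
    return (callback + "(" + json.dumps(payload) + ")").encode("utf-8")


def jsonp_body(callback, payload):
    """Hardened form: validate the callback, then prepend a harmless comment."""
    if not CALLBACK_RE.match(callback):
        raise ValueError("invalid JSONP callback")
    # '/**/' is ignored by JavaScript but fixes the first four bytes of the
    # body so they are never chosen by the requester.
    return ("/**/" + callback + "(" + json.dumps(payload) + ")").encode("utf-8")


def jsonp_headers():
    """Headers that should accompany a JSONP body (the thread notes nosniff was already set)."""
    return {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }


def looks_like_swf(body):
    """True if a client reading raw bytes could treat this body as a SWF file."""
    return body[:3] in SWF_SIGNATURES


if __name__ == "__main__":
    # Constructed sample payload and a callback name that happens to begin
    # with a SWF signature; it is a syntactically valid identifier.
    payload = {"batchcomplete": ""}
    cb = "CWSexample"
    print(looks_like_swf(jsonp_body_unhardened(cb, payload)))  # True
    print(looks_like_swf(jsonp_body(cb, payload)))             # False
```

The comment prefix is the cheap, backport-friendly part of the fix (which is why the thread backports a one-line prepend to REL1_19 through REL1_23); the stricter callback grammar and the explicit Content-Type and nosniff headers are the defence-in-depth layers that make the prefix unnecessary for well-behaved clients.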
21:02 csteipp: deployed fix for bug68187
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
Created attachment 16079 [details]
Backport to REL1_22

This is the backport to the REL1_22 branch. Tested the prepend in my local instance; it works. If someone could verify, this would be great!
Created attachment 16080 [details]
Backport to REL1_19

This is the backport to the REL1_19 branch. Tested the prepend in my local instance; it works. If someone could verify, this would be great!
Patch works with REL1_23. Tested the prepend in my local instance; it works.
Adding early access for Wikia and Debian
Backports all seem to work fine. +2.
Moved to product MediaWiki as the fix is published now.
I see this was merged a while back, so closing.
This was assigned CVE-2014-5241