Bug#696179: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
cve-ass...@mitre.org dixit:

> See http://bugs.debian.org/696179 for details.
> Use CVE-2012-6453.

Ok, thanks! Forwarding to all parties: this is DSA-2596-1 for mediawiki-extensions.

bye,
//mirabilos
-- 
I want one of these. They cost 720 € though… good they don’t have the HD hole, which indicates 3½″ floppies with double capacity… still. A tad too much, atm.
‣ http://www.floppytable.com/floppytable-images-1.html

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#696179: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
Dixi quod…

> Of course, this will not work on the message body. I’ll look at
> the MW sanitiser later. Lunchbreak, then that, I guess.

Ok, it’s worse than I expected: when using “text” mode with desc=on, the body is also vulnerable but on the other hand, proper HTML is broken:

‣ pWill drive to a href=#34;http://www.google.com/webhp?hl=laamp;q=Chemnitzer+Linuxtage#34;Chemnitz/a

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke
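The message above describes two failure modes of rendering feed content into a wiki page: item titles and descriptions being emitted as live markup (the Javascript injection this bug is about), and a "fix" that mangles legitimate HTML into debris like `a href=#34;…#34;Chemnitz/a`. The following is an added illustration, not code from the RSS_Reader extension or from anyone in this thread. It parses a constructed RSS document (the sample feed, `example.invalid` link and hostile items are made up for the test), escapes titles as plain text, runs descriptions through a small allow-list sanitizer, and, as an assumption about how the quoted mangling arises, contrasts that with a routine that merely deletes `<`, `>` and `&`:

```python
import html
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed (not a real feed): item 1 carries script markup in its
# title and description, item 2 a legitimate HTML description with an anchor
# whose href contains an encoded ampersand, like the one quoted in the message.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed test feed</title>
<item>
  <title>&lt;script&gt;alert(1)&lt;/script&gt;harmless looking entry</title>
  <description>&lt;a href="http://example.invalid" onclick="alert(2)"&gt;click&lt;/a&gt;&lt;script&gt;alert(3)&lt;/script&gt;</description>
</item>
<item>
  <title>Chemnitzer Linuxtage</title>
  <description>&lt;p&gt;Will drive to &lt;a href="http://www.google.com/webhp?hl=la&amp;amp;q=Chemnitzer+Linuxtage"&gt;Chemnitz&lt;/a&gt;&lt;/p&gt;</description>
</item>
</channel></rss>"""

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "br"}
ALLOWED_ATTRS = {"a": {"href"}}       # every other attribute (onclick, style, ...) is dropped
SAFE_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br"}


def parse_items(xml_text):
    """Return (title, description) pairs; the XML parser has already decoded
    the entity-encoded HTML, so what comes back is raw markup from the feed."""
    root = ET.fromstring(xml_text)
    return [(item.findtext("title", ""), item.findtext("description", ""))
            for item in root.iter("item")]


def render_title(title):
    # "title" mode: the feed text is never meant to be markup, so escaping is the fix.
    return html.escape(title, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Rebuild a fragment keeping only allow-listed tags and attributes;
    all text is re-escaped, and the contents of script/style are discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0     # > 0 while inside <script>/<style>
        self.open_tags = []     # tags we emitted and still have to close

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue        # refuses javascript:, data:, relative and other schemes
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            # close unclosed inner tags first so the output stays well formed
            while self.open_tags:
                inner = self.open_tags.pop()
                self.out.append("</%s>" % inner)
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def render_description(desc):
    """desc=on mode: keep harmless formatting, drop everything executable."""
    sanitizer = AllowlistSanitizer()
    sanitizer.feed(desc)
    sanitizer.close()
    return sanitizer.result()


def naive_strip(fragment):
    # Assumed mechanism behind the mangled output quoted above: deleting the
    # characters '<', '>' and '&' leaves tag names and entity remnants as text.
    return re.sub(r"[<>&]", "", fragment)


if __name__ == "__main__":
    for title, desc in parse_items(SAMPLE_RSS):
        print("title:", render_title(title))
        print("desc: ", render_description(desc))
        print("naive:", naive_strip(desc))
```

Run stand-alone it prints the hostile title as inert `&lt;script&gt;…` text, the legitimate description with its anchor intact (and the href's ampersand correctly re-encoded as `&amp;`), and the naive variant's `pWill drive to a href=…Chemnitz/a/p` debris. The sanitizer re-escapes text after `HTMLParser` has decoded character references, which is what keeps `&amp;` inside an href from becoming a bare `&` or a stray `amp;`.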
Bug#696179: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
On Mon, 17 Dec 2012, Jonathan Wiltshire wrote:

> At a quick glance this appears to affect upstream. Can you confirm this

Yes, it does.

> have you sought out a CVE number?

No, I’ve got no idea how all this CVE stuff works. Do you volunteer, or one of the Mediawiki guys lurking here? Otherwise I’d just open an entry in the MW bugtracker now, if extensions are tracked there, that is.

> The window of opportunity is small but the impact could be significant (drive-by downloads, session theft, XSS etc).

Actually, it’s not small. I’ve got Planet Debian in a test project, both as Codendi Widget on the Group Summary page of FusionForge and on a Wiki page demonstrating this extension. I got invalid XHTML on both. I then added a test feed – http://www.mirbsd.org/tag_event.rss hand-edited to add a check for this vulnerability, will *not* stay having this content – to a new page and got a Javascript popup in the Wiki, none (but still an xmlstarlet error on yurt/) on the Forge.

Planet Debian is somewhat trusted but has hundreds of feeds it aggregates. The situation elsewhere could be much worse, therefore I believe the impact is not low. I’ve got no idea what other feeds people have on their sites.

And _then_ most feeds are served using http not https… (in fact, I haven’t even tried https myself… why?) MITM fun, especially when the Wiki is then served using https, to a browser that may have been configured to trust https more than http. I guess stealing Mediawiki credentials is even easy with it.

I bet joeyh is amusing himself that the Yurt is good for something even after its dismantling ☺

bye,
//mirabilos
Bug#696179: [Pkg-mediawiki-devel] Bug#696179: mediawiki-extensions-base: RSS_Reader Javascript injection
On Mon, 17 Dec 2012, Platonides wrote:

> http://www.mediawiki.org/wiki/Extension:RSS_Reader seems to live exclusively at the wiki page, instead of being at a repository.
> […]
> Just edit the page when fixing the bug.

Oh, okay. I just did so.

On Mon, 17 Dec 2012, Jonathan Wiltshire wrote:

> (for those following at home: Debian can only issue CVEs for non-public issues AIUI, which is why it's a shame you didn't bring them into the loop before opening a bug.)

Oh, I didn’t know that. I’ve got about zero experience dealing with security issues. This might show. I’ll listen and learn ☺

(Why? I mean, I’d make all issues public immediately, no?)

> Ok, what I really meant was that you'd have to know someone is using Mediawiki to read your feed, which is probably feasible but I can't imagine there are thousands of people doing so. We don't really know either way, we should probably play it cautious.

Hrm.

tg@eurynome:~ $ fgrep tag_event.rss /var/www/logs/access_log
[…]
fb-n15-11.unbelievable-machine.net - - [17/Dec/2012:16:08:25 +] -:-:IPv4www.mirbsd.org GET /tag_event.rss HTTP/1.0 200 66185 - -
fb-n15-11.unbelievable-machine.net - - [17/Dec/2012:17:07:49 +] -:-:IPv4www.mirbsd.org GET /tag_event.rss HTTP/1.1 200 66185 http://www.mirbsd.org/tag_event.rss; SimplePie/1.1.3 (Feed Parser; http://simplepie.org; Allow like Gecko) Build/20081219

SimplePie is used by FusionForge (that’s the thing which actually does strip script but not yurt or /yurt; maybe I should clone the bug, with lower severity, against it to ask they should validate that titles don’t contain HTML?), and the other is probably Mediawiki (there’s only a third UA in my access_log, and that’s Google’s feed fetcher, so it has to be this one, and the IPv4 matches). So when you get requests without a referer or UA, which are *not* periodic, from some site, you can assume with a not-low chance that it’s Mediawiki. (Feeds are read upon first access and then cached for a while.)

bye,
//mirabilos