https://bugzilla.wikimedia.org/show_bug.cgi?id=52746
Web browser: ---
Bug ID: 52746
Summary: XSS in MediaWiki API (through invalid property name) reintroduced in 1.21.1
Product: Wikimedia
Version: wmf-deployment
Hardware: All
URL: http://ossdepot.v-front.de/wiki/api%2Ephp?action=query&meta=siteinfo&format=json&siprop=%3Cbody%20onload=alert(document.cookie)%3E.shtml
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Unprioritized
Component: General/Unknown
Assignee: [email protected]
Reporter: [email protected]
Classification: Unclassified
Mobile Platform: ---
It looks like bug #28534 was re-introduced in MediaWiki 1.21.1.
Test URL:
http://ossdepot.v-front.de/wiki/api%2Ephp?action=query&meta=siteinfo&format=json&siprop=%3Cbody%20onload=alert(document.cookie)%3E.shtml
(This is a fresh 1.21.1 installation).
This was detected by a security scan via scanmyserver.com and confirmed by
their support.