https://bugzilla.wikimedia.org/show_bug.cgi?id=30598
Web browser: ---
Bug #: 30598
Summary: XSS vulnerability in Interwiki extension
Product: MediaWiki extensions
Version: any
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: Unprioritized
Component: Interwiki (extension)
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
I guess the URL field in the Interwiki extension's log isn't sanitized before
being output? If you put in "hello<b>", it gets through without a problem. This
appears to be an XSS vulnerability, even if the extension is generally limited
to more advanced user groups. Observed at
<http://test.emufarmers.com/wiki/Special:Log/interwiki>.
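The defect the report describes is a stored value reaching HTML output without escaping. The following PHP is an added illustration written for this page, not the Interwiki extension's own code; it renders a constructed log parameter (with "hello<b>"-style markup in the URL field) first unescaped, then with output escaping applied, so a maintainer can see the difference and keep the check as a regression test:

```php
<?php
// Added illustration, not the Interwiki extension's code.
// Constructed sample log parameter: markup in the "URL" field, as in the report.
$entry = [
    'prefix' => 'example',
    'url'    => 'hello<b onmouseover="alert(1)">$1</b>',
];

// Vulnerable pattern: the stored value is interpolated straight into HTML,
// so any markup it contains is parsed and rendered by the browser.
function renderLogLineUnsafe(array $entry): string {
    return "<li>Added prefix <code>{$entry['prefix']}</code> "
         . "pointing to <code>{$entry['url']}</code></li>";
}

// Hardened pattern: escape every user-controlled value for the HTML text
// context; ENT_QUOTES also neutralises quotes so the value cannot break out
// of an attribute if a later template puts it in one.
function escapeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderLogLineSafe(array $entry): string {
    return '<li>Added prefix <code>' . escapeHtml($entry['prefix']) . '</code> '
         . 'pointing to <code>' . escapeHtml($entry['url']) . '</code></li>';
}

// Regression check: the rendered HTML must never contain the raw tag
// that came in through the parameter.
function containsRawMarkup(string $html, string $needle): bool {
    return strpos($html, $needle) !== false;
}

$unsafe = renderLogLineUnsafe($entry);
$safe   = renderLogLineSafe($entry);

if (containsRawMarkup($unsafe, '<b onmouseover=')) {
    echo "unescaped rendering passes markup through to the browser\n";
}
if (!containsRawMarkup($safe, '<b onmouseover=')) {
    echo "escaped rendering is inert: $safe\n";
}
```

The same escaping has to be applied at every point where the interwiki prefix or URL is echoed into page HTML, including the Special:Log view named in the report, not only in the form that accepts the value.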
Wikibugs-l mailing list: https://lists.wikimedia.org/mailman/listinfo/wikibugs-l