Difference between revisions of "MediaWiki"

From Nick Jenkins
m (add colour coding + Parser24 test)
Line 1: Line 1:
Various MediaWiki 1.6.1 parser tests, that fail HTML validation. These were all found by [http://www.cs.wisc.edu/~bart/fuzz/fuzz.html fuzz testing] of MediaWiki, using a modified PHP port of [http://www.securiteam.com/tools/6Z00N1PBFK.html the Python port] of [http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0 mangleme]. The [http://files.nickj.org/MediaWiki/wiki-mangleme.phps source code is available].
+
Various MediaWiki 1.6.1 parser tests, that fail HTML validation. These were all found by [http://www.cs.wisc.edu/~bart/fuzz/fuzz.html fuzz testing] of MediaWiki, using a modified PHP port of [http://www.securiteam.com/tools/6Z00N1PBFK.html the Python port] of [http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0 mangleme]. The [http://files.nickj.org/MediaWiki/wiki-mangleme.phps source code is available], although the [http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/maintenance/wiki-mangleme.php version now in the MediaWiki trunk] is probably more current.
  
 
* [[:MediaZilla:5066|MediaWiki bug report]].
 
* [[:MediaZilla:5066|MediaWiki bug report]].
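Review bot: the sentence now points at two copies of the fuzzer, the .phps file and the trunk maintenance script, and says the trunk one is "probably more current", but it does not say which copy produced the rows in the table below; since the results are pinned to MediaWiki 1.6.1, name the fuzzer copy (or revision) used alongside it so the findings can be reproduced.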
Line 10: Line 10:
 
! Validate HTML
 
! Validate HTML
 
! Tidy HTML
 
! Tidy HTML
! Security<br>aspects?<sup>1</sup>
+
! [[#Definition of Security Aspects|Security<br>aspects?]]
 
! Visible<br>Artefacts?
 
! Visible<br>Artefacts?
 
! Notes and any extra info.
 
! Notes and any extra info.
Line 116: Line 116:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser13 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser13 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser13}}
 
| {{tidy-html|page=MediaWiki/Parser13}}
| Yes.
+
| bgcolor=yellow | Yes.
 
| No.
 
| No.
 
| Drops the '<a href="xxx' string. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034659.html Explanation for this + Parser14 + Parser14-table].
 
| Drops the '<a href="xxx' string. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034659.html Explanation for this + Parser14 + Parser14-table].
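Review bot: this is the first cell that gets `bgcolor=yellow`, but nothing on the page says what the colour stands for; add a one-line legend under the Definition of Security Aspects heading (yellow for rows whose markup is cut off or has attributes injected, red for the Parser24 row that allows script execution) so the colour carries the same information as the text for readers who cannot see it.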
Line 124: Line 124:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser14}}
 
| {{tidy-html|page=MediaWiki/Parser14}}
| Yes.
+
| bgcolor=yellow | Yes.
 
| Yes.
 
| Yes.
 
| TOC insertion
 
| TOC insertion
Line 132: Line 132:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14-table W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14-table W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser14-table}}
 
| {{tidy-html|page=MediaWiki/Parser14-table}}
| Yes.
+
| bgcolor=yellow | Yes.
 
| Yes.
 
| Yes.
 
| TOC insertion
 
| TOC insertion
Line 148: Line 148:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser16 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser16 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser16}}
 
| {{tidy-html|page=MediaWiki/Parser16}}
| Yes.
+
| bgcolor=yellow | Yes.
 
| No.
 
| No.
 
| <s>Generates Tidy error due to &lt;th&gt; tags out of order.</s> [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034770.html As of 1.6.1, now drops the '<a href="xxx' string].
 
| <s>Generates Tidy error due to &lt;th&gt; tags out of order.</s> [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034770.html As of 1.6.1, now drops the '<a href="xxx' string].
Line 188: Line 188:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser21 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser21 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser21}}
 
| {{tidy-html|page=MediaWiki/Parser21}}
| Yes.
+
| bgcolor=yellow | Yes.
 
| No.
 
| No.
 
|  
 
|  
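Review bot: Parser21 is flagged yellow/"Yes." for security aspects, but its Notes cell (the trailing `| ` line of this hunk) is still empty; every other "Yes." row names the failure mode (dropped '<a href="xxx' string, TOC insertion, double links), so add the observed symptom or a link to the wikitech-l explanation here.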
Line 196: Line 196:
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser22 W3C Validator]
 
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser22 W3C Validator]
 
| {{tidy-html|page=MediaWiki/Parser22}}
 
| {{tidy-html|page=MediaWiki/Parser22}}
| Yes.
+
| bgcolor=yellow |Yes.
 
| No.
 
| No.
 
| Double links injection.
 
| Double links injection.
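Review bot: `| bgcolor=yellow |Yes.` is missing the space after the second pipe that the other recoloured rows use (`| bgcolor=yellow | Yes.`); the renderer tolerates it, but make it consistent so a later search-and-replace of the colour coding catches every cell.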
Line 207: Line 207:
 
| No.
 
| No.
 
| Pre allows malformed URI. Fails validation (unlike nowiki).
 
| Pre allows malformed URI. Fails validation (unlike nowiki).
 +
|-
 +
| [[MediaWiki/Parser24]]
 +
| [[Special:Export/MediaWiki/Parser24|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser24 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser24}}
 +
| bgcolor=red | Yes.
 +
| No.
 +
| Allows User-specified JavaScript Execution.
 
|}
 
|}
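Review bot: the new Parser24 row is the only one coloured red and carries the most serious note on the page ("Allows User-specified JavaScript Execution"), yet unlike Parser13/Parser16 it gives no bug-report or mailing-list link and no hint of which parser path is involved; add the MediaZilla report or explanation link so the row can be tracked to a fix, and consider stating the MediaWiki version the row was checked against, as the other rows do with "As of 1.6.1".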
  
<br>
+
==Definition of Security Aspects==
<sup>1</sup>: For the above table, "security aspect" is defined as anything that causes the start of a tag to be missing, or the end to be missing, or attributes of any type that should not be there to be injected. For example:
+
 
 +
For the above table, "security aspect" is defined as anything that causes the start of a tag to be missing, or the end to be missing, or attributes of any type that should not be there to be injected. For example:
 
* ''&lt;p&gt;&lt;td&gt;&lt;s&gt;&lt;/p&gt;'' would '''not''' be considered to have a security aspect because all the tags are appearing ok (are not malformed), although it is invalid HTML.
 
* ''&lt;p&gt;&lt;td&gt;&lt;s&gt;&lt;/p&gt;'' would '''not''' be considered to have a security aspect because all the tags are appearing ok (are not malformed), although it is invalid HTML.
 
* ''<nowiki>&lt;a href="http://as&lt;td&gt;&lt;/td&gt;&lt;td class="external free"&gt;&lt;p&gt;user text here</nowiki>'' would be considered to have a security aspect because the "href" string is not properly terminated, and so the "external free" part is injected as attributes.
 
* ''<nowiki>&lt;a href="http://as&lt;td&gt;&lt;/td&gt;&lt;td class="external free"&gt;&lt;p&gt;user text here</nowiki>'' would be considered to have a security aspect because the "href" string is not properly terminated, and so the "external free" part is injected as attributes.
 
* A string missing the start of a tag would also be considered to have a security aspect - e.g. ''<nowiki>&lt;th&gt;|||||" class="external free" title="https://||||||" rel="nofollow"&gt;https://&lt;/th&gt;</nowiki>'' - because the ''&lt;a href="xxx'' part has been cut off. Probably not exploitable - but certainly a worse category of bug than just getting tags in the wrong order.
 
* A string missing the start of a tag would also be considered to have a security aspect - e.g. ''<nowiki>&lt;th&gt;|||||" class="external free" title="https://||||||" rel="nofollow"&gt;https://&lt;/th&gt;</nowiki>'' - because the ''&lt;a href="xxx'' part has been cut off. Probably not exploitable - but certainly a worse category of bug than just getting tags in the wrong order.
 
So to sum up: if tags are just in the wrong order, but are otherwise complete and well-formed, then it is not a security issue; otherwise it is considered to potentially be, and is listed as "Yes" in the above table.
 
So to sum up: if tags are just in the wrong order, but are otherwise complete and well-formed, then it is not a security issue; otherwise it is considered to potentially be, and is listed as "Yes" in the above table.
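Review bot: the `<br>` left just above the new `==Definition of Security Aspects==` heading only adds a stray blank line that the heading already provides; drop it. More importantly, the definition that follows still covers only a missing tag start or end and injected attributes, while the table now has a red Parser24 row for user-specified JavaScript execution; either extend the definition with that case or state that red marks a category beyond the one defined here, otherwise the "So to sum up" sentence no longer matches the table.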

Revision as of 02:29, 23 May 2006

Various MediaWiki 1.6.1 parser tests that fail HTML validation. These were all found by fuzz testing of MediaWiki, using a modified PHP port of the Python port of mangleme. The source code is available, although the version now in the MediaWiki trunk is probably more current.


{|
! Test !! Wiki Source !! Validate HTML !! Tidy HTML !! Security aspects? !! Visible Artefacts? !! Notes and any extra info.
|-
| MediaWiki/Parser1 || Export Wiki Source || W3C Validator || Tidy HTML || No || Yes || Strikes out almost all text. Explanation for this + Parser1-hidden + Parser2 + Parser3 + Parser4 + Parser5.
|-
| MediaWiki/Parser1-hidden || Export Wiki Source || W3C Validator || Tidy HTML || No || Yes || Hides almost all text, which also makes all page links unavailable.
|-
| MediaWiki/Parser2 || Export Wiki Source || W3C Validator || Tidy HTML || No || No ||
|-
| MediaWiki/Parser3 || Export Wiki Source || W3C Validator || Tidy HTML || No || No ||
|-
| MediaWiki/Parser4 || Export Wiki Source || W3C Validator || Tidy HTML || No || No ||
|-
| MediaWiki/Parser5 || Export Wiki Source || W3C Validator || Tidy HTML || No || Yes || Shrinks font, moves the top page action links up about 5 pixels and left about 10 pixels.
|-
| MediaWiki/Parser6 || Export Wiki Source || W3C Validator || Tidy HTML || No || Yes || Shrinks font, moves the left navigation bar down about 160 pixels, strikes out almost all text.
|-
| MediaWiki/Parser7 || Export Wiki Source || W3C Validator || Tidy HTML || No || No. || Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
|-
| MediaWiki/Parser8 || Export Wiki Source || W3C Validator || Tidy HTML || No || No ||
|-
| MediaWiki/Parser9 || Export Wiki Source || W3C Validator || Tidy HTML || No || No ||
|-
| MediaWiki/Parser10 || Export Wiki Source || W3C Validator || Tidy HTML || No || No ||
|-
| MediaWiki/Parser11 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || No. || Explanation. Security aspects now fixed in 1.6, although still fails W3C Validation.
|-
| MediaWiki/Parser12 || Export Wiki Source || W3C Validator || Tidy HTML || Yes No. || No. || Explanation. Security aspects now fixed in 1.6, although still fails W3C Validation.
|-
| MediaWiki/Parser13 || Export Wiki Source || W3C Validator || Tidy HTML || Yes. || No. || Drops the '<a href="xxx' string. Explanation for this + Parser14 + Parser14-table.
|-
| MediaWiki/Parser14 || Export Wiki Source || W3C Validator || Tidy HTML || Yes. || Yes. || TOC insertion
|-
| MediaWiki/Parser14-table || Export Wiki Source || W3C Validator || Tidy HTML || Yes. || Yes. || TOC insertion
|-
| MediaWiki/Parser15 || Export Wiki Source || W3C Validator || Tidy HTML || No || No. || Generates Tidy error due to <caption> tags out of order. As of 1.6.1 just fails validation.
|-
| MediaWiki/Parser16 || Export Wiki Source || W3C Validator || Tidy HTML || Yes. || No. || <s>Generates Tidy error due to <th> tags out of order.</s> As of 1.6.1, now drops the '<a href="xxx' string.
|-
| MediaWiki/Parser17 || Export Wiki Source || W3C Validator || Tidy HTML || Yes. No. || No. || Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
|-
| MediaWiki/Parser18 || Export Wiki Source || W3C Validator || Tidy HTML || Yes. No. || No. || Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
|-
| MediaWiki/Parser19 || Export Wiki Source || W3C Validator || Tidy HTML || Yes. No. || No. || Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
|-
| MediaWiki/Parser20 || Export Wiki Source || W3C Validator || Tidy HTML || No || No. || Nowiki allows malformed URI (e.g. generates multi-line hrefs). Passes W3C validation, but tidy gives warnings, and the links don't act like normal links (in Firefox, at least) - clicking on them does nothing.
|-
| MediaWiki/Parser21 || Export Wiki Source || W3C Validator || Tidy HTML || Yes. || No. ||
|-
| MediaWiki/Parser22 || Export Wiki Source || W3C Validator || Tidy HTML || Yes. || No. || Double links injection.
|-
| MediaWiki/Parser23 || Export Wiki Source || W3C Validator || Tidy HTML || No. || No. || Pre allows malformed URI. Fails validation (unlike nowiki).
|-
| MediaWiki/Parser24 || Export Wiki Source || W3C Validator || Tidy HTML || Yes. || No. || Allows User-specified JavaScript Execution.
|}

Definition of Security Aspects

For the above table, "security aspect" is defined as anything that causes the start of a tag to be missing, or the end to be missing, or attributes of any type that should not be there to be injected. For example:

  • <p><td><s></p> would not be considered to have a security aspect because all the tags are appearing ok (are not malformed), although it is invalid HTML.
  • <a href="http://as<td></td><td class="external free"><p>user text here would be considered to have a security aspect because the "href" string is not properly terminated, and so the "external free" part is injected as attributes.
  • A string missing the start of a tag would also be considered to have a security aspect - e.g. <th>|||||" class="external free" title="https://||||||" rel="nofollow">https://</th> - because the <a href="xxx part has been cut off. Probably not exploitable - but certainly a worse category of bug than just getting tags in the wrong order.

So to sum up: if tags are just in the wrong order, but are otherwise complete and well-formed, then it is not a security issue; otherwise it is considered to potentially be, and is listed as "Yes" in the above table.
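The rule above, applied mechanically to the page's own three example fragments, as an added example that is neither the page's nor MediaWiki's code; `classify` and its regular expressions are my own constructions, and treating a `<script>` tag or an `on*` event attribute as a security aspect is an assumption drawn from the red Parser24 row, not from the definition itself:

```python
import re

# Added example, not the page's own code: apply the page's "security aspect"
# rule to a parser-output HTML fragment. Out-of-order/unclosed tags -> 'invalid';
# a missing tag start or end, an attribute value that swallows following markup,
# or (assumed for the red Parser24 row) <script>/on* attributes -> 'security'.
TAG_START = re.compile(r'<(/?)([a-zA-Z][a-zA-Z0-9]*)')
ORPHAN_ATTRS = re.compile(r'"\s+[a-zA-Z][\w-]*\s*=\s*"')  # '" class="': tag start cut off
EVENT_ATTR = re.compile(r'(^|\s)on\w+\s*=', re.I)         # onclick= etc. outside quotes
VOID = {'br', 'hr', 'img', 'input', 'meta', 'link'}       # elements with no end tag

def classify(fragment):
    """Return (category, detail); category is 'ok', 'invalid' or 'security'."""
    stack, misnested, i, n = [], [], 0, len(fragment)
    while i < n:
        m = TAG_START.match(fragment, i)
        if not m:                                # plain text (or a bare '<')
            if ORPHAN_ATTRS.match(fragment, i):
                return 'security', 'tag start missing before %r' % fragment[i:i + 16]
            i += 1
            continue
        closing, name, i = m.group(1) == '/', m.group(2).lower(), m.end()
        bare = []                                # attribute text minus quoted values
        while i < n and fragment[i] != '>':
            c = fragment[i]
            if c in '"\'':                       # a quoted value must close before any '<'
                close, lt = fragment.find(c, i + 1), fragment.find('<', i + 1)
                if close == -1 or (lt != -1 and lt < close):
                    return 'security', 'unterminated attribute value in <%s>' % name
                i = close + 1
            elif c == '<':
                return 'security', 'end of <%s> missing' % name
            else:
                bare.append(c)
                i += 1
        if i >= n:
            return 'security', 'end of <%s> missing' % name
        i += 1                                   # step over '>'
        if name == 'script' or EVENT_ATTR.search(''.join(bare)):
            return 'security', 'user-specified script via <%s>' % name
        if closing and stack and stack[-1] == name:
            stack.pop()
        elif closing:
            misnested.append(name)
        elif name not in VOID:
            stack.append(name)
    if misnested or stack:
        return 'invalid', 'tags out of order or unclosed: ' + ' '.join(misnested + stack)
    return 'ok', ''
```

Run against the three fragments in the bullets above it returns 'invalid' for the out-of-order `<p><td><s></p>` case and 'security' for the two truncated-tag cases, which is exactly the split the table's "Yes"/"No" column encodes.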