On Mon, 17 Dec 2012, Jonathan Wiltshire wrote:
> At a quick glance this appears to affect upstream
> Can you confirm this

Yes, it does.

> have you sought out a CVE
> number?

No, I’ve got no idea how all this CVE stuff works. Do you volunteer, or one of the Mediawiki guys lurking here? Otherwise I’d just open an entry in the MW bugtracker now, if extensions are tracked there, that is.

> The window of opportunity is small but the impact could be significant
> (drive-by downloads, session theft, XSS etc).

Actually, it’s not small. I’ve got Planet Debian in a test project, both as Codendi Widget on the Group Summary page of FusionForge and on a Wiki page demonstrating this extension. I got invalid XHTML on both.

I then added a test feed – http://www.mirbsd.org/tag_event.rss hand-edited to add a check for this vulnerability, will *not* stay having this content – to a new page and got a Javascript popup in the Wiki, none (but still an xmlstarlet error on <yurt/>) on the Forge.

Planet Debian is somewhat trusted but has hundreds of feeds it aggregates. The situation elsewhere could be much worse, therefore I believe the impact is not low. I’ve got no idea what other feeds people have on their sites.

And _then_ most feeds are served using http not https… (in fact, I haven’t even tried https myself… why?) MITM fun, especially when the Wiki is then served using https, to a browser that may have been configured to trust https more than http. I guess stealing Mediawiki credentials is even easy with it.

I bet joeyh is amusing himself that the Yurt is good for something even after its dismantling ☺

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke
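The failure mode described in the message above is feed content (titles, links, descriptions) being written into a wiki page without escaping, so markup carried by an untrusted feed ends up in the rendered XHTML. The following is an added example, not code from the MediaWiki extension, FusionForge, or any participant in this thread; it shows the defensive pattern a feed-rendering extension needs: parse the feed as XML, HTML-escape every text field before embedding it, and accept only http/https links. The feed document is constructed inline for the example and is not the mirbsd.org feed mentioned above; `render_raw` stands in for the unescaped behaviour and `render_feed` for the corrected one.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample feed (not the real mirbsd.org feed): one benign item and one
# whose title, link and description carry markup that must never reach the page raw.
# Inside the XML the angle brackets are entity-encoded, so the parser hands the
# renderer literal "<script>" text, exactly what a hostile feed would deliver.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed test feed</title>
<item><title>Benign</title><link>http://example.invalid/a</link>
<description>Plain &amp; simple</description></item>
<item><title>Hostile &lt;b&gt;title&lt;/b&gt;</title><link>javascript:alert(1)</link>
<description>&lt;script&gt;alert(1)&lt;/script&gt;&lt;yurt/&gt;</description></item>
</channel></rss>"""


def parse_items(feed_xml):
    """Return a list of dicts with the text of title/link/description per <item>."""
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": item.findtext("title", ""),
            "link": item.findtext("link", ""),
            "description": item.findtext("description", ""),
        })
    return items


def safe_link(url):
    """Accept only http(s) URLs; anything else (javascript:, data:, ...) is dropped."""
    lowered = url.strip().lower()
    if lowered.startswith("http://") or lowered.startswith("https://"):
        return html.escape(url, quote=True)
    return ""


def render_raw(item):
    """The unsafe pattern: feed text concatenated straight into the page markup."""
    return f'<li><a href="{item["link"]}">{item["title"]}</a>: {item["description"]}</li>'


def render_item(item):
    """The corrected pattern: every field escaped, link scheme checked."""
    title = html.escape(item["title"], quote=True)
    desc = html.escape(item["description"], quote=True)
    href = safe_link(item["link"])
    if href:
        title = f'<a href="{href}">{title}</a>'
    return f"<li>{title}: {desc}</li>"


def render_feed(feed_xml):
    """Render the whole feed as an escaped XHTML list."""
    return "<ul>" + "".join(render_item(i) for i in parse_items(feed_xml)) + "</ul>"


def is_well_formed(fragment):
    """Cheap check that the rendered fragment is at least well-formed XML."""
    try:
        ET.fromstring("<div>" + fragment + "</div>")
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for item in parse_items(SAMPLE_FEED):
        print("raw :", render_raw(item))
        print("safe:", render_item(item))
```

Escaping at the point where feed text meets the page is the part that matters; validating the feed as XML does nothing on its own, since a well-formed feed can carry arbitrary markup in its text nodes, as the `<yurt/>` in the description above illustrates.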