https://bugzilla.wikimedia.org/show_bug.cgi?id=24199

           Summary: DynamicPageList2 has security issues
           Product: MediaWiki extensions
           Version: any
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: Normal
         Component: DynamicPageList2
        AssignedTo: wikibugs-l@lists.wikimedia.org
        ReportedBy: bawolff...@gmail.com


I fixed some XSS vulnerabilities in r68811. However, I still feel there are
problems with this extension.

*The playing with $wgRawHtml - this in itself is not a security vulnerability,
but makes it easy to give yourself problems. Before r68811 the following:
<DPL>
  category = Africa
   count= 2
  resultsfooter=<html><script>alert('d')</script></html>
</DPL>
did bad things because resultsfooter was interpreted as if $wgRawHtml was on. I
think I got most of those types of issues in r68811, but I am not really
familiar with the extension's options at all, so it's quite likely I missed
something (esp. for the find and replace options).
**The approach of using wiki-syntax mixed with <html> sections seems like a bad
idea. It seems as if it'd be better to use either wiki-syntax only or html only,
then you wouldn't have to worry about escaping for both ways (but that's just my
opinion after reading the code for 10 minutes, perhaps there is a valid reason to
do that)...
*The ordercollation option does not seem to be escaped when put in the sql...

This is just after a brief scan through the code when trying to fix Bug 22675 -
I wouldn't be surprised if there are other issues.
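
Added example, not part of the original report and not DynamicPageList2 code: one way to handle a user-supplied collation such as the ordercollation option is to match it against a fixed list before it reaches the query. The function name, the allowlist contents and the column name are assumptions made for illustration.

```php
<?php
// Added illustration only; not DynamicPageList2 code.
// safeCollateClause() and $allowedCollations are hypothetical names.

/**
 * Map a user-supplied ordercollation value to a " COLLATE <name>" fragment.
 * A collation name is part of the SQL syntax rather than a data value, so it
 * cannot be sent as a bound parameter. It is matched against a fixed list and
 * the list's own copy is what gets concatenated into the query.
 */
function safeCollateClause( string $userValue, array $allowed ): string {
	$name = strtolower( trim( $userValue ) );
	$key = array_search( $name, $allowed, true );
	if ( $key === false ) {
		// Unknown or malformed value: emit nothing, keep the default collation.
		return '';
	}
	return ' COLLATE ' . $allowed[$key];
}

// Collations the wiki operator has approved (constructed sample list).
$allowedCollations = [ 'utf8_general_ci', 'utf8_bin', 'latin1_swedish_ci' ];

// Constructed sample inputs, as they might arrive from a <DPL> tag.
$samples = [ 'utf8_bin', ' UTF8_General_CI ', 'utf8_bin, page_id', 'klingon_ci', '' ];

foreach ( $samples as $value ) {
	// sort_column is a placeholder for whatever column the query sorts on.
	$sql = 'ORDER BY sort_column' . safeCollateClause( $value, $allowedCollations );
	printf( "%-22s => %s\n", var_export( $value, true ), $sql );
}
```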
