
XSS on http://wikipedia.ramselehof.de/wawewewi.php
Closed, Resolved · Public · Security

Description

Greetings, I found an XSS on one of the Wikipedia server endpoints.

http://wikipedia.ramselehof.de/wawewewi.php?project=2"></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

The attacker could run JavaScript on the victim's account right after the authentication process.

POC Steps:

1 - Open the url http://wikipedia.ramselehof.de/wawewewi.php?project=

2 - Send a JavaScript payload after the equals sign, and then the alert will fire
("></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>)

Details

Risk Rating: Low
Author Affiliation: Other (Please specify in description)

Event Timeline

Schanz111 created this task. Aug 31 2021, 4:26 AM
Restricted Application added a subscriber: Aklapper. Aug 31 2021, 4:26 AM
Aklapper renamed this task from XSS Wikipedia to XSS on http://wikipedia.ramselehof.de/wawewewi.php. Aug 31 2021, 6:43 AM
Aklapper added a project: Vuln-XSS.
Aklapper added a subscriber: Flominator.

Hi @Schanz111, thanks a lot for taking the time to report this!
I'm subscribing @Flominator who seems to run http://wikipedia.ramselehof.de/ but I'm not sure how active Flominator is these days.

Reedy edited projects, added SecTeam-Processed; removed Security-Team. Aug 31 2021, 1:29 PM
sbassett subscribed. Aug 31 2021, 2:52 PM

Just to be clear - this isn't hosted on Wikimedia production infrastructure ("Wikipedia server").

Schanz111 added a comment. Aug 31 2021, 3:22 PM

Doesn't it belong to your domain? Could you at least see if it is possible to fix the vulnerability?

Aklapper added a comment. Aug 31 2021, 3:57 PM

Hi, we (as in Wikimedia Foundation or affiliates) do not own the domain ramselehof.de. The domain is owned by @Flominator who is subscribed to this task.

Aklapper added a comment. Oct 12 2021, 6:57 AM

I pinged the maintainer in https://de.wikipedia.org/w/index.php?title=Benutzer_Diskussion%3AFlominator&type=revision&diff=216304162&oldid=215884749

Flominator added a comment. Nov 28 2021, 10:15 AM

Is there an easy way to fix this? I think I had a snippet somewhere, but I don't find it at the moment.

Aklapper added a comment. Nov 28 2021, 5:59 PM

https://www.mediawiki.org/wiki/Security_for_developers#Cross-site_scripting_(XSS) might provide some hints.

sbassett added a comment. Nov 29 2021, 5:43 PM

In T290048#7532339, @Flominator wrote:
> Is there an easy way to fix this? I think I had a snippet somewhere, but I don't find it at the moment.

Is this the actual code base: https://github.com/FlominatorTM/wikipedia_wbw ?

If so, it looks like there are at least a few places where the $project variable is vulnerable to XSS:

  1. https://github.com/FlominatorTM/wikipedia_wbw/blob/master/wawewewi.php#L90-L97
  2. https://github.com/FlominatorTM/wikipedia_wbw/blob/master/wawewewi.php#L366

At the very least, you'd likely want to sanitize those variables before they are sent to the browser by passing them to htmlspecialchars or similar, likely with the ENT_QUOTES flag enabled.

I'd also note that any other variables which are eventually sent to the browser that are derived from user data (e.g. from $_GET, $_POST, $_REQUEST, $_COOKIE, etc.) should be sanitized in a similar fashion.
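
The reflection pattern sbassett describes, shown as an added example beside its htmlspecialchars fix. This is not code from the wikipedia_wbw repository or from the commenter: the markup, the function names and the request handling are assumptions for illustration only; the input is the payload from the task description, embedded as a constructed string so the file runs offline.

```php
<?php
// Added example (not code from the wikipedia_wbw repository): a request
// parameter reflected into HTML, vulnerable form beside the hardened form.
// Function names and markup are assumptions for illustration only.
declare(strict_types=1);

// In a real handler the value comes from the request, e.g.
//   $project = $_GET['project'] ?? '';
// Here it is a constructed string so the file runs offline.

// Vulnerable: the raw parameter is concatenated into an attribute value and
// into element text. The payload's leading 2"> closes the attribute and the
// <input> tag, after which the injected <SCRIPT> element is parsed as markup.
function render_project_vulnerable(string $project): string
{
    return '<input type="text" name="project" value="' . $project . '">' . "\n"
         . '<h2>Project: ' . $project . '</h2>';
}

// Output encoder for HTML text and attribute contexts. ENT_QUOTES encodes both
// " and ' so the value is inert inside single- or double-quoted attributes;
// ENT_SUBSTITUTE replaces malformed UTF-8 with U+FFFD instead of making
// htmlspecialchars return an empty string; the charset is stated explicitly
// rather than inherited from the default_charset ini setting.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: same markup, every user-derived value encoded at the output point.
function render_project_hardened(string $project): string
{
    return '<input type="text" name="project" value="' . e($project) . '">' . "\n"
         . '<h2>Project: ' . e($project) . '</h2>';
}

// Does the rendered HTML still contain a parseable <script> start tag?
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input: the payload from the task description.
$payload = '2"></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>';

$vulnerable = render_project_vulnerable($payload);
$hardened   = render_project_hardened($payload);

echo "vulnerable:\n", $vulnerable, "\n\n";
echo "hardened:\n", $hardened, "\n\n";
echo 'script tag survives in vulnerable output: ', var_export(contains_script_tag($vulnerable), true), "\n";
echo 'script tag survives in hardened output:   ', var_export(contains_script_tag($hardened), true), "\n";
```

Run with `php example.php`; the vulnerable rendering prints the payload's `<SCRIPT>` element verbatim, the hardened one prints it as `&lt;SCRIPT&gt;`, so the first check reports true and the second false. Two caveats for anyone applying the same fix: htmlspecialchars is the right encoder only for element content and quoted attribute values, so a value that lands inside an inline script, a URL or a style block needs a context-specific encoding instead; and the encoding belongs at every output point, not at input or in storage, since the two lines sbassett listed were found by reading the file and may not be the only places the variable is echoed.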

Flominator closed this task as Resolved. Edited · Jan 1 2022, 10:24 AM
Flominator claimed this task.

Thanks for the explanation. I think it's fixed now:
https://github.com/FlominatorTM/wikipedia_wbw/commit/105ad5a7dd64db0e7a063b34be2fd70352b6a6d0

sbassett triaged this task as Low priority. Jan 4 2022, 3:52 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.

Schanz111 added a comment. Mar 4 2022, 12:40 PM

Hello gentlemen, I am very happy that you have patched the vulnerability. I would like to know if it would be possible to rename it to some Wikipedia cybersecurity Hall of Fame.

sbassett added a comment. Edited · Mar 4 2022, 4:01 PM

In T290048#7752854, @Schanz111 wrote:
> Hello gentlemen, I am very happy that you have patched the vulnerability. I would like to know if it would be possible to rename it to some Wikipedia cybersecurity Hall of Fame.

As previously mentioned, since the affected code and website have nothing to do with Wikipedia or the Wikimedia Foundation, these vulnerabilities would not be eligible for the Wikimedia security hall of fame. I would suggest reaching out to the github code owner (@Flominator, FlominatorTM) and inquire as to whether they could credit you within an upcoming security release of the unaffiliated wikipedia_wbw application.