Closed Bug 839899 Opened 9 years ago Closed 9 years ago

mediaWiki.user.options.set

Categories

(Websites :: wiki.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: sashoaaaa, Unassigned)

Details

(Whiteboard: [site:wiki.mozilla.org])

Well I'm having access to the mediaWiki.user.option.set .
I just tried to find some xss vulnarablities with this vector https://wiki.mozilla.org/load.php?debug=false&lang=en&modules="><script>alert(/a/)</script>&only=scripts . . And i saw I have access to mediaWiki.user.options.set .
So I tried the following 
https://wiki.mozilla.org/load.php?debug=false&lang=en&modules=user.options&only=scripts
And Here is what I'm getting 

"mediaWiki.user.options.set({"ccmeonemails":0,"cols":80,"contextchars":50,"contextlines":5,"date":"default","diffonly":0,"disablemail":0,"disablesuggest":0,"editfont":"default","editondblclick":0,"editsection":1,"editsectiononrightclick":0,"enotifminoredits":0,"enotifrevealaddr":0,"enotifusertalkpages":1,"enotifwatchlistpages":0,"extendwatchlist":0,"externaldiff":0,"externaleditor":0,"fancysig":0,"forceeditsummary":0,"gender":"unknown","hideminor":0,"hidepatrolled":0,"highlightbroken":1,"imagesize":2,"justify":0,"math":1,"minordefault":0,"newpageshidepatrolled":0,"nocache":0,"noconvertlink":0,"norollbackdiff":0,"numberheadings":0,"previewonfirst":0,"previewontop":1,"quickbar":1,"rcdays":7,"rclimit":50,"rememberpassword":0,"rows":25,"searchlimit":20,"showhiddencats":0,"showjumplinks":1,"shownumberswatching":1,"showtoc":1,"showtoolbar":1,"skin":"gmo","stubthreshold":0,"thumbsize":2,"underline":2,"uselivepreview":0,"usenewrc":0,"watchcreations":0,"watchdefault":0,"watchdeletion":0,
"watchlistdays":3,"watchlisthideanons":0,"watchlisthidebots":0,"watchlisthideliu":0,"watchlisthideminor":0,"watchlisthideown":0,"watchlisthidepatrolled":0,"watchmoves":0,"wllimit":250,"riched_use_toggle":1,"riched_start_disabled":1,"riched_use_popup":1,"riched_toggle_remember_state":1,"swl_email":true,"swl_watchlisttoplink":true,"variant":"en","language":"en","searchNs0":true,"searchNs1":false,"searchNs2":false,"searchNs3":false,"searchNs4":false,"searchNs5":false,"searchNs6":false,"searchNs7":false,"searchNs8":false,"searchNs9":true,"searchNs10":false,"searchNs11":true,"searchNs12":false,"searchNs13":false,"searchNs14":false,"searchNs15":false,"searchNs100":true,"searchNs101":true,"searchNs102":true,"searchNs103":true,"searchNs104":true,"searchNs105":true,"searchNs106":true,"searchNs107":true,"searchNs108":true,"searchNs109":true,"searchNs110":true,"searchNs111":true,"searchNs112":true,"searchNs113":true,"searchNs114":true,"searchNs115":true,"searchNs116":true,"searchNs117":true,
"searchNs118":true,"searchNs119":true,"searchNs120":true,"searchNs121":true,"searchNs122":true,"searchNs123":true,"searchNs124":true,"searchNs125":true,"searchNs126":true,"searchNs127":true,"searchNs128":true,"searchNs129":true,"searchNs130":true,"searchNs131":true,"searchNs134":false,"searchNs135":false,"searchNs138":false,"searchNs139":false,"searchNs140":false,"searchNs141":false});;mediaWiki.loader.state({"user.options":"ready"}); "
Yet another one found ..
https://wiki.mozilla.org/load.php?debug=false&lang=en&modules=ext.smw.sorttable%2Cstyle
I'm not sure if that can somehow danger the site , but I think it might be . So I'm reporting it ;) .. I'll try to find something about it :) . And if you decline it as a vuln and give me the right to advice with someone else I think i can find more about it :)
I don't see a security issue here, but I am going to get a second pair of eyes just to confirm.
OS: Windows 8 → All
Hardware: x86_64 → All
Group: core-security → websites-security
Component: Security → wiki.mozilla.org
Product: Core → Websites
Can you elaborate more on why you feel this is a security issue? We're not seeing an attack here when we look at this?
Flags: needinfo?(sashoaaaa)
I'm not very aware of that. It is displaying some options .. maybe this shouldn't be displayed to normal users ;) My mistake .. sorry about it .
Flags: needinfo?(sashoaaaa)
No it's fine, thanks for reporting it, we're just trying to figure out if it is a security issue or not.
Well I'm not aware of the commands by miself .. Otherwise i think it can be exploited somehow..
You see /* No modules requested. Max made me put this here */ 
I think maybe some modules can be requested and somehow see more options/etc... 
I don't know the modules you have in neither I have any idea how the mediaWiki.loader.state is working :/
like this
https://wiki.mozilla.org/load.php?debug=false&lang=en&modules=ext.smw.sorttable

displaying you some kind of things
then typing this it is adding two more rows (colors/backgrounds etc..)
https://wiki.mozilla.org/load.php?debug=false&lang=en&modules=ext.smw.sorttable%2Cstyle
Whiteboard: [site:wiki.mozilla.org]
Based on the first URL, I now see 'Cannot show private module "user.options"'. I don't think this was an actual vulnerability in the first place, but either way you can no longer list these options.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Group: websites-security
You need to log in before you can comment on or make changes to this bug.