Bug 891020 (CVE-2012-6453)

Summary: CVE-2012-6453 MediaWiki RSS Reader: code execution via HTML in feed titles and bodies
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: extras-orphan, ian, puiterwijk
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-18 11:34:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 891021, 891022, 891023    
Bug Blocks:    

Description Kurt Seifried 2013-01-01 00:59:43 UTC 
Thorsten Glaser (tg) reports:

Package: mediawiki-extensions-base
Version: 2.9
Severity: grave
Justification: user security hole

Thanks to Joey Hess, who put
       <title>&lt;/yurt&gt;</title>
into his feed, and our FusionForge “pink popup”
which displays invalid XHTML immediately, a user
security hole could be identified today during
MediaWiki validation at tarent solutions GmbH
in mediawiki-extensions-base (RSS_Reader) and
gforge-base (Codendi RSS widget).

In mediawiki-extensions-base, this is an actual
user security hole: JavaScript placed, properly
escaped, into an RSS feed item’s title is executed
on the page. (In FusionForge, <script> tags are
stripped, but the invalid </yurt> is still emitted.
I will not file a security bug against FusionForge
because I do not believe it a user security hole
there, but still commit a fix into FF’s git repo.)

External links:
http://www.mediawiki.org/wiki/Extension:RSS_Reader#0.2.6
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696179
Comment 1 Kurt Seifried 2013-01-01 01:01:07 UTC 
Created mediawiki-rss tracking bugs for this issue

Affects: fedora-16 [bug 891021]
Comment 2 Kurt Seifried 2013-01-01 01:02:33 UTC 
Created mediawiki-rss tracking bugs for this issue

Affects: epel-5 [bug 891022]
Comment 3 Kurt Seifried 2013-01-01 01:05:25 UTC 
Created mediawiki119-RSS tracking bugs for this issue

Affects: epel-6 [bug 891023]
Comment 4 Patrick Uiterwijk 2013-01-18 11:34:28 UTC 
This does not apply: this is a security bug against the RSS_Reader extension, but this is the RSS extension.