
XSS warning on en.wikipedia.com

Posted: Fri Aug 17, 2018 7:47 am
by Rollo
Steps to reproduce:

1) Go to https://en.wikipedia.org/wiki/File:EE_C ... 60883).jpg
2) Click OR Middle Click OR Ctrl Click on the picture or any link for other resolutions
3) Get an XSS warning.

Console output:

Code:

[NoScript] [InjectionChecker]  JavaScript Injection in ///wikipedia/commons/0/08/EE_Canberra_instument_panel,_Midland_Air_Museum._(12780760883).jpg
(function anonymous(
) {
wikipedia/commons/0/08/EE_Canberra_instument_panel,_Midland_Air_Museum._(12780760883).jpg /* COMMENT_TERMINATOR */
DUMMY_EXPR
})

Firefox 60.1.0esr on Debian GNU/Linux x86_64 (Mozilla binary tarball, not from distro repo) in a new clean profile, NoScript 10.1.8.17rc2 default configuration.
Same result for Firefox 61.0.2 release and Firefox 52.9.0esr/NoScript Classic 5.1.8.7rc3.

With Firefox 52.9 I didn't bother to test with a new clean profile...

Re: XSS warning on en.wikipedia.com

Posted: Fri Aug 17, 2018 8:54 am
by barbaz
I see it too.

Console messages from NoScript Classic -

Code:

[NoScript InjectionChecker] JavaScript Injection in ///wikipedia/commons/0/08/EE_Canberra_instument_panel,_Midland_Air_Museum._(12780760883).jpg
(function anonymous(
) {
wikipedia/commons/0/08/EE_Canberra_instument_panel,_Midland_Air_Museum._(12780760883).jpg /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://upload.wikimedia.org/wikipedia/commons/0/08/EE_Canberra_instument_panel%2C_Midland_Air_Museum._%2812780760883%29.jpg] requested from [https://en.wikipedia.org/wiki/File:EE_Canberra_instument_panel,_Midland_Air_Museum._(12780760883).jpg]. Sanitized URL: [https://upload.wikimedia.org/wikipedia/commons/0/08/EE_Canberra_instument_panel,_Midland_Air_Museum._%2012780760883%20.jpg#256610889607651775].

I think this is a false positive.

Re: XSS warning on en.wikipedia.com

Posted: Fri Aug 17, 2018 1:01 pm
by Giorgio Maone
barbaz wrote: I think this is a false positive.
It is. It is syntactically valid JavaScript, but just by chance.
Anyway, whitelisting cross-site requests from wikimedia.org to wikipedia.org should be fairly safe.
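
Why the flagged path counts as "syntactically valid JavaScript", as an added example that is not part of the thread and not NoScript's own code: it only compiles strings as a function body, without running them, and compares the original path with the sanitized one from the log. The helper name `parsesAsJavaScript` and the thumbnail-style path are constructed for illustration.

```javascript
// Added illustration; not NoScript's InjectionChecker source.
// parsesAsJavaScript() is a hypothetical helper name.

// Compile (never run) a candidate string as a function body.
// Function-constructor bodies are sloppy-mode code, so the legacy
// numeric literal "08" in the path is accepted by the parser.
function parsesAsJavaScript(candidate) {
  try {
    new Function(candidate); // compiled only; the function is never called
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Path from the console output in the thread. The parser reads it as:
//   wikipedia / commons / 0 / 08 / EE_Canberra_instument_panel   (divisions)
//   ,                                                            (comma operator)
//   _Midland_Air_Museum._(12780760883).jpg      (method call, then property)
const flaggedPath =
  "wikipedia/commons/0/08/EE_Canberra_instument_panel," +
  "_Midland_Air_Museum._(12780760883).jpg";

// Same path as in the "Sanitized URL" log line, URL-decoded:
// "(" and ")" have become spaces, so "._ 12780760883" no longer parses.
const sanitizedPath =
  "wikipedia/commons/0/08/EE_Canberra_instument_panel," +
  "_Midland_Air_Museum._ 12780760883 .jpg";

// Constructed sample path: "640px" is a number directly followed by
// identifier characters, which is a syntax error.
const constructedPath =
  "wikipedia/commons/thumb/0/08/Example.jpg/640px-Example.jpg";

function classify() {
  return {
    flagged: parsesAsJavaScript(flaggedPath),
    sanitized: parsesAsJavaScript(sanitizedPath),
    constructed: parsesAsJavaScript(constructedPath),
  };
}

console.log(classify());
```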

Re: XSS warning on en.wikipedia.com

Posted: Fri Aug 17, 2018 4:16 pm
by barbaz
Giorgio Maone wrote: It is. It is syntactically valid JavaScript, but just by chance.
Anyway, whitelisting cross-site requests from wikimedia.org to wikipedia.org should be fairly safe.
Thanks Giorgio. I added an XSS exception and it works.

I noticed that NoScript Classic already has a default XSS exception for Wikimedia -

Code:

^https://secure\.wikimedia\.org/wikipedia/[a-z]+/wiki/[^"<>\?%]+$

So will another default XSS exception be added for this new Wikimedia case?