Summary:
It is possible to place malicious code on any wiki page in any project of the Wikimedia Foundation (Wikipedia, Commons and others). It consists of an HTML element with an inline CSS style that contains CSS variables. By abusing the variable evaluation mechanism it is possible to cause a crash of all modern browsers.
A working sample of the code is attached to this ticket (see the file attack_code_example.txt).
I’m an administrator and CU on the Russian Wikipedia and have found this sample in the list of recent edits today! After it crashed my browser a couple of times I was able to retrieve an inactive sample by deleting the affected page and viewing the source code during undeleting.
Possible impact:
High to critical, as it will crash the browsers of page visitors, especially if injected into a widely used template. If the code manages to reach the main page via inclusions, it will greatly affect all users and visitors of the project. Such malicious edits could be quite difficult to undo, as the diff view will also cause a crash. And the most worrying thing about the issue: I caught the code "in the wild"...
How to reproduce:
- Copy the sample code from the attached text file (attack_code_example.txt) and paste it into any page (article, discussion page, user page, new page, existing page, etc.)
- Press “Show preview”. The browser will crash immediately.
- If you publish the page instead of previewing (DON’T DO IT), the embedded code will crash the browser of every visitor of the infected page.
Tested configurations:
- Browsers affected: Chrome 70.0, Firefox 63
- Browsers not affected: IE11.
- Sites affected: All WMF sites (tested on RU Wiki, EN Wiki, DE Wiki and on Commons). Also numerous external wiki projects based on the MediaWiki engine.
Possible remedies:
- Immediate: New abuse filter rule (already done on RU Wiki)
- Long term: Deactivate interpretation of CSS variables (the same approach as with JS snippets on general pages).
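As an added illustration of the immediate remedy (not code from this ticket or from MediaWiki), the following Python script mirrors what an abuse filter for this issue needs to check: it scans the added lines of an edit for inline `style` attributes that declare CSS custom properties (`--name:`) or reference them via `var(...)`, and flags the edit. The sample edit lines are constructed and harmless; the regular expressions and the function names are my own assumptions, not the filter actually deployed.

```python
import re

# An inline style attribute with a quoted value (assumed pattern; does not
# try to handle every HTML quoting variant, only the common quoted forms).
STYLE_ATTR = re.compile(r'style\s*=\s*(["\'])(.*?)\1', re.IGNORECASE | re.DOTALL)
# A CSS custom property declaration such as  --w: 1px
CUSTOM_PROP = re.compile(r'--[A-Za-z0-9_-]+\s*:')
# A reference to a custom property such as  var(--w)
VAR_CALL = re.compile(r'var\s*\(', re.IGNORECASE)

def inline_css_variable_findings(wikitext):
    """Return (style_value, custom_property_count, var_call_count) for every
    inline style in the text that declares or references CSS variables."""
    findings = []
    for match in STYLE_ATTR.finditer(wikitext):
        style = match.group(2)
        n_props = len(CUSTOM_PROP.findall(style))
        n_vars = len(VAR_CALL.findall(style))
        if n_props or n_vars:
            findings.append((style, n_props, n_vars))
    return findings

def should_flag_edit(added_lines):
    """True when any added line carries an inline style using CSS variables.
    This is the same condition an AbuseFilter rule on added_lines would
    express with a case-insensitive regex (irlike) over the style attribute."""
    return bool(inline_css_variable_findings("\n".join(added_lines)))

# Constructed sample edit: one benign inline style, one that uses CSS
# variables (harmless values), and a template parameter without quotes.
SAMPLE_ADDED_LINES = [
    '<span style="color:red">benign</span>',
    '<div style="--w:1px; border:var(--w) solid">styled</div>',
    "{{Infobox|style=font-weight:bold}}",
]

if __name__ == "__main__":
    for style, n_props, n_vars in inline_css_variable_findings("\n".join(SAMPLE_ADDED_LINES)):
        print(f"flagged style={style!r} custom_props={n_props} var_calls={n_vars}")
    print("flag edit:", should_flag_edit(SAMPLE_ADDED_LINES))
```

Matching on any custom property or `var(` call is deliberately broad: the long-term remedy proposed above is to stop interpreting CSS variables in wikitext altogether, so a filter that blocks all of them in inline styles loses nothing legitimate.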