Page MenuHomePhabricator
Create Task
Maniphest T278014

CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles
Closed, ResolvedPublicSecurity
Actions

Description

On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped.

Steps to reproduce:

  1. Edit one of the mediastatistics-header-*messages (e.g. edit MediaWiki:Mediastatistics-header-drawing) and add a simple XSS string like <img src=x onerror=alert(document.domain)>
  2. Visit Special:NewFiles and see the JavaScript executed

NewFilesXSS.png (533×948 px, 78 KB)

This happens because the form options is using the ->text() output format with options, which is not escaped, rather than options-messages.

It's relatively low risk given it's admin-only, but filing as a private issue similar to T256171 and T255918.

Details

Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
Escape mediastatistics-header-* messages on Special:NewFilesmediawiki/coreREL1_35+1 -1
Escape mediastatistics-header-* messages on Special:NewFilesmediawiki/coreREL1_31+1 -1
Escape mediastatistics-header-* messages on Special:NewFilesmediawiki/coremaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Grunny created this task.Mar 20 2021, 3:59 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 20 2021, 3:59 PM
Grunny added a comment.EditedMar 20 2021, 4:02 PM

Proposed patch:

T278014.patch1 KBDownload

From 65b0d900790a2fc8b96007425ac9aa850e9fd6dd Mon Sep 17 00:00:00 2001
From: grunny <mwgrunny@gmail.com>
Date: Sat, 20 Mar 2021 04:46:44 +1000
Subject: [PATCH] Escape mediastatistics-header-* messages on Special:NewFiles

The mediastatistics-header-* messages used on Special:NewFiles currently
allow raw HTML as raw options labels are output as raw HTML in forms. We
could change these to use options-messages with the message keys, but it
looks like this was done so the list could be alphabetised based on the
labels and this wouldn't be in alphabetical order if we sorted on the
message keys.

Change-Id: I5f59ccf4c167756255952cfbf31a8d7891463e92
---
 includes/specials/SpecialNewFiles.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/specials/SpecialNewFiles.php b/includes/specials/SpecialNewFiles.php
index fc589f1..92798e0 100644
--- a/includes/specials/SpecialNewFiles.php
+++ b/includes/specials/SpecialNewFiles.php
@@ -155,7 +155,7 @@ class SpecialNewFiles extends IncludableSpecialPage {
 			// mediastatistics-header-office, mediastatistics-header-text,
 			// mediastatistics-header-executable, mediastatistics-header-archive,
 			// mediastatistics-header-3d,
-			return $this->msg( 'mediastatistics-header-' . strtolower( $type ) )->text();
+			return $this->msg( 'mediastatistics-header-' . strtolower( $type ) )->escaped();
 		}, $this->mediaTypes );
 		$mediaTypesOptions = array_combine( $mediaTypesText, $this->mediaTypes );
 		ksort( $mediaTypesOptions );
-- 
2.7.4

As the commit message says, we could use options-messages, but it seems this was intended to allow the output list to be alphabetical, which this approach maintains.

Grunny added a parent task: T2212: Some MediaWiki: messages not safe in HTML (tracking).Mar 20 2021, 4:03 PM
Grunny added a project: Vuln-XSS.Mar 20 2021, 4:08 PM
Reedy added a project: MediaWiki-Special-pages.Mar 20 2021, 5:38 PM
Reedy added a project: MW-1.35-release.Mar 20 2021, 5:44 PM
Reedy added subscribers: matthiasmullie, Reedy.

Thanks Grunny.

Seems this might have been the case since rMW2647cbc4a456: Add media type based filtering to Special:NewFiles

Grunny mentioned this in T278058: CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist).Mar 21 2021, 6:00 PM
sbassett triaged this task as Low priority.Mar 22 2021, 3:25 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett subscribed.

Thanks again for the report and patch. Making this public and pushing through gerrit as low-risk.

RhinosF1 subscribed.Mar 22 2021, 3:27 PM
gerritbot added a comment.Mar 22 2021, 3:30 PM

Change 674083 had a related patch set uploaded (by SBassett; owner: Grunny):
[mediawiki/core@master] Escape mediastatistics-header-* messages on Special:NewFiles

https://gerrit.wikimedia.org/r/674083

gerritbot added a project: Patch-For-Review.Mar 22 2021, 3:30 PM
sbassett added a project: SecTeam-Processed.Mar 22 2021, 3:40 PM
gerritbot added a comment.Mar 22 2021, 5:23 PM

Change 674083 merged by jenkins-bot:
[mediawiki/core@master] Escape mediastatistics-header-* messages on Special:NewFiles

https://gerrit.wikimedia.org/r/674083

gerritbot added a comment.Mar 22 2021, 5:46 PM

Change 674107 had a related patch set uploaded (by SBassett; owner: Grunny):
[mediawiki/core@REL1_35] Escape mediastatistics-header-* messages on Special:NewFiles

https://gerrit.wikimedia.org/r/674107

Grunny added a comment.Mar 22 2021, 5:59 PM

Thanks, @sbassett ! Just for my reference on if I find any more of these in core or WMF deployed extensions, is it OK to push straight to Gerrit, and I assume we'd still want a ticket created for reference?

gerritbot added a comment.Mar 22 2021, 6:00 PM

Change 674107 merged by jenkins-bot:
[mediawiki/core@REL1_35] Escape mediastatistics-header-* messages on Special:NewFiles

https://gerrit.wikimedia.org/r/674107

ReleaseTaggerBot added projects: MW-1.36-notes (1.36.0-wmf.36; 2021-03-23), MW-1.35-notes.Mar 22 2021, 6:00 PM
sbassett added a comment.Mar 22 2021, 6:06 PM
In T278014#6935629, @Grunny wrote:

Thanks, @sbassett ! Just for my reference on if I find any more of these in core or WMF deployed extensions, is it OK to push straight to Gerrit, and I assume we'd still want a ticket created for reference?

I would say likely, yes. However it's probably a good idea to continue filing these as private bugs so the Security-Team can review them (our weekly clinic meeting is Monday morning) just to verify they are indeed low-risk and to also time them well for the weekly train deployment, in getting pushed to gerrit.

sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.Mar 22 2021, 6:07 PM
sbassett removed a project: Patch-For-Review.
Grunny added a comment.Mar 22 2021, 6:38 PM
In T278014#6935675, @sbassett wrote:
In T278014#6935629, @Grunny wrote:

Thanks, @sbassett ! Just for my reference on if I find any more of these in core or WMF deployed extensions, is it OK to push straight to Gerrit, and I assume we'd still want a ticket created for reference?

I would say likely, yes. However it's probably a good idea to continue filing these as private bugs so the Security-Team can review them (our weekly clinic meeting is Monday morning) just to verify they are indeed low-risk and to also time them well for the weekly train deployment, in getting pushed to gerrit.

Sounds good, thanks!

Reedy added a parent task: T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.Mar 30 2021, 12:46 AM
Reedy closed this task as Resolved.Mar 30 2021, 12:48 AM
Reedy assigned this task to Grunny.
Reedy mentioned this in T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.Apr 4 2021, 9:29 PM
gerritbot added a comment.Apr 4 2021, 9:37 PM

Change 676795 had a related patch set uploaded (by Reedy; author: Grunny):

[mediawiki/core@REL1_31] Escape mediastatistics-header-* messages on Special:NewFiles

https://gerrit.wikimedia.org/r/676795

gerritbot added a project: Patch-For-Review.Apr 4 2021, 9:37 PM
gerritbot added a comment.Apr 4 2021, 9:44 PM

Change 676795 merged by jenkins-bot:

[mediawiki/core@REL1_31] Escape mediastatistics-header-* messages on Special:NewFiles

https://gerrit.wikimedia.org/r/676795

Reedy added a project: MW-1.31-release.Apr 4 2021, 9:45 PM
ReleaseTaggerBot added a project: MW-1.31-release-notes.Apr 4 2021, 10:00 PM
Maintenance_bot removed a project: Patch-For-Review.Apr 4 2021, 10:10 PM
Reedy renamed this task from Unescaped messages used in HTML on Special:NewFiles to CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles.Apr 6 2021, 7:11 PM
Reedy added a subscriber: gerritbot.Apr 8 2021, 7:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL