Page MenuHomePhabricator
Create Task
Maniphest T293589

CVE-2021-44855: Blind Stored XSS via Upload Image via URL
Closed, ResolvedPublicSecurity
Actions

Assigned To
matmarex
Authored By
aidilarf28
Oct 18 2021, 2:29 AM
Tags
Referenced Files
F34750523: 01-T293589-rev2.patch
Nov 16 2021, 6:25 PM
F34695003: 0002-ve.ui.MWMediaDialog-Clean-up-image-metadata-display.patch
Oct 18 2021, 8:33 PM
F34694086: 0001-SECURITY-ve.ui.MWMediaDialog-Escape-plaintext-image-.patch
Oct 18 2021, 12:39 PM
Subscribers
aidilarf28
Aklapper
DLynch
Dylsss
Esanders
gerritbot
jeena
View All 14 Subscribers

Description

Hi ,

I Found Blind Stored XSS https://id.wikipedia.org/

Follow me :)

Steps :

  1. Login your account here https://commons.wikimedia.org/
  2. Then upload the Image File here https://commons.wikimedia.org/wiki/Special:UploadWizard
  3. If you have, click "Continue"
  4. Then you will find the features:

This site requires you to provide copyright information for this work, to make sure everyone can legally reuse it.
This file is my own work.
This file is not my own work.

  1. Select "This file is not my own work."
  2. XSS is in the input form "Source & Author(s)"
  3. Next, input the XSS payload in the 2 Input Forms :)

Payloads:

"><img src=c onerror=prompt(document.domain)>
  1. Then if you have, click "Publish File"
  2. Then you will get the URL:

To use the file in a wiki, copy this text into a page:
[[File:HACKED0001231313123123123131.jpg|thumb|"><img src=c onerror=prompt(document.domain)>]]
To link to it in HTML, copy this URL:
https://commons.wikimedia.org/wiki/File:HACKED0001231313123123123131.jpg

  1. Next Edit User Article https://id.wikipedia.org/
  2. Click Insert "Image & Media Tool"
  3. Input the URL of your PHOTO location that has been inserted XSS :)

https://commons.wikimedia.org/wiki/File:HACKED0001231313123123123131.jpg

  1. Look, your photo appears
  2. Then click, and see a pop up appear and XSS is triggered :)

Supporting Report :

  1. Screenshot

Download Now :
https://www.dropbox.com/s/mlleeemug0znhzf/BLIND%20STORED%20XSS%20WIKIPEDIA.jpg?dl=0

  1. Video

Download Now :
https://www.dropbox.com/s/b4uge4kgdw3ves6/BLIND%20STORED%20XSS%20WIKIPEDIA%202.mp4?dl=0

Details

Risk Rating
High
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fieldsmediawiki/extensions/VisualEditorREL1_31+3 -3
SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fieldsmediawiki/extensions/VisualEditormaster+2 -2
SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fieldsmediawiki/extensions/VisualEditorREL1_36+3 -3
SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fieldsmediawiki/extensions/VisualEditorREL1_35+3 -3
SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fieldsmediawiki/extensions/VisualEditorREL1_37+3 -3
Changes to content and Gemfile for security.wikimedia.orgwikimedia/security/landing-pagemaster+21 -7
Add Aidil Arief to security hall of fame for reporting two issueswikimedia/security/landing-pagemaster+17 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

aidilarf28 created this task.Oct 18 2021, 2:29 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 18 2021, 2:29 AM
Aklapper added a project: Vuln-XSS.Oct 18 2021, 7:48 AM

Thanks a lot for reporting this! I'm going to cross-link to your other report at T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146).

aidilarf28 added a comment.Oct 18 2021, 7:57 AM

Hi @Aklapper

Thanks for responds :)

It might be a little different from the previous report, because in the previous report XSS was triggered from Caption and in this report XSS was triggered in Author and Source Name, And XSS was triggered in Blind on Wikipedia Main Page :)

matmarex claimed this task.Oct 18 2021, 12:04 PM
matmarex added a project: VisualEditor.
matmarex subscribed.

Thanks for the report, I can reproduce the problem.

It's a bug in VisualEditor media dialog, occurring regardless of how the image was uploaded. Several of the image metadata fields are displayed incorrectly. We take the HTML from the API (where the payload is safely escaped), and then remove all formatting from it and treat the resulting plain text as if it was HTML, leading to the bug.

It looks like the bug was already present in the first version of that code from 2015 (rEVED4947420650ec: Transform the search widget to show image details).

It's probably difficult to exploit in practice, since you'd have to trick the user into opening the editor, searching for an image name or URL that you provide, and then inserting that image. (It's not exploitable by simply following a link.)

I'm working on a patch, it's a bit complicated since some metadata fields are supposed to be HTML, and I want to make sure we're handling all cases right.

matmarex added a comment.Oct 18 2021, 12:39 PM

Patch:

0001-SECURITY-ve.ui.MWMediaDialog-Escape-plaintext-image-.patch1 KBDownload

This is the simplest patch that fixes the vulnerability, without double-escaping other fields.

There are some other improvements to be made (fixing raw HTML messages, and avoiding parsing and escaping HTML several times), but I haven't finished investigating that, and we can do those later in public with normal code review.

Reedy renamed this task from [ SECURITY VULNERABILIT ] Blind Stored XSS at https://id.wikipedia.org/ Via Upload Image Via URL to [ SECURITY VULNERABILITY ] Blind Stored XSS at https://id.wikipedia.org/ Via Upload Image Via URL.Oct 18 2021, 1:31 PM
sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Oct 18 2021, 2:30 PM
sbassett added projects: SecTeam-Processed, Patch-For-Review.

+1 to @matmarex' patch above. The Security-Team should be able to have this deployed by today's security deployment window (21:00 UTC) at the latest.

sbassett triaged this task as High priority.Oct 18 2021, 2:30 PM
sbassett changed Risk Rating from N/A to High.
matmarex added a subscriber: VPuffetMichel.Oct 18 2021, 2:59 PM
matmarex added a subscriber: ppelberg.Oct 18 2021, 3:45 PM
matmarex added a subscriber: DLynch.Oct 18 2021, 4:56 PM
matmarex added a comment.Oct 18 2021, 8:33 PM

Patch for the other improvements I promised in my previous comment:
[not a security patch, no need to deploy this]

0002-ve.ui.MWMediaDialog-Clean-up-image-metadata-display.patch10 KBDownload

At first I wanted to wait until I can submit it publicly for code review in Gerrit, but then I realized that we'll probably need to wait until the next MediaWiki security release (because VisualEditor is now a bundled extension), and I don't know when that will be and it might be a while. I'm uploading it here so that I don't accidentally lose it, but feel free to review now if you want.

sbassett added subscribers: Mstyles, Reedy.Oct 18 2021, 8:45 PM
In T293589#7438356, @matmarex wrote:

Patch for the other improvements I promised in my previous comment:
[not a security patch, no need to deploy this]

Ok, thanks.

At first I wanted to wait until I can submit it publicly for code review in Gerrit, but then I realized that we'll probably need to wait until the next MediaWiki security release (because VisualEditor is now a bundled extension), and I don't know when that will be and it might be a while. I'm uploading it here so that I don't accidentally lose it, but feel free to review now if you want.

We (mainly @Reedy) have been getting them out pretty consistently at the end of each quarter. So the next one (T292226) would likely be released around that last week or December 2021, or maybe a bit before that due to end-of-the-year holidays, etc.

@Mstyles and I still plan to deploy the security patch from T293589#7435882 in about 15 minutes, along with the one from T293556#7437990.

sbassett added a parent task: T292227: Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1.Oct 18 2021, 9:52 PM
Mstyles added a comment.Oct 18 2021, 10:07 PM

deployed 10/18 to production (https://sal.toolforge.org/log/zRBxlXwBa_6PSCT9WSay)

Mstyles lowered the priority of this task from High to Low.Oct 18 2021, 10:07 PM
Mstyles moved this task from Security Patch To Deploy to Our Part Is Done on the Security-Team board.
aidilarf28 added a comment.Oct 19 2021, 2:11 AM

Hi @sbassett

After I double checked, it seems this behavior has been fixed.

Can you confirm it?

sbassett added a comment.Oct 19 2021, 2:34 PM
In T293589#7439096, @aidilarf28 wrote:

After I double checked, it seems this behavior has been fixed.

Can you confirm it?

Yes, this issue is now fixed within Wikimedia production. The issue is still private and will be held for the next security release, due out sometime towards the end of December 2021, where it will be publicly disclosed. Thanks again for the report.

matmarex added a subscriber: Esanders.Oct 19 2021, 3:56 PM

FYI, @Esanders has started working on a lint check that would prevent adding vulnerable code in the future: https://github.com/wikimedia/eslint-plugin-no-jquery/pull/284. This is likely to have many false positives, so it might not be practical to enable everywhere, but we're hoping to do it for VisualEditor at least.

sbassett added a comment.Oct 19 2021, 4:23 PM

@Esanders, @matmarex - That's great. The Security-Team definitely encourages this kind of proactive security development. At some point it might make sense to move a rule a like this to semgrep or another security-related tool, but we can address that at some later date, likely next year when Gitlab should be far more active and the canonical source for most Wikimedia repos.

ppelberg moved this task from To Triage to Triaged on the VisualEditor board.Oct 21 2021, 3:36 PM
Reedy renamed this task from [ SECURITY VULNERABILITY ] Blind Stored XSS at https://id.wikipedia.org/ Via Upload Image Via URL to Blind Stored XSS via Upload Image via URL.Oct 22 2021, 8:17 PM
sbassett merged a task: Restricted Task.Oct 25 2021, 8:14 PM
sbassett added a subscriber: Dylsss.
Reedy closed this task as Resolved.Nov 3 2021, 6:47 PM

Would be useful to know which branches this applies to/needs backporting to for reference to MW release branches

matmarex added a comment.Nov 3 2021, 7:06 PM

All of them, the buggy code dates to 2015 (T293589#7435793).

Reedy added a comment.Nov 3 2021, 7:27 PM

Thanks! Will have to see how trivial the backports are (in a month or so!)

sbassett added a subscriber: jeena.EditedNov 16 2021, 6:25 PM

Per conversation with @jeena, rebased security patch which should apply cleanly to wmf.9:

01-T293589-rev2.patch1 KBDownload

Reedy mentioned this in T292227: Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1.Dec 10 2021, 7:55 PM
Reedy added a comment.Dec 10 2021, 8:09 PM

Looks like this should apply fairly cleanly all the way back to REL1_35.

Reedy renamed this task from Blind Stored XSS via Upload Image via URL to CVE-2021-44855: Blind Stored XSS via Upload Image via URL.Dec 13 2021, 3:03 AM
aidilarf28 added a comment.Dec 13 2021, 3:27 AM

Hi @Reedy @sbassett

Can the URL of this report be disclosed, sir?

sbassett added a comment.Dec 13 2021, 2:47 PM
In T293589#7565358, @aidilarf28 wrote:

Hi @Reedy @sbassett

Can the URL of this report be disclosed, sir?

Hey - @Reedy should have the security release out sometime this week or early next week. At that time, this task will be made public, and the url will be disclosed. We would appreciate if you could wait until this task is officially made public to disclose the url.

Reedy added a subscriber: gerritbot.Dec 13 2021, 9:40 PM
gerritbot added a comment.Dec 15 2021, 7:30 PM

Change 747575 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_35] Bug: T293589

https://gerrit.wikimedia.org/r/747575

gerritbot added a comment.Dec 15 2021, 7:31 PM

Change 747582 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_36] Bug: T293589

https://gerrit.wikimedia.org/r/747582

gerritbot added a comment.Dec 15 2021, 7:32 PM

Change 747592 had a related patch set uploaded (by Reedy; author: SBassett):

[mediawiki/extensions/VisualEditor@master] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747592

gerritbot added a comment.Dec 15 2021, 7:32 PM

Change 747589 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@REL1_37] Bug: T293589

https://gerrit.wikimedia.org/r/747589

gerritbot added a comment.Dec 15 2021, 7:34 PM

Change 747593 had a related patch set uploaded (by Reedy; author: SBassett):

[mediawiki/extensions/VisualEditor@REL1_37] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747593

gerritbot added a comment.Dec 15 2021, 7:35 PM

Change 747594 had a related patch set uploaded (by Reedy; author: SBassett):

[mediawiki/extensions/VisualEditor@REL1_36] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747594

gerritbot added a comment.Dec 15 2021, 7:35 PM

Change 747595 had a related patch set uploaded (by Reedy; author: SBassett):

[mediawiki/extensions/VisualEditor@REL1_35] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747595

gerritbot added a comment.Dec 15 2021, 7:50 PM

Change 747575 abandoned by Reedy:

[mediawiki/core@REL1_35] Bug: T293589

Reason:

https://gerrit.wikimedia.org/r/747575

gerritbot added a comment.Dec 15 2021, 7:50 PM

Change 747589 abandoned by Reedy:

[mediawiki/core@REL1_37] Bug: T293589

Reason:

https://gerrit.wikimedia.org/r/747589

gerritbot added a comment.Dec 15 2021, 7:50 PM

Change 747582 abandoned by Reedy:

[mediawiki/core@REL1_36] Bug: T293589

Reason:

https://gerrit.wikimedia.org/r/747582

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 15 2021, 7:52 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".
gerritbot added a comment.Dec 15 2021, 7:59 PM

Change 747595 merged by jenkins-bot:

[mediawiki/extensions/VisualEditor@REL1_35] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747595

gerritbot added a comment.Dec 15 2021, 8:09 PM

Change 747593 merged by jenkins-bot:

[mediawiki/extensions/VisualEditor@REL1_37] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747593

gerritbot added a comment.Dec 15 2021, 8:33 PM

Change 747594 merged by jenkins-bot:

[mediawiki/extensions/VisualEditor@REL1_36] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747594

gerritbot added a comment.Dec 15 2021, 8:48 PM

Change 747592 merged by jenkins-bot:

[mediawiki/extensions/VisualEditor@master] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747592

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.16; 2022-01-03).Dec 15 2021, 9:00 PM
matmarex added a comment.Dec 16 2021, 12:54 AM

I submitted the patch with non-security improvements (from T293589#7438356) to Gerrit now: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/VisualEditor/+/747652

gerritbot added a comment.Dec 16 2021, 4:33 PM

Change 747703 had a related patch set uploaded (by Robert Vogel; author: SBassett):

[mediawiki/extensions/VisualEditor@REL1_31] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

https://gerrit.wikimedia.org/r/747703

Legoktm mentioned this in T297896: Apply changes from 1.35.5 to unsupported legacy branch `REL1_31`.Dec 16 2021, 5:30 PM
sbassett added a comment.Dec 16 2021, 6:53 PM

@aidilarf28 - Just to follow up, the security release is out and this task is now public. Feel free to reference it and the url directly.

gerritbot added a comment.Dec 17 2021, 8:43 AM

Change 747703 abandoned by Robert Vogel:

[mediawiki/extensions/VisualEditor@REL1_31] SECURITY: ve.ui.MWMediaDialog: Escape plaintext image metadata fields

Reason:

https://gerrit.wikimedia.org/r/747703

mmodell subscribed.Jan 4 2022, 9:01 PM
This comment was removed by mmodell.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL