Page MenuHomePhabricator
Create Task
Maniphest T348979

CVE-2024-23177: WatchAnalytics: classic XSS on Special:PageStatistics with the 'page' URL parameter
Closed, ResolvedPublicSecurity
Actions

Description

Minimal test example: Special:PageStatistics?page=<script>alert('XSS')</script>

Expected results: no alert() is shown

Actual results: the alert() is, in fact, shown

Mitigation: wrapping the $requestedPage variable in htmlspecialchars( ..., ENT_QUOTES ) before outputting it, like so:

@@ -54,7 +59,8 @@ class SpecialPageStatistics extends SpecialPage {
                        $this->renderPageStats();
                } elseif ( $requestedPage ) {
                        // @todo FIXME: internationalize
-                       $out->addHTML( "<p>\"$requestedPage\" is either not a page or is not watchable</p>" );
+                       $safeRequestedPage = htmlspecialchars( $requestedPage, ENT_QUOTES );
+                       $out->addHTML( "<p>\"$safeRequestedPage\" is either not a page or is not watchable</p>" );
                } else {
                        $out->addHTML( "<p>No page requested</p>" );
                }

(Excuse the line numbers presumably not matching as I have a lot of changes to this extension locally which I've yet to commit.)

Additionally there are various i18n issues here (and also many other places) and an alternative, even better fix would be to move the i18n string(s) into the i18n file and use $out->addWikiMsg( 'some-message-key-you-would-create', $requestedPage ); instead of $out->addHTML( ... ); to output a definitely known to be safe string without having to manually rely on htmlspecialchars() and the like and having the Parser do the sanitization etc. for you.
But I think the i18n stuff is a separate issue that can and should be fixed separately from the security issue.

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
[SECURITY] Escape the 'page' URL parameter value before outputting itmediawiki/extensions/WatchAnalyticsREL1_40+2 -1
[SECURITY] Escape the 'page' URL parameter value before outputting itmediawiki/extensions/WatchAnalyticsREL1_41+2 -1
[SECURITY] Escape the 'page' URL parameter value before outputting itmediawiki/extensions/WatchAnalyticsmaster+2 -1
Customize query in gerrit

Related Objects

Event Timeline

ashley created this task.Oct 16 2023, 1:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 16 2023, 1:01 PM
ashley added projects: MediaWiki-extensions-WatchAnalytics, Vuln-XSS.Oct 16 2023, 1:01 PM
ashley mentioned this in T348989: Various hardcoded English strings.Oct 16 2023, 2:21 PM
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Oct 16 2023, 4:51 PM
ashley mentioned this in rEWAN22199e2fc800: [SECURITY] Escape the 'page' URL parameter value before outputting it.Oct 17 2023, 2:05 PM
ashley closed this task as Resolved.Oct 17 2023, 2:17 PM
ashley claimed this task.
ashley added a subscriber: sbassett.

Now fixed in git master by the afore-referenced commit. @sbassett, feel free to make this task public now; thanks!

sbassett triaged this task as Medium priority.Oct 17 2023, 3:40 PM
sbassett mentioned this in T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.

gerrit: https://gerrit.wikimedia.org/r/966544

gerritbot added a comment.Jan 17 2024, 3:10 PM

Change 991333 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):

[mediawiki/extensions/WatchAnalytics@REL1_41] [SECURITY] Escape the 'page' URL parameter value before outputting it

https://gerrit.wikimedia.org/r/991333

gerritbot added a project: Patch-For-Review.Jan 17 2024, 3:10 PM
gerritbot added a comment.Jan 17 2024, 3:19 PM

Change 991334 had a related patch set uploaded (by Mmartorana; author: Jack Phoenix):

[mediawiki/extensions/WatchAnalytics@REL1_40] [SECURITY] Escape the 'page' URL parameter value before outputting it

https://gerrit.wikimedia.org/r/991334

mmartorana renamed this task from WatchAnalytics: classic XSS on Special:PageStatistics with the 'page' URL parameter to CVE-2024-23177: WatchAnalytics: classic XSS on Special:PageStatistics with the 'page' URL parameter.Jan 17 2024, 4:17 PM
gerritbot added a comment.Jan 17 2024, 4:25 PM

Change 991333 merged by jenkins-bot:

[mediawiki/extensions/WatchAnalytics@REL1_41] [SECURITY] Escape the 'page' URL parameter value before outputting it

https://gerrit.wikimedia.org/r/991333

mmartorana mentioned this in rEWAN60007b9a4e0d: [SECURITY] Escape the 'page' URL parameter value before outputting it.Jan 17 2024, 4:25 PM
gerritbot added a comment.Jan 19 2024, 10:01 PM

Change 991334 merged by SBassett:

[mediawiki/extensions/WatchAnalytics@REL1_40] [SECURITY] Escape the 'page' URL parameter value before outputting it

https://gerrit.wikimedia.org/r/991334

sbassett mentioned this in rEWANe5ac008c613e: [SECURITY] Escape the 'page' URL parameter value before outputting it.Jan 19 2024, 10:01 PM
Maintenance_bot removed a project: Patch-For-Review.Jan 19 2024, 10:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL