XSS from wikitext when $wgArticlePath='$1'
Closed, Resolved · Public

Description

When $wgArticlePath is set to '$1', it's trivially possible to execute XSS attacks:

  • Create a page named javascript:alert('XSS!')
  • Add a wikilink to that page on another one: [[javascript:alert('XSS!')]]

Since $wgArticlePath is not absolute, this will generate <a href="javascript:alert('XSS!')" ...>.
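The following Python is an added example, not MediaWiki's code or the Gerrit fix: it models how `$1` in $wgArticlePath is expanded into an href (the title encoding is a constructed approximation that keeps `:` unencoded, which is all that matters here), shows why a browser reads the result as a `javascript:` URL when the path is a bare `$1`, and gives a defender's sanity check that a configured article path is rooted before a wiki goes live.

```python
import re
from urllib.parse import quote

# Assumption for this example: an article path is considered safe only when it
# is rooted ('/' or '//') or absolute ('http://', 'https://').  MediaWiki's own
# validation may accept other forms; this is a defender's sanity check.
ROOTED_PREFIX = re.compile(r'^(?:https?:)?/')
# RFC 3986: a URL carries a scheme when it starts with ALPHA *(ALPHA / DIGIT / + / - / .) ':'
SCHEME_RE = re.compile(r'^([a-zA-Z][a-zA-Z0-9+.\-]*):')
SCRIPT_SCHEMES = {'javascript', 'data', 'vbscript'}


def article_url(article_path: str, title: str) -> str:
    """Simplified model of $wgArticlePath expansion: '$1' becomes the title with
    spaces as underscores; ':' and some punctuation are left unencoded
    (constructed approximation of MediaWiki's title encoding)."""
    encoded = quote(title.replace(' ', '_'), safe="/:!'()*,;@~$")
    return article_path.replace('$1', encoded)


def href_scheme(href: str):
    """Scheme a browser would see for this href, or None when it is relative."""
    m = SCHEME_RE.match(href)
    return m.group(1).lower() if m else None


def link_is_scriptable(article_path: str, title: str) -> bool:
    """True when a wikilink to `title` yields an href with a script scheme."""
    return href_scheme(article_url(article_path, title)) in SCRIPT_SCHEMES


def check_article_path(article_path: str) -> list:
    """Human-readable problems with a $wgArticlePath value (empty list = ok)."""
    problems = []
    if '$1' not in article_path:
        problems.append("does not contain the '$1' title placeholder")
    if not ROOTED_PREFIX.match(article_path):
        problems.append("is not rooted ('/', '//' or 'http(s)://'); a relative "
                        "article path lets the page title shape how the browser "
                        "interprets the link")
    return problems


if __name__ == '__main__':
    title = "javascript:alert('XSS!')"   # constructed title from the report
    for path in ('$1', 'index.php/$1', '/wiki/$1'):
        print(f"{path!r:15} -> {article_url(path, title)!r} "
              f"scriptable={link_is_scriptable(path, title)}")
        for problem in check_article_path(path):
            print("    problem:", problem)
```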

Note that $wgArticlePath = '$1' is a pretty broken configuration setting and unlikely to result in a fully functional wiki, but people desperately grappling with short URLs might end up setting that. On master, it seems to cause infinite redirect loops (probably due to 155d555b83eca6403e07d2094b074a8ed2f301ae?), but I was able to view pages with that setting on MediaWiki 1.25.

It seems that T48998 is an old bug pointing out that some $wgArticlePaths just shouldn't be allowed (with a patch).


patches:

affected versions:
type: XSS
CVE: CVE-2015-8622

matmarex created this task. Nov 5 2015, 7:29 PM
matmarex updated the task description.
matmarex raised the priority of this task from to Needs Triage.
matmarex changed the visibility from "Public (No Login Required)" to "Custom Policy".
matmarex changed the edit policy from "All Users" to "Custom Policy".
matmarex changed Security from None to Software security bug.
matmarex added a subscriber: matmarex.
Restricted Application added a subscriber: Aklapper. Nov 5 2015, 7:29 PM
This comment was removed by demon.

Would be fixed with https://gerrit.wikimedia.org/r/135196

@Bawolff is going to +2 that, and we'll backport it for the next security release to address the issue.

csteipp triaged this task as Low priority. Nov 10 2015, 10:25 PM

Ok, I've +2'd that patch.

I'm not putting any backports into gerrit now, as I assume we're going to wait until the security release, so as to not draw any attention to this.

Somebody should probably delete the earlier comment with the list of vulnerable wikis before this is publicised, or get them all to upgrade :)

demon added a comment. Dec 17 2015, 4:35 PM

Somebody should probably delete the earlier comment with the list of vulnerable wikis before this is publicised, or get them all to upgrade :)

Did the former to be extra safe and not call them out.

demon closed this task as Resolved. Dec 18 2015, 12:39 AM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
csteipp updated the task description. Dec 23 2015, 11:42 PM
Restricted Application added a subscriber: Luke081515. Dec 23 2015, 11:42 PM