Page MenuHomePhabricator
Create Task
Maniphest T117899

XSS from wikitext when $wgArticlePath='$1'
Closed, ResolvedPublic
Actions

Description

When $wgArticlePath is set to '$1', it's trivially possible to execute XSS attacks:

  • Create a page named javascript:alert('XSS!')
  • Add a wikilink to that page on another one: [[javascript:alert('XSS!')]]

Since $wgArticlePath is not absolute, this will generate <a href="javascript:alert('XSS!')" ...>.

Note that $wgArticlePath = '$1' is a pretty broken configuration setting and unlikely to result in a fully functional wiki, but people desperately grappling with short URLs might end up setting that. On master, it seems to cause infinite redirect loops (probably due to 155d555b83eca6403e07d2094b074a8ed2f301ae?), but I was able to view pages with that setting on MediaWiki 1.25.

It seems that T48998 is an old bug pointing out that some $wgArticlePaths just shouldn't be allowed (with a patch).

patches:

affected versions:
type: XSS
CVE: CVE-2015-8622

Related Objects
Search...

Event Timeline

matmarex created this task.Nov 5 2015, 7:29 PM
matmarex raised the priority of this task from to Needs Triage.
matmarex updated the task description. (Show Details)
matmarex added projects: Vuln-XSS, MediaWiki-Parser, acl*security.
matmarex changed the visibility from "Public (No Login Required)" to "Custom Policy".
matmarex changed the edit policy from "All Users" to "Custom Policy".
matmarex changed Security from None to Software security bug.
matmarex subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 5 2015, 7:29 PM
Bawolff subscribed.Nov 10 2015, 10:20 PM
This comment was removed by demon.
csteipp subscribed.Nov 10 2015, 10:24 PM

Would be fixed with https://gerrit.wikimedia.org/r/135196

@Bawolff is going to +2 that, and we'll backport it for the next security release to address the issue.

csteipp triaged this task as Low priority.Nov 10 2015, 10:25 PM
dpatrick assigned this task to Bawolff.Nov 10 2015, 10:29 PM
Bawolff added a comment.Nov 10 2015, 11:10 PM

Ok, I've +2'd that patch.

I'm not putting any backports into gerrit now, as I assume we're going to wait until the security release, so as to not draw any attention to this.

Bawolff added a project: Security-Team.Nov 10 2015, 11:10 PM
csteipp added a parent task: T115722: MediaWiki Security release 1.25.4.Nov 10 2015, 11:56 PM
matmarex added a comment.Nov 11 2015, 10:10 PM

To be backported: https://gerrit.wikimedia.org/r/135196 + https://gerrit.wikimedia.org/r/252582

demon mentioned this in T115722: MediaWiki Security release 1.25.4.Dec 17 2015, 12:39 AM
demon added subscribers: demon, Grunny.Dec 17 2015, 1:18 AM
matmarex added a comment.Dec 17 2015, 1:08 PM

Somebody should probably delete the earlier comment with the list of vulnerable wikis before this is publicised, or get them all to upgrade :)

demon added a comment.Dec 17 2015, 4:35 PM
In T117899#1887382, @matmarex wrote:

Somebody should probably delete the earlier comment with the list of vulnerable wikis before this is publicised, or get them all to upgrade :)

Did the former to be extra safe and not call them out.

demon closed this task as Resolved.Dec 18 2015, 12:39 AM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
csteipp updated the task description. (Show Details)Dec 23 2015, 11:42 PM
Restricted Application added a subscriber: Luke081515. · View Herald TranscriptDec 23 2015, 11:42 PM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 7:13 PM
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
matmarex mentioned this in T316152: Title::getLocalURL() can improperly return '' when $wgArticlePath is an empty string.Aug 24 2022, 7:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL