
XSS in templatedata
Closed, Resolved. Visibility: Public

Description

Parameter descriptions allow raw HTML:

{
	"params": {
		"1": {
			"description": "<a onclick=\"alert('XSS')\">Test</a>"
		}
	}
}

The link is directly inserted in the description table; clicking on it executes the JavaScript.
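As an added illustration (not code from this task or from the TemplateData extension), the stand-alone PHP below contrasts the unescaped insertion the task reports with the escaped rendering that the fix switches to (the equivalent of using text()/Html::element rather than Html::rawElement). Only the JSON payload comes from the task; the function names and the table markup are assumptions.

```php
<?php
// Constructed input: the parameter blob from the task description above.
$blob = '{"params":{"1":{"description":"<a onclick=\\"alert(\'XSS\')\\">Test</a>"}}}';
$data = json_decode($blob, true, 512, JSON_THROW_ON_ERROR);

/** Vulnerable form: the description is concatenated into the markup as-is. */
function renderRowRaw(string $name, string $description): string {
    return '<tr><td>' . $name . '</td><td>' . $description . '</td></tr>';
}

/** Fixed form: the description is treated as text; every HTML metacharacter is escaped. */
function renderRowText(string $name, string $description): string {
    $esc = static function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    };
    return '<tr><td>' . $esc($name) . '</td><td>' . $esc($description) . '</td></tr>';
}

/** Defender-side check: does the rendered row still contain a live tag from user input? */
function containsLiveMarkup(string $html, string $userInput): bool {
    // If the input survives byte-for-byte, it was inserted without escaping.
    return strpos($html, $userInput) !== false;
}

foreach ($data['params'] as $name => $param) {
    $desc = (string)($param['description'] ?? '');
    $raw  = renderRowRaw((string)$name, $desc);
    $text = renderRowText((string)$name, $desc);

    echo "raw:  $raw\n";    // the <a onclick=...> tag is emitted verbatim
    echo "text: $text\n";   // emitted as &lt;a onclick=&quot;...&quot;&gt;Test&lt;/a&gt;

    var_dump(containsLiveMarkup($raw, $desc));   // bool(true)  -> XSS
    var_dump(containsLiveMarkup($text, $desc));  // bool(false) -> safe
}
```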

Event Timeline

Ltrlg created this task. Nov 15 2015, 10:03 AM
Ltrlg updated the task description.
Ltrlg raised the priority of this task from to Needs Triage.
Ltrlg added a subscriber: Ltrlg.
Restricted Application added subscribers: StudiesWorld, Aklapper. Nov 15 2015, 10:03 AM
Ltrlg updated the task description. Nov 15 2015, 10:04 AM
Ltrlg set Security to None.
Ltrlg updated the task description.
Ltrlg changed Security from None to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Nov 15 2015, 10:05 AM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a project: Security.
Ltrlg updated the task description. Nov 15 2015, 12:43 PM
Bawolff triaged this task as High priority. Nov 15 2015, 10:46 PM
Bawolff added a subscriber: Bawolff.

Confirmed, issue is present

I checked the rest of the getHtml() method for similar issues and found none.

The structure of the code that generates the table is a little hard to read.

Bawolff moved this task from Backlog to In Progress on the Security-Team board. Nov 16 2015, 2:28 AM

It looks like 402d95ff6b27800ecbd38e7be1eea18006060752 changed that to be a rawElement.

Timo, can you look at @Bawolff's patch, and make sure it doesn't break something you were accounting for when you did that?

<Krinkle> csteipp: Looks good. Was not intended to be rawElement. I think an earlier version of that patch passed parameter and used escaped() and then one changed to text() but the other remained rawElement. Not relied upon.

(just prefixed the patch description with SECURITY to make it easy to see in git)

LGTM

csteipp closed this task as Resolved. Nov 19 2015, 10:25 PM
csteipp claimed this task.

22:21 csteipp: deployed patch for T118682

Jdforrester-WMF moved this task from Backlog to Doing on the TemplateData board. Jan 15 2016, 9:21 PM
Bawolff reopened this task as Open. Dec 18 2017, 8:19 PM
Bawolff removed csteipp as the assignee of this task.

Not sure what happened, but this is present on mediawiki.org right now.

Restricted Application added a project: VisualEditor. Dec 18 2017, 8:19 PM

Re-deployed. I'm also going to publicize this momentarily.

[20:48]	logmsgbot	!log bawolff@tin Synchronized php-1.31.0-wmf.12/extensions/TemplateData/TemplateDataBlob.php: T118682 (duration: 00m 52s)

and

https://gerrit.wikimedia.org/r/#/c/398911/

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". Dec 18 2017, 9:21 PM
Bawolff changed the edit policy from "Custom Policy" to "All Users".
Bawolff closed this task as Resolved.
Bawolff claimed this task.
Restricted Application added a project: User-Ryasmeen. Dec 18 2017, 9:21 PM
sbassett moved this task from In Progress to Done on the Security-Team board. Tue, Jun 11, 6:05 PM