Page MenuHomePhabricator
Create Task
Maniphest T124404

language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814)
Closed, ResolvedPublic
Actions

Assigned To
Bawolff
Authored By
Bawolff
Jan 22 2016, 11:01 AM
Tags
Referenced Files
F10768484: T124404-REL1_28.patch
Nov 13 2017, 6:26 PM
F10768477: T124404-REL1_30.patch
Nov 13 2017, 6:26 PM
F10768474: T124404-master.patch
Nov 13 2017, 6:26 PM
F10768482: T124404-REL1_29.patch
Nov 13 2017, 6:26 PM
F4307616: T124404-REL1_23.patch
Jul 26 2016, 1:49 AM
F4307614: T124404-REL1_27.patch
Jul 26 2016, 1:49 AM
F4307615: T124404-REL1_26.patch
Jul 26 2016, 1:49 AM
F4307612: T124404-master.patch
Jul 26 2016, 1:49 AM
View All 10 Files
Subscribers
Aklapper
Bawolff
csteipp
gerritbot
jimmyxu
liangent

Description

Found well testing a new solution to T119158. The regex in LanguageConverter::autoConvert(), which matches parts of the HTML document not to convert, can hit pcre.backtrack_limit on some input (default in php is 100,000 but it is configurable). The regex fails to match anything after the point it hits the backtrack limit, so language conversion substitutions are done on the entire document, instead of just the part that it is supposed to be done.

To exploit: Create a rule followed by slightly more than pcre.backtrack_limit characters (without any newlines). After that, the substitution rule will be applied everywhere, including within tags.

E.g. Create a page with the following form:

-{H|big=>sr-el:script}- foo <X repeated at least 100000 times>

<big>alert(1)</big>

And then view it in the sr-el variant

(For testing, its easier if you set pcre.backtrack_limit to a smaller number than default)

Patches

T124404-master.patch5 KBDownload
,
T124404-REL1_27.patch5 KBDownload
,
T124404-REL1_26.patch5 KBDownload
,
T124404-REL1_23.patch5 KBDownload

Details

ProjectBranchLines +/-Subject
mediawiki/corewmf/1.31.0-wmf.8+61 -15SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit
mediawiki/coremaster+61 -15SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit
mediawiki/corefundraising/REL1_27+58 -12XSS in langconverter when regex hits pcre.backtrack_limit
mediawiki/coreREL1_30+61 -15SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit
mediawiki/coreREL1_29+62 -15SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit
mediawiki/coreREL1_28+56 -11SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit
mediawiki/coreREL1_27+59 -12SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bawolff created this task.Jan 22 2016, 11:01 AM
Bawolff raised the priority of this task from to Needs Triage.
Bawolff updated the task description. (Show Details)
Bawolff added projects: Security-Core, MediaWiki-Language-converter, acl*security.
Bawolff changed the visibility from "Public (No Login Required)" to "Custom Policy".
Bawolff changed the edit policy from "All Users" to "Custom Policy".
Bawolff changed Security from None to Software security bug.
Bawolff added subscribers: Bawolff, csteipp.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 22 2016, 11:01 AM
Bawolff mentioned this in T119158: Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815).Jan 22 2016, 11:25 AM
Bawolff added projects: Patch-For-Review, Security-Team.Jan 24 2016, 12:16 PM

Fix pcre.backtrack_limit exhaustion XSS in langconverter5 KBDownload

Bawolff added a comment.EditedJan 24 2016, 2:21 PM

avoid pcre.backtrack_limit in lang converter XSS (But with logging error instead of exception)5 KBDownload

On second thought, I think its better in the case we do hit the backtrack limit, to simply not do language conversion on the page, and log the error with a high severity. [See new version of patch]

With the changes to the regex, it should be much more difficult for someone who is not malicious to trigger this error. The most likely way to trigger it, would be a very long <source> listing [Since <source> turns into a <pre> with a lot of children], or a <code> tag with like 50,000 children. Seems unlikely for a non-malicious person to do by accident.

To summarize, patch does 2 things:

  • Optimize regexes to minimize the amount of backtracking (Primarily by using possessive quantifiers where possible)
  • Add a check that regex matches to the end, so if we do hit the backtrack limit, we can detect the situation and respond appropriately.
Bawolff updated the task description. (Show Details)Jan 24 2016, 2:26 PM
Bawolff added a comment.Jan 24 2016, 2:43 PM

I tested this patch on the contents of [[zh:贝拉克·奥巴马]] (Obama from zhwiki). No noticeable performance difference.

csteipp moved this task from Incoming to In Progress on the Security-Team board.Jan 26 2016, 4:48 PM
csteipp triaged this task as High priority.Jan 26 2016, 10:26 PM
Bawolff added a comment.Jan 26 2016, 11:10 PM
In T124404#1960156, @Bawolff wrote:

avoid pcre.backtrack_limit in lang converter XSS (But with logging error instead of exception)5 KBDownload

On second thought, I think its better in the case we do hit the backtrack limit, to simply not do language conversion on the page, and log the error with a high severity. [See new version of patch]

With the changes to the regex, it should be much more difficult for someone who is not malicious to trigger this error. The most likely way to trigger it, would be a very long <source> listing [Since <source> turns into a <pre> with a lot of children], or a <code> tag with like 50,000 children. Seems unlikely for a non-malicious person to do by accident.

To summarize, patch does 2 things:

  • Optimize regexes to minimize the amount of backtracking (Primarily by using possessive quantifiers where possible)
  • Add a check that regex matches to the end, so if we do hit the backtrack limit, we can detect the situation and respond appropriately.

When deploying this patch, should probably keep an eye on logstash for the languageconverter, just to make sure there is no sudden spike in "Hit pcre.backtrack_limit in..." messages. I don't think there should be, but just in case.

Bawolff added a subscriber: liangent.Feb 5 2016, 10:31 AM
csteipp added a comment.Feb 11 2016, 6:27 PM

avoid pcre.backtrack_limit in lang converter XSS (But with logging error instead of exception)5 KBDownload

I think we should update the patch to also check for 0 vs. false, and handle the false/error case appropriately. From http://php.net/manual/en/function.preg-match.php, "preg_match() returns 1 if the pattern matches given subject, 0 if it does not, or FALSE if an error occurred."

Ftr, @Bawolff seems to have found cases in older php versions where 0 was returned on errors also, so reducing the chances of hitting the backtrack limit is also useful.

csteipp moved this task from In Progress to Ready on the Security-Team board.May 9 2016, 6:27 PM
Bawolff mentioned this in T133070: MediaWiki 1.27.1 security release.Jun 27 2016, 6:58 PM
Bawolff moved this task from Backlog / Other to Patch pending deployment on the acl*security board.Jul 10 2016, 5:21 PM
Bawolff updated the task description. (Show Details)Jul 26 2016, 1:49 AM

Patches:

T124404-master.patch5 KBDownload
,
T124404-REL1_27.patch5 KBDownload
,
T124404-REL1_26.patch5 KBDownload
,
T124404-REL1_23.patch5 KBDownload

Bawolff added a subscriber: jimmyxu.Oct 10 2016, 7:36 PM
Reedy lowered the priority of this task from High to Medium.Jul 10 2017, 9:25 PM
Reedy moved this task from Patch pending deployment to Patch needing revision/discussion on the acl*security board.
Bawolff mentioned this in T176176: HTML5 ids seems to change how wikilink fragments are parsed (when LanguageConverter is enabled).Nov 13 2017, 5:41 PM
Bawolff added a parent task: T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.Nov 13 2017, 6:15 PM
Reedy mentioned this in T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.Nov 13 2017, 6:20 PM
Bawolff added a comment.Nov 13 2017, 6:26 PM

T124404-REL1_28.patch5 KBDownload

T124404-REL1_29.patch5 KBDownload

T124404-REL1_30.patch5 KBDownload

T124404-master.patch5 KBDownload
(As of nov 13)

Reedy assigned this task to Bawolff.Nov 13 2017, 6:30 PM
Reedy mentioned this in T179609: Obtain CVE's for 1.27.4/1.29.2 security releases.
Reedy closed this task as Resolved.Nov 13 2017, 7:36 PM
Reedy updated the task description. (Show Details)Nov 13 2017, 7:40 PM
Bawolff added a comment.Nov 13 2017, 10:55 PM

[22:42] bawolff !log deployed patch T124404

MoritzMuehlenhoff renamed this task from language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition to language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814).Nov 14 2017, 9:30 AM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 15 2017, 12:06 AM
Reedy changed the edit policy from "Custom Policy" to "All Users".
gerritbot added a subscriber: gerritbot.Nov 15 2017, 12:09 AM

Change 391409 merged by jenkins-bot:
[mediawiki/core@fundraising/REL1_27] XSS in langconverter when regex hits pcre.backtrack_limit

https://gerrit.wikimedia.org/r/391409

gerritbot added a comment.Nov 15 2017, 12:59 AM

Change 391454 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@master] SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit

https://gerrit.wikimedia.org/r/391454

ReleaseTaggerBot added projects: MW-1.30-release-notes, MW-1.29-release-notes.Nov 15 2017, 1:01 AM
gerritbot added a comment.Nov 15 2017, 3:38 AM

Change 391454 merged by Reedy:
[mediawiki/core@master] SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit

https://gerrit.wikimedia.org/r/391454

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2017-11-28 (1.31.0-wmf.10)).Nov 15 2017, 4:00 AM
gerritbot added a comment.Nov 16 2017, 12:07 AM

Change 391733 had a related patch set uploaded (by Chad; owner: Brian Wolff):
[mediawiki/core@wmf/1.31.0-wmf.8] SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit

https://gerrit.wikimedia.org/r/391733

gerritbot added a comment.Nov 16 2017, 12:41 AM

Change 391733 merged by jenkins-bot:
[mediawiki/core@wmf/1.31.0-wmf.8] SECURITY: XSS in langconverter when regex hits pcre.backtrack_limit

https://gerrit.wikimedia.org/r/391733

ReleaseTaggerBot edited projects, added MW-1.31-release-notes (WMF-deploy-2017-11-14 (1.31.0-wmf.8)); removed MW-1.31-release-notes (WMF-deploy-2017-11-28 (1.31.0-wmf.10)).Nov 16 2017, 1:00 AM
sbassett moved this task from Patch needing revision/discussion to Done on the acl*security board.Sep 26 2019, 2:28 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL