
Extension:MsCalendar XSS vulnerability
Closed, Resolved, Public

Description

I was asked on my talk page to report the bug here, sorry if this is the wrong place:

I work with Miraheze, a free and nonprofit wiki farm. I was recently asked to do a security evaluation of the extension Extension:MsCalendar.

After doing a readthrough of the code, I noticed that the JS wasn't escaping event text here:
https://git.wikimedia.org/blob/mediawiki%2Fextensions%2FMsCalendar/master/js%2Fjquery.calendario.js#L239

As a result, one can simply create an event named '<script>alert("hello world")</script>' and have a persistent cross-site scripting attack. This could lead to leaking of private data, and potential hijacking of the mediawiki account.

However, this extension uses Calendario 1.0.0. Upstream doesn't appear to have this issue at first glance; it's at version 3.2.0. Perhaps if you upgrade the library, you can avoid this issue.
https://github.com/codrops/Calendario

The extension otherwise looks secure to me.

Event Timeline

labster created this task. Apr 24 2016, 10:31 PM
Restricted Application added a subscriber: Aklapper. Apr 24 2016, 10:31 PM

That was me informing the authors. With the same message as above. Felipe Schenone replied back to me with this message on 30 March:

Thanks a lot Brent, I'll definitely take care of this issue.

3 weeks later, not taken care of yet.

Bawolff assigned this task to Sophivorus.
Bawolff added subscribers: Sophivorus, Bawolff.

Assigning this bug to @lfschenone as current extension maintainer.


I was asked on my talk page to report the bug here, sorry if this is the wrong place:

It's fine to report security bugs about third party extensions here. However, given it's not an extension WMF uses or maintains, we (we = WMF security people; this bug tracker is generally used by lots of groups, and obviously anyone can go fix issues, albeit that's less likely for the secret security bugs) will mostly just track the status of the bug, and try to ensure that the current maintainers are aware of the situation and that they are taking care of it. If the current maintainers need help, we'd of course be happy to offer pointers or advice, but generally we (WMF) won't be fixing things for arbitrary non-Wikimedia-used extensions.

I work with Miraheze, a free and nonprofit wiki farm. I was recently asked to do a security evaluation of the extension Extension:MsCalendar.

It's really nice to see non-WMF wikifarms doing security evaluations and helping to ensure that the MediaWiki extension ecosystem is secure :)

csteipp triaged this task as Normal priority. Apr 26 2016, 9:29 PM

We're nearing 2 months since I first reported the vulnerability to the authors. Is there any WMF guidance as to how long before I can publicly disclose the vulnerability?

Keep in mind that this is not an extension used on any WMF site.

@lfschenone: Any updates?

Hi Aklapper, I tried to fix this some weeks ago, but I found that the current version of Calendario is quite different from the one used in the extension. Several things need to be changed, but there isn't much documentation on Calendario so it isn't as easy as I hoped when I promised to take care. I'll do another try this week and report back, but if I'm not successful I may give up, as this isn't a priority to me. Cheers,

In T133511#2315953, @lfschenone wrote:

Hi Aklapper, I tried to fix this some weeks ago, but I found that the current version of Calendario is quite different from the one used in the extension. Several things need to be changed, but there isn't much documentation on Calendario so it isn't as easy as I hoped when I promised to take care. I'll do another try this week and report back, but if I'm not successful I may give up, as this isn't a priority to me. Cheers,

Hi. Please understand that if you are unable to fix it soon/don't have time/etc, we will probably have to mark the extension with {{XSS alert}}

I just suggested updating the extension because I thought it would be easiest. If you want, you could just do some HTML filtering in the original extension -- a good place to start would be here:

https://git.wikimedia.org/blob/mediawiki%2Fextensions%2FMsCalendar/master/js%2Fjquery.calendario.js#L239
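The unescaped event-title rendering the report describes, and the HTML-filtering fix suggested just above, as an added JavaScript example; this is not code from the MsCalendar extension or from Calendario, and the `event` class name and the render functions are assumed for illustration:

```javascript
// Added example, not code from the MsCalendar extension or Calendario.
// Calendario 1.0.0 builds each day cell by concatenating the raw event
// title into an HTML string; renderEventUnsafe() reproduces that pattern
// and renderEventSafe() shows the escaping step the report asks for.

// Map the five characters that can change HTML context to entities.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, function (ch) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[ch];
  });
}

// Vulnerable pattern: the event title is inserted verbatim into markup,
// so a title containing tags is parsed as HTML (stored XSS).
function renderEventUnsafe(title) {
  return '<div class="event">' + title + '</div>';   // class name assumed
}

// Hardened pattern: the title is escaped before concatenation, so any
// markup in it is shown as literal text rather than parsed.
function renderEventSafe(title) {
  return '<div class="event">' + escapeHtml(title) + '</div>';
}

// Defensive check a reviewer can run over a rendered cell: the only
// tag name present should be the wrapper the renderer itself emits.
function hasUnexpectedTags(html, allowedTag) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/g;  // captures the tag name
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m[1].toLowerCase() !== allowedTag) return true;
  }
  return false;
}

// Constructed sample: the kind of event title the report describes.
const sampleTitle = '<script>alert("hello world")</script>';
```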

In T133511#2318411, @lfschenone wrote:

Good call. I submitted a patch, see https://gerrit.wikimedia.org/r/#/c/290232

Who is to review / merge these eight JS lines?

Bawolff added a comment. Edited Jun 12 2016, 12:17 AM
In T133511#2318411, @lfschenone wrote:

Good call. I submitted a patch, see https://gerrit.wikimedia.org/r/#/c/290232

Who is to review / merge these eight JS lines?

My bad, that should be me. For non-WMF deployed extensions though, where it's maintained by basically a single person, one does not necessarily need to do code review. For future reference, if you want to get code review for a fix to a security issue, but don't want to make it public, you can also attach the patch to the bug.

I also made 2 changes:

I also backported these changes.

I also bumped the version number to 2.3 on master/REL1_27 and 2.0-1 on REL1_26, REL1_25 to make sure that it's easy for people to know if they have an up to date version.

@labster I think this bug can be considered fixed now.

@lfschenone It might be good to announce the security fix. Could you maybe send an email to mediawiki-l (I guess that's the most appropriate place) announcing that users should upgrade to either 2.0-1 or 2.3.

revi added a comment. Jun 14 2016, 2:43 PM

Since this vulnerability seems to be resolved, can we close the bug and make this bug public?

matmarex changed the visibility from "Custom Policy" to "Public (No Login Required)".
matmarex changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. Jun 14 2016, 2:53 PM
Bawolff closed this task as Resolved. Jun 14 2016, 4:27 PM