
Reflected XSS in GlobalGroupPermissions
Closed, Resolved · Public

Description

Reflected XSS is possible on Special:GlobalGroupPermissions through the wpGroup parameter if the user does not have permission to edit groups and if they do not have editinterface.

Steps to reproduce:

  1. Either log out or log in as a user without editinterface and globalgrouppermissions
  2. Navigate to the following URL in Firefox (to ease verification): https://www.mediawiki.org/wiki/Special:GlobalGroupPermissions?wpGroup=%3Cscript%3Ealert%28document.domain%29%3C/script%3E
  3. You should see the script is executed for the "Name of group", "Localised name of group", and "Localised name of group members" fields
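The pattern behind the bug described above, as an added example that is neither the CentralAuth code nor the patch attached to this task: a read-only group view that interpolates the wpGroup request value straight into HTML, beside the same view with output escaping, plus a small regression check a maintainer could keep. The function names and the three-cell layout are assumptions.

```php
<?php
// Added example, not code from the CentralAuth extension or from the patch
// referenced in this task. It models the read-only group view that a user
// without the globalgrouppermissions right sees: the wpGroup value arrives
// from the query string and is shown in three cells. Function names and
// the cell layout are assumptions for the illustration.

// Vulnerable pattern: the raw request value is concatenated into markup,
// so a wpGroup of "<script>alert(document.domain)</script>" is parsed by
// the browser as an element rather than shown as text.
function renderGroupViewUnsafe( string $group ): string {
    $rows = [ 'Name of group', 'Localised name of group',
              'Localised name of group members' ];
    $html = '';
    foreach ( $rows as $label ) {
        $html .= "<tr><td>$label</td><td>$group</td></tr>\n";
    }
    return $html;
}

// Hardened pattern: escape at the point of output. htmlspecialchars() turns
// <, >, &, " and ' into entities. In MediaWiki itself the equivalent is
// Html::element( 'td', [], $group ), which escapes its text content.
function renderGroupViewSafe( string $group ): string {
    $rows = [ 'Name of group', 'Localised name of group',
              'Localised name of group members' ];
    $safeGroup = htmlspecialchars( $group, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    $html = '';
    foreach ( $rows as $label ) {
        $html .= "<tr><td>$label</td><td>$safeGroup</td></tr>\n";
    }
    return $html;
}

// Regression check: the decoded PoC value from this task (constructed
// inline below) must never reach the response as a raw tag.
function payloadIsNeutralised( string $html ): bool {
    return stripos( $html, '<script' ) === false
        && strpos( $html, '&lt;script&gt;' ) !== false;
}

$payload = '<script>alert(document.domain)</script>';
if ( payloadIsNeutralised( renderGroupViewUnsafe( $payload ) ) ) {
    throw new RuntimeException( 'expected the unsafe view to reproduce the bug' );
}
if ( !payloadIsNeutralised( renderGroupViewSafe( $payload ) ) ) {
    throw new RuntimeException( 'safe view still reflects the payload' );
}
echo "wpGroup is escaped in all three fields\n";
```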

Event Timeline

Grunny created this task. May 10 2016, 11:36 AM
Restricted Application added a subscriber: Aklapper. May 10 2016, 11:36 AM

Here's a quick patch to fix the issue:

Thanks @Grunny! I'll get that deployed as soon as our normal deploy window is finished.

Deployed

15:52 csteipp: deployed patch for T134863

I'll take a look through the Global Group code later today to see if anything else looks suspicious.

@hoo / @Legoktm, FYI, in case you see any strange behavior.

csteipp triaged this task as High priority. May 10 2016, 9:17 PM

I believe we can close this, now, correct?

@dpatrick looks like the PoC https://www.mediawiki.org/wiki/Special:GlobalGroupPermissions?wpGroup=%3Cscript%3Ealert%28document.domain%29%3C/script%3E works again, did the patch get reverted?

I know the patch for this is included in https://gerrit.wikimedia.org/r/#/c/319055/ but that hasn't been merged yet, and it looks like the quick patch isn't live anymore. So, this is now covered by T134931 so it's whether we close this now in favour of T134931 or wait until it's all merged and this XSS vulnerability is deployed to production.

@dpatrick Looks like https://gerrit.wikimedia.org/r/#/c/319055/ was merged in February and is now live, so I think this can be closed and made public once it's announced as part of the fixes released in T134863?

@dpatrick: Could you reply to the last comment please?

> @dpatrick looks like the PoC https://www.mediawiki.org/wiki/Special:GlobalGroupPermissions?wpGroup=%3Cscript%3Ealert%28document.domain%29%3C/script%3E works again, did the patch get reverted?
> I know the patch for this is included in https://gerrit.wikimedia.org/r/#/c/319055/ but that hasn't been merged yet, and it looks like the quick patch isn't live anymore. So, this is now covered by T134931 so it's whether we close this now in favour of T134931 or wait until it's all merged and this XSS vulnerability is deployed to production.

Whoops. That was not good. Also we probably should not have hidden it in a "low severity issue" commit, as this is not a low severity issue. Sorry for our poor response on this issue.

Hmm, also the patch should be backported, since it's an XSS.

So this is definitely long merged now, so this could be public. Normally upon making an issue like this public we'd send a mailing list announcement, although this is now 5 months out of date.

Maybe we should include it in the announcement for the last bit of T134931 which is not yet merged (but I plan to merge next Monday).

Leaving this bug open for now, until formally announced, and the fix is backported.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". Jul 19 2017, 4:37 AM

Change 366195 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/CentralAuth@REL1_28] SECURITY XSS in Special:GlobalGroupPermissions

https://gerrit.wikimedia.org/r/366195

Change 366196 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/CentralAuth@REL1_27] SECURITY XSS in Special:GlobalGroupPermissions

https://gerrit.wikimedia.org/r/366196

Change 366196 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@REL1_27] SECURITY XSS in Special:GlobalGroupPermissions

https://gerrit.wikimedia.org/r/366196

Change 366195 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@REL1_28] SECURITY XSS in Special:GlobalGroupPermissions

https://gerrit.wikimedia.org/r/366195

Bawolff closed this task as Resolved. Jul 19 2017, 5:19 AM
Bawolff claimed this task.

Everything merged and publicly announced.

@Grunny Thank you for your patience in regards to this bug, I know our handling of it was not as good as it could have been.

hashar reopened this task as Open. Jul 19 2017, 8:38 AM
hashar added a subscriber: hashar.

The CentralAuth patch for SECURITY XSS in Special:GlobalGroupPermissions has NOT been cherry picked to REL1_29.

List of patches: https://gerrit.wikimedia.org/r/#/q/fadb367ad16a228cc

> The CentralAuth patch for SECURITY XSS in Special:GlobalGroupPermissions has NOT been cherry picked to REL1_29.
> List of patches: https://gerrit.wikimedia.org/r/#/q/fadb367ad16a228cc

https://gerrit.wikimedia.org/r/#/c/319055/ predates the branchpoint.

hashar closed this task as Resolved. Jul 20 2017, 9:06 PM

@Bawolff sorry, I failed to notice the fix made it to master ages ago and effectively made it to REL1_29 when we branched. Thanks :-}

sbassett moved this task from Backlog to Done on the Security-Team board. Jun 11 2019, 6:58 PM