Page MenuHomePhabricator
Create Task
Maniphest T137264

XSS in Parser::replaceInternalLinks2 during replacement of percent encoding in unclosed internal links
Closed, ResolvedPublic
Actions

Description

Put

[[#%3Cscript%3Ealert(1)%3C/script%3E|

On a line by itself, and you get an XSS.

It appears that this was fixed in the main code branch in r13302 by @GWicke, but the e1_img code patch was missed. The e1_img code path was added in r5693, so this issue basically effects all versions of MW ever.

@Legoktm helped discover this vulnrability

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: XSS in unclosed internal linksmediawiki/coreREL1_27+10 -1
SECURITY: XSS in unclosed internal linksmediawiki/coremaster+10 -1
SECURITY: XSS in unclosed internal linksmediawiki/coreREL1_26+10 -1
SECURITY: XSS in unclosed internal linksmediawiki/coreREL1_23+10 -1
SECURITY: XSS in unclosed internal linksmediawiki/corefundraising/REL1_27+10 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bawolff created this task.Jun 8 2016, 2:22 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 8 2016, 2:22 AM
Bawolff added projects: Patch-For-Review, Vuln-XSS, MediaWiki-Parser.Jun 8 2016, 2:42 AM

0001-SECURITY-XSS-in-unclosed-internal-links.patch1 KBDownload

matmarex subscribed.Jun 8 2016, 7:50 PM

For reference:

dpatrick triaged this task as High priority.Jun 14 2016, 8:24 PM
dpatrick added a parent task: T133070: MediaWiki 1.27.1 security release.
dpatrick mentioned this in T133070: MediaWiki 1.27.1 security release.Jun 14 2016, 8:59 PM
dpatrick subscribed.Jun 15 2016, 1:41 AM

This has been tested and is ready for deployment.

dpatrick closed this task as Resolved.Jun 15 2016, 9:18 PM
dpatrick claimed this task.

This patch has been deployed:

21:16 dapatrick: Deployed patch for T137264 to wmf.5 and wmf.6
GWicke added a comment.Jun 15 2016, 9:26 PM

@Legoktm @Bawolff @dpatrick: Thanks for catching & addressing this one!

dpatrick added a subscriber: Staypos.Aug 22 2016, 11:31 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 23 2016, 1:23 AM
demon changed Security from Software security bug to None.
gerritbot subscribed.Aug 23 2016, 1:56 AM

Change 306129 had a related patch set uploaded (by Ejegg):
SECURITY: XSS in unclosed internal links

https://gerrit.wikimedia.org/r/306129

gerritbot added a comment.Aug 23 2016, 2:41 AM

Change 306129 merged by jenkins-bot:
SECURITY: XSS in unclosed internal links

https://gerrit.wikimedia.org/r/306129

MZMcBride subscribed.Aug 23 2016, 2:41 AM
gerritbot added a comment.Aug 23 2016, 3:00 AM

Change 306120 merged by jenkins-bot:
SECURITY: XSS in unclosed internal links

https://gerrit.wikimedia.org/r/306120

gerritbot added a comment.Aug 23 2016, 3:26 AM

Change 306111 merged by jenkins-bot:
SECURITY: XSS in unclosed internal links

https://gerrit.wikimedia.org/r/306111

gerritbot added a comment.Aug 23 2016, 3:53 AM

Change 306092 merged by jenkins-bot:
SECURITY: XSS in unclosed internal links

https://gerrit.wikimedia.org/r/306092

ReleaseTaggerBot added projects: MW-1.28-release (WMF-deploy-2016-08-23_(1.28.0-wmf.16)), MW-1.28-release-notes, MW-1.26-release, MW-1.23-release.Aug 23 2016, 4:00 AM
gerritbot added a comment.Aug 23 2016, 4:09 AM

Change 306101 merged by jenkins-bot:
SECURITY: XSS in unclosed internal links

https://gerrit.wikimedia.org/r/306101

Joergi123 mentioned this in T143635: Regression: MediaWiki 1.26.4 is using incompatible array syntax.Aug 23 2016, 4:21 AM
ReleaseTaggerBot added a project: MW-1.27-release-notes.Aug 23 2016, 5:00 AM
Kghbln mentioned this in T151805: Security issues publicly announced, fixed but not released?.Nov 28 2016, 8:43 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Bawolff added a comment.Mar 10 2026, 7:38 AM

Point of interest, it appears that this vulnerability was at least attempted to be used in the wild. The script mentioned in T419143 appears to attempt to use it. Obviously in Wikimedia's case it has long since been patched, however it appears that that script may have been copied and originally targeted at other wikis. Its hard to know when the script was originally written, but its probable the original target was using an outdated version of MediaWiki at the time and was vulnerable.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits