XSS in SearchHighlighter::highlightText() [requires non-default config]
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Bawolff
	Sep 6 2016, 7:37 PM

Description

CVE-2017-0365

SearchHighlighter::removeWiki() uses a regex to remove html from snippets. The regex - /<\/?[^>]+>/ assumes that html is well-formed. As a result when using SearchHighlighter::highlightText() as the highlighting method, this can result in an XSS. (Note it is not the default highlighting method. Additionally it is not in use on Wikimedia)

Steps to reproduce:

Use default mysql search (i.e. Not cirrus)
Set $wgAdvancedSearchHighlighting
Create a page with the content <img onerror="alert(1)" src=x Cat Dog
Search for Cat Dog
This should cause the <img> tag in the search results, resulting in a pop-up box

Details

Subject	Repo	Branch	Lines +/-
SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true;	mediawiki/core	REL1_27	+10 -0
SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true;	mediawiki/core	REL1_28	+10 -0
SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true;	mediawiki/core	master	+10 -0

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	• demon	T161996 Release MediaWiki 1.28.1/1.27.2/1.23.16
Resolved	Reedy	T140591 MediaWiki 1.28.1/1.27.2/1.23.16 security release
Resolved	Bawolff	T144845 XSS in SearchHighlighter::highlightText() [requires non-default config]

Event Timeline

Bawolff created this task.Sep 6 2016, 7:37 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 6 2016, 7:37 PM

Bawolff added a project: MediaWiki-Search.Sep 6 2016, 7:51 PM

Bawolff added a subscriber: dcausse.

Restricted Application added projects: Discovery-ARCHIVED, Discovery-Search. · View Herald TranscriptSep 6 2016, 7:51 PM

• dpatrick assigned this task to Bawolff.Sep 13 2016, 8:47 PM

• dpatrick triaged this task as High priority.

• dpatrick added a project: Vuln-XSS.

T144845.patch1 KBDownload

Discovery has not been prioritising reviewing this because it does not affect the Wikimedia cluster. @EBernhardson said that @Bawolff should feel free to merge this patch if he thinks it fixes it. Does that satisfy those involved? :-)

We don't think there's any outstanding work for the Search Team here, so I'm removing Discovery-Search.

In T144845#2733070, @Deskana wrote:

Discovery has not been prioritising reviewing this because it does not affect the Wikimedia cluster. @EBernhardson said that @Bawolff should feel free to merge this patch if he thinks it fixes it. Does that satisfy those involved? :-)

Sorry, I didn't see your comment. To clarify, this is primarily waiting on us having our next security release (Since this isn't used by Wikimedia, no need to really deploy to cluster)

Bawolff added subscribers: Kizule, Ciencia_Al_Poder.Jan 16 2017, 10:42 PM

Bawolff merged a task: Restricted Task.Jan 16 2017, 11:42 PM

Bawolff added a subscriber: MarkAHershberger.

In T144845#2943841, @Bawolff wrote:

Sorry, I didn't see your comment. To clarify, this is primarily waiting on us having our next security release (Since this isn't used by Wikimedia, no need to really deploy to cluster)

No problem. Understood. Thanks!

Kizule unsubscribed.Jan 17 2017, 8:42 PM

• dpatrick mentioned this in T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.Jan 31 2017, 9:58 PM

• dpatrick added a parent task: T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.Jan 31 2017, 10:06 PM

Rebased /backported versions of patch:

T144845-REL1_23.patch2 KBDownload

T144845-REL1_27.patch1 KBDownload

T144845-REL1_28.patch1 KBDownload

T144845-master.patch1 KBDownload

Umm, the previous 1.23 patch was the wrong file. Fixed version below:

T144845-REL1_23.patch1 KBDownload

Closing for ease of tracking progress. Patches attached to parent bug, due for next release

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 6 2017, 8:57 PM

Change 346840 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true;

https://gerrit.wikimedia.org/r/346840

Change 346859 merged by jenkins-bot:
[mediawiki/core@REL1_28] SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true;

https://gerrit.wikimedia.org/r/346859

ReleaseTaggerBot added projects: MW-1.28-release-notes, MW-1.29-release-notes, MW-1.29-release (WMF-deploy-2017-04-11_(1.29.0-wmf.20)).Apr 6 2017, 10:00 PM

Change 346849 merged by jenkins-bot:
[mediawiki/core@REL1_27] SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true;

https://gerrit.wikimedia.org/r/346849

ReleaseTaggerBot added a project: MW-1.27-release-notes.Apr 6 2017, 11:00 PM

Bawolff updated the task description. (Show Details)Apr 30 2018, 1:12 PM

sbassett moved this task from Patch pending review to Done on the acl*security board.Sep 26 2019, 2:43 PM

• chasemp added a project: Security.Feb 10 2020, 10:55 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM

	F5529398: T144845-REL1_23.patch
	Feb 7 2017, 10:33 AM

	F5462764: T144845-master.patch
	Feb 3 2017, 8:50 AM

	F4525816: T144845.patch
	Sep 26 2016, 10:51 AM

XSS in SearchHighlighter::highlightText() [requires non-default config]Closed, ResolvedPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

XSS in SearchHighlighter::highlightText() [requires non-default config]
Closed, ResolvedPublic
Actions

Related Objects
Search...