XSS in SearchHighlighter::highlightText() [requires non-default config]
Closed, ResolvedPublic

Description

CVE-2017-0365

SearchHighlighter::removeWiki() uses a regex to remove html from snippets. The regex - /<\/?[^>]+>/ assumes that html is well-formed. As a result when using SearchHighlighter::highlightText() as the highlighting method, this can result in an XSS. (Note it is not the default highlighting method. Additionally it is not in use on Wikimedia)

Steps to reproduce:

  1. Use default mysql search (i.e. Not cirrus)
  2. Set $wgAdvancedSearchHighlighting
  3. Create a page with the content <img onerror="alert(1)" src=x Cat Dog
  4. Search for Cat Dog
  5. This should cause the <img> tag in the search results, resulting in a pop-up box
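The sanitizer gap described above, as an added illustration that is not code from the task or from MediaWiki: the stripping regex is reproduced in Python, a simplified model of tag stripping followed by highlight markup shows how an unterminated tag survives it, and a hardened variant (an assumption about a fix, not the merged patch) escapes the text before the highlight spans are inserted. The `contains_raw_tag` check is a constructed detection helper for the same class of failure.

```python
import re
import html

# The regex the task quotes from SearchHighlighter::removeWiki(): it only
# removes complete <...> tags, so a tag that never closes is left intact.
TAG_RE = re.compile(r"</?[^>]+>")
SPAN_OPEN = '<span class="searchmatch">'
SPAN_CLOSE = "</span>"


def remove_wiki_tags(snippet: str) -> str:
    """Tag stripping as the task describes it (well-formed tags only)."""
    return TAG_RE.sub("", snippet)


def highlight_unsafe(snippet: str, terms) -> str:
    """Simplified model of the weak path: strip tags, then wrap each search
    term in highlight markup while leaving every other character untouched."""
    text = remove_wiki_tags(snippet)
    for term in terms:
        text = re.sub(re.escape(term),
                      lambda m: SPAN_OPEN + m.group(0) + SPAN_CLOSE,
                      text, flags=re.IGNORECASE)
    return text


def highlight_safe(snippet: str, terms) -> str:
    """Hardened variant (assumption, not the project's patch): HTML-escape the
    snippet text around and inside the matches, so a leftover '<' from an
    unterminated tag can no longer start an element in the rendered page."""
    text = remove_wiki_tags(snippet)
    pattern = re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)
    out, pos = [], 0
    for m in pattern.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        out.append(SPAN_OPEN + html.escape(m.group(0)) + SPAN_CLOSE)
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def contains_raw_tag(rendered: str) -> bool:
    """Detection check: after removing the highlighter's own spans, any '<'
    still present means markup from the page content reached the output."""
    leftover = rendered.replace(SPAN_OPEN, "").replace(SPAN_CLOSE, "")
    return "<" in leftover


# Constructed sample snippet built from the reproduction steps in the task.
CONSTRUCTED_SNIPPET = '<b>intro</b> <img onerror="alert(1)" src=x Cat Dog'
```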
Bawolff created this task. Sep 6 2016, 7:37 PM
Restricted Application added a subscriber: Aklapper. Sep 6 2016, 7:37 PM
Bawolff added a subscriber: dcausse.
Restricted Application added projects: Discovery, Discovery-Search. Sep 6 2016, 7:51 PM
dpatrick triaged this task as High priority.
dpatrick assigned this task to Bawolff.

Discovery has not been prioritising reviewing this because it does not affect the Wikimedia cluster. @EBernhardson said that @Bawolff should feel free to merge this patch if he thinks it fixes it. Does that satisfy those involved? :-)

We don't think there's any outstanding work for the Search Team here, so I'm removing Discovery-Search.

Sorry, I didn't see your comment. To clarify, this is primarily waiting on us having our next security release (Since this isn't used by Wikimedia, no need to really deploy to cluster)

Bawolff merged a task: Restricted Task. Jan 16 2017, 11:42 PM
Bawolff added a subscriber: MarkAHershberger.

No problem. Understood. Thanks!

Rebased /backported versions of patch:




Umm, the previous 1.23 patch was the wrong file. Fixed version below:

Reedy closed this task as Resolved. Mar 30 2017, 6:00 PM
Reedy added a subscriber: Reedy.

Closing for ease of tracking progress. Patches attached to parent bug, due for next release

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Apr 6 2017, 8:57 PM

Change 346840 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true;

https://gerrit.wikimedia.org/r/346840

Change 346859 merged by jenkins-bot:
[mediawiki/core@REL1_28] SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true;

https://gerrit.wikimedia.org/r/346859

Change 346849 merged by jenkins-bot:
[mediawiki/core@REL1_27] SECURITY: XSS in search if $wgAdvancedSearchHighlighting = true;

https://gerrit.wikimedia.org/r/346849

Bawolff updated the task description. Apr 30 2018, 1:12 PM