Page MenuHomePhabricator
Create Task
Maniphest T164800

A variant of "Load JS and CSS by URL" site JS snippet is vulnerable to XSS
Closed, ResolvedPublic
Actions

Description

@Skizzerz noticed that the "Load multiple files" variant of this popular site JS snippet: https://www.mediawiki.org/wiki/Snippets/Load_JS_and_CSS_by_URL didn't validate the 'use' parameter and allowed for XSS attacks with an URL like http://example.com/wiki/Foo?use=MediaWiki:Whatever%26title%3DUser%3AEvil%2Fevil.js (assuming you have registered an account as user 'Evil' and created the page 'User:Evil/evil.js'). The snippet is fixed now: https://www.mediawiki.org/w/index.php?title=Snippets/Load_JS_and_CSS_by_URL&diff=2463924&oldid=2447017 but who knows where it was copied.

Note, the normal variant is not vulnerable (although it is heart-attack-inducing). From a quick glance, our major sites (Wikipedia, Commons, Meta) use the safe normal variant in their MediaWiki:Common.js pages, but we should mwgrep or something to check them all. And maybe we should put out a notice somewhere for third parties?

Event Timeline

matmarex created this task.May 8 2017, 9:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 8 2017, 9:29 PM
dpatrick assigned this task to Bawolff.May 11 2017, 5:49 PM
dpatrick triaged this task as High priority.
dpatrick added a project: Vuln-XSS.
Bawolff added a comment.May 16 2017, 10:40 AM

Changes made:

I believe this covers all of Wikimedia's usages. Thus I am closing this bug and making it public.

bnwikibooks uses it, but is safe since the importScript wrapper they use does url encoding - https://bn.wikibooks.org/wiki/%E0%A6%AE%E0%A6%BF%E0%A6%A1%E0%A6%BF%E0%A6%AF%E0%A6%BC%E0%A6%BE%E0%A6%89%E0%A6%87%E0%A6%95%E0%A6%BF:Common.js/use.js

I also changed the snippet on mw.org to use encodeURIComponent for good measure. Its technically not needed if you filter out those bad character (afaict), but it feels a lot safer to use it, and its good coding practice.

Bawolff closed this task as Resolved.May 16 2017, 10:40 AM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".
He7d3r added a subscriber: He7d3r.May 17 2017, 7:38 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL