Page MenuHomePhabricator
Create Task
Maniphest T171045

XSS in SocialProfile's UserBoard
Closed, ResolvedPublic
Actions

Description

While investigating T166997 I registered an account called Foo" onmouseover="alert('XSS')" bar=" on my Labs test wiki (currently running MW 1.28 w/ latest master SP) and posted a message on my main account's (Jack Phoenix) user board via the board shown on User:Jack Phoenix -- the message was posted but the alert was also displayed.

cc @lcawte @SamanthaNguyen

Details

SubjectRepoBranchLines +/-
[SECURITY] Fix XSS in UserBoard on social profile pages and CSRF in API modules which do write actionsmediawiki/extensions/SocialProfilemaster+97 -82
Customize query in gerrit

Related Objects

Event Timeline

ashley created this task.Jul 19 2017, 11:58 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 19 2017, 11:58 AM
Aklapper added a project: SocialProfile.Jul 19 2017, 12:54 PM

+SocialProfile

Restricted Application added a project: Social-Tools. · View Herald TranscriptJul 19 2017, 12:54 PM
ashley added a comment.Jul 19 2017, 2:42 PM

Proposed and tested fix, CR welcome:

diff --git a/UserBoard/UserBoardClass.php b/UserBoard/UserBoardClass.php
index 3fa9367..cfd6175 100644
--- a/UserBoard/UserBoardClass.php
+++ b/UserBoard/UserBoardClass.php
@@ -407,16 +407,17 @@ class UserBoard {
 				# $message_text = preg_replace_callback( "/(<a[^>]*>)(.*?)(<\/a>)/i", 'cut_link_text', $message['message_text'] );
 
 				$sender = htmlspecialchars( $user->getFullURL() );
+				$senderTitle = htmlspecialchars( $message['user_name_from'] );
 				$output .= "<div class=\"user-board-message\">
 					<div class=\"user-board-message-from\">
-					<a href=\"{$sender}\" title=\"{$message['user_name_from']}\">{$message['user_name_from']}</a> {$message_type_label}
+					<a href=\"{$sender}\" title=\"{$senderTitle}\">{$message['user_name_from']}</a> {$message_type_label}
 					</div>
 					<div class=\"user-board-message-time\">" .
 						wfMessage( 'userboard_posted_ago', $this->getTimeAgo( $message['timestamp'] ) )->parse() .
 					"</div>
 					<div class=\"user-board-message-content\">
 						<div class=\"user-board-message-image\">
-							<a href=\"{$sender}\" title=\"{$message['user_name_from']}\">{$avatar->getAvatarURL()}</a>
+							<a href=\"{$sender}\" title=\"{$senderTitle}\">{$avatar->getAvatarURL()}</a>
 						</div>
 						<div class=\"user-board-message-body\">
 							{$message_text}
ashley added a comment.Jul 19 2017, 3:08 PM
In T171045#3452626, @ashley wrote:

Proposed and tested fix, CR welcome:

So this indeed fixes the issue this ticket is about (XSS in social profile pages)...except the same issue is also present on the Special:UserBoard special page, and this patch does not fix that, because for whatever incomprehensible reason the special page duplicates UserBoard::displayMessages(). At a glance there doesn't seem to be much difference between them, so I'm wondering if we could improve the UserBoard class method and kill the unwanted code duplication while also fixing this security issue; if not, we can just slap the htmlspecialchars() calls onto the special page code and call it a day.

Reedy moved this task from Backlog / Other to External (Non-WMF) Issues on the acl*security board.Jul 19 2017, 5:04 PM
dpatrick added a project: Vuln-XSS.Jul 19 2017, 5:12 PM
ashley closed this task as Resolved.Jul 25 2017, 2:32 AM
ashley claimed this task.

Fixed by gerrit changeset #367632.

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 25 2017, 2:51 AM
chasemp added a project: Security.Feb 10 2020, 10:52 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL