Page MenuHomePhabricator
Create Task
Maniphest T175900

XSS in central notice due to lack of escaping in LoadBanner error handling
Closed, ResolvedPublic4 Estimated Story Points
Actions

Assigned To
None
Authored By
Bawolff
Sep 14 2017, 9:33 AM
Tags
Referenced Files
F9524211: T175900.patch
Sep 14 2017, 9:48 AM
Subscribers
Aklapper
AndyRussG
Bawolff
DStrine
Ejegg

Description

Example:

https://en.wikipedia.org/w/index.php?title=Prism_International&banner=);alert(%27XSS%20on%20%27%2Bdocument.domain);void%20(&force=1&campaign=uggr%20wle%202017%20awards

Basically if set a campaign that exists but is expired, then the banner parameter is reflected back without escaping.

Making this a subtask of T171987 since its more serious than the stuff on that bug, as you can do this without being an admin.

Details

SubjectRepoBranchLines +/-
SECURITY: Fix XSS in Special:BannerLoader error handling.mediawiki/extensions/CentralNoticeREL1_30+1 -1
SECURITY: Fix XSS in Special:BannerLoader error handling.mediawiki/extensions/CentralNoticeREL1_29+1 -1
SECURITY: Fix XSS in Special:BannerLoader error handling.mediawiki/extensions/CentralNoticemaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bawolff created this task.Sep 14 2017, 9:33 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 14 2017, 9:33 AM
Bawolff added projects: Vuln-XSS, MediaWiki-extensions-CentralNotice.Sep 14 2017, 9:34 AM
Bawolff added a parent task: T171987: CentralNotice: Sanitize data for adding a campaign, changing campaign settings, and displaying info about campaigns.
Bawolff added subscribers: DStrine, AndyRussG.
Bawolff updated the task description. (Show Details)Sep 14 2017, 9:38 AM
Bawolff added a project: Security-Extensions.
Bawolff triaged this task as High priority.Sep 14 2017, 9:48 AM
Bawolff moved this task from Backlog / Other to Patch pending review on the acl*security board.
Bawolff added a project: Patch-For-Review.

Proposed patch:

T175900.patch944 BDownload

Bawolff moved this task from Patch pending review to Pending deployment / release on the acl*security board.Sep 18 2017, 9:59 PM
[21:57]	bawolff	!log deployed patch T175900

We should probably release/publisize this at the same time as related T171987

Bawolff mentioned this in T171987: CentralNotice: Sanitize data for adding a campaign, changing campaign settings, and displaying info about campaigns.Sep 24 2017, 3:29 AM
Ejegg added projects: Fundraising Sprint Cottage Cheese isn't Made of Cottages, Fundraising-Backlog.Feb 9 2018, 9:30 PM
Ejegg moved this task from Backlog to Review on the Fundraising Sprint Cottage Cheese isn't Made of Cottages board.Feb 9 2018, 9:33 PM
DStrine moved this task from Triage to Completed in Q3 2017-18 on the Fundraising-Backlog board.Feb 12 2018, 5:01 PM
DStrine added a project: Fundraising Sprint Dinosaur Cookies co-existed with Gingerbread People.Feb 13 2018, 9:26 PM
Ejegg moved this task from Backlog to Review on the Fundraising Sprint Dinosaur Cookies co-existed with Gingerbread People board.Feb 13 2018, 10:53 PM
AndyRussG added a comment.Feb 16 2018, 6:09 PM

Great, thanks so much! Quite a terrifying vulnerability... Patch looks great, locally smoke tested and verified that it blocks the attack :)

AndyRussG moved this task from Review to Pending Deployment on the Fundraising Sprint Dinosaur Cookies co-existed with Gingerbread People board.Feb 27 2018, 8:36 PM
DStrine added a project: Fundraising Sprint Elevators were never intended to go down.Feb 28 2018, 4:33 PM
AndyRussG moved this task from Backlog to Pending Deployment on the Fundraising Sprint Elevators were never intended to go down board.Feb 28 2018, 4:42 PM
Ejegg moved this task from Pending Deployment to Done on the Fundraising Sprint Elevators were never intended to go down board.Mar 7 2018, 10:34 PM
Ejegg moved this task from Done to Pending Deployment on the Fundraising Sprint Elevators were never intended to go down board.
Ejegg subscribed.Mar 8 2018, 9:00 PM

Introduced in eca170c5919dd78b5be281218460e671c066067d

Fix should be backported to REL1_29 and REL1_30

Ejegg added a comment.Mar 8 2018, 9:09 PM

OK, same patch works for all versions, no backporting needed.

Ejegg moved this task from Pending Deployment to Done on the Fundraising Sprint Elevators were never intended to go down board.Mar 12 2018, 10:12 PM
Ejegg changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 12 2018, 10:15 PM
DStrine added a project: Fundraising Sprint Fhabricator is spelled with an "F".Mar 13 2018, 8:28 PM
Ejegg moved this task from Backlog to Done on the Fundraising Sprint Fhabricator is spelled with an "F" board.Mar 13 2018, 8:49 PM
Ejegg closed this task as Resolved.Mar 14 2018, 9:01 PM
DStrine set the point value for this task to 4.Jun 4 2019, 3:55 AM
sbassett moved this task from Pending deployment / release to Done on the acl*security board.Sep 26 2019, 2:30 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL