Page MenuHomePhabricator
Create Task
Maniphest T178451

XSS when $wgShowExceptionDetails=false and browser sends non-standard url escaping
Closed, ResolvedPublic
Actions

Assigned To
Bawolff
Authored By
Bawolff
Oct 18 2017, 5:15 AM
Tags
Referenced Files
F10721843: 0001-T178451-REL1_29.patch
Nov 11 2017, 1:02 AM
F10721842: 0001-T178451-REL1_28.patch
Nov 11 2017, 1:02 AM
F10720206: 0001-T178451-REL1_28.patch
Nov 10 2017, 10:20 PM
F10578667: 0001-T178451-REL1_27.patch
Nov 2 2017, 11:57 PM
F10577973: 0001-T178451-REL1_29.patch
Nov 2 2017, 10:41 PM
F10577974: 0001-T178451-REL1_27.patch
Nov 2 2017, 10:41 PM
F10577981: 0001-T178451-REL1_30.patch
Nov 2 2017, 10:41 PM
F10574835: 0001-T178451-REL1_30.patch
Nov 2 2017, 8:00 PM
View All 12 Files
Subscribers
Aklapper
Bawolff
gerritbot
Legoktm
MoritzMuehlenhoff
Reedy

Description

Unclear how exploitable this actually is.

Basic issue, in "includes/MWException.php" line 112, the internalerror-fatal-exception uses ->text() instead of ->escaped(). Furthermore, one of the parameters (the url) is semi-user controlled.

  • Set $wgShowExceptionDetails = false; (the default)
  • Make a page that somehow triggers a MWException
  • append &uselang=qqx to the url so all parameters are shown
  • append &foo=<script>alert(1)</script>
  • Maybe you get an xss. This will depend on user-agent. Firefox, chrome and safari (in my limitted testing) seems to always percent encode < and > in the HTTP request. curl on the other hand does not. I have no idea if there exists generally used browsers which are vulnerable.

I guess we should treat this as an actual xss just in case?

Details

SubjectRepoBranchLines +/-
SECURITY: Escape internal error messagemediawiki/corewmf/1.31.0-wmf.8+18 -15
SECURITY: Escape internal error messagemediawiki/coremaster+18 -15
SECURITY: Escape internal error messagemediawiki/corefundraising/REL1_27+11 -8
SECURITY: Escape internal error messagemediawiki/coreREL1_27+11 -7
SECURITY: Escape internal error messagemediawiki/coreREL1_30+20 -14
SECURITY: Escape internal error messagemediawiki/coreREL1_29+11 -7
SECURITY: Escape internal error messagemediawiki/coreREL1_28+11 -7
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bawolff created this task.Oct 18 2017, 5:15 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 18 2017, 5:15 AM
Bawolff added a project: Vuln-XSS.Oct 18 2017, 5:17 AM
Bawolff added a project: Patch-For-Review.Oct 18 2017, 5:31 AM

T178451.patch1 KBDownload

Bawolff added a comment.Oct 18 2017, 6:12 AM

Missed a case, new patch

T178451 - v22 KBDownload

Bawolff added a parent task: T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.Oct 18 2017, 5:12 PM
dpatrick triaged this task as Medium priority.Oct 18 2017, 5:19 PM
Legoktm subscribed.Oct 18 2017, 5:56 PM

Patch LGTM, +2. Relatedly, I think it's confusing that MWException::msg() returns a non-escaped string instead of a Message object.

Bawolff added a comment.Oct 18 2017, 5:59 PM

Just as an aside, rfc3986 doesn't list "<" or ">" as reserved characters, so arguably curl's behaviour is correct.

Bawolff moved this task from Backlog / Other to Patch pending deployment on the acl*security board.Oct 18 2017, 5:59 PM
Reedy renamed this task from XSS when $wgShowExceptionDetails=false and browser sends non-standard url escaping. to XSS when $wgShowExceptionDetails=false and browser sends non-standard url escaping.Nov 2 2017, 7:41 PM
Reedy mentioned this in T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.
Reedy subscribed.Nov 2 2017, 8:00 PM

0001-T178451-REL1_29.patch3 KBDownload

0001-T178451-REL1_30.patch2 KBDownload

0001-T178451-master.patch2 KBDownload

REL1_27 doesn't have MWExceptionRenderer, so needs a bit more work

Reedy added a comment.Nov 2 2017, 10:32 PM
In T178451#3730709, @Reedy wrote:

REL1_27 doesn't have MWExceptionRenderer, so needs a bit more work

Or, even, less work. Change doesn't need applying to that file if it doesn't exist.

Reedy added a comment.Nov 2 2017, 10:41 PM

Fixed RELEASE-NOTES too

0001-T178451-REL1_27.patch2 KBDownload

0001-T178451-REL1_29.patch1 KBDownload

0001-T178451-REL1_30.patch3 KBDownload

Reedy assigned this task to Bawolff.Nov 2 2017, 10:42 PM
Reedy mentioned this in T179609: Obtain CVE's for 1.27.4/1.29.2 security releases.Nov 2 2017, 10:49 PM
Reedy added a comment.Nov 2 2017, 11:57 PM

0001-T178451-REL1_27.patch2 KBDownload
rebased for patches merged to branch...

Bawolff added a comment.Nov 6 2017, 10:35 PM

I deployed the patch on wmf wikis.

[22:34] bawolff !log Deploy patch for T178451

Bawolff moved this task from Patch pending deployment to Pending deployment / release on the acl*security board.Nov 8 2017, 5:46 PM
Reedy added a comment.Nov 10 2017, 10:20 PM
This comment was removed by Reedy.
Reedy added a comment.Nov 11 2017, 1:02 AM

0001-T178451-REL1_29.patch2 KBDownload

0001-T178451-REL1_28.patch2 KBDownload

MoritzMuehlenhoff subscribed.Nov 13 2017, 8:28 AM

This is CVE-2017-8808

Reedy closed this task as Resolved.Nov 13 2017, 4:18 PM

Closes as resolved (due to patches existing, and backports having been made), for ease of tracking in parent bugs

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 15 2017, 12:02 AM
gerritbot subscribed.Nov 15 2017, 12:03 AM

Change 391417 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@REL1_30] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391417

gerritbot added a comment.Nov 15 2017, 12:03 AM

Change 391417 merged by Reedy:
[mediawiki/core@REL1_30] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391417

gerritbot added a comment.Nov 15 2017, 12:24 AM

Change 391433 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[mediawiki/core@fundraising/REL1_27] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391433

gerritbot added a comment.Nov 15 2017, 12:56 AM

Change 391433 merged by Ejegg:
[mediawiki/core@fundraising/REL1_27] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391433

gerritbot added a comment.Nov 15 2017, 12:59 AM

Change 391447 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@master] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391447

ReleaseTaggerBot added projects: MW-1.30-release-notes, MW-1.29-release-notes.Nov 15 2017, 1:01 AM
gerritbot added a comment.Nov 15 2017, 1:18 AM

Change 391447 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391447

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2017-11-28 (1.31.0-wmf.10)).Nov 15 2017, 2:00 AM
gerritbot added a comment.Nov 15 2017, 11:58 PM

Change 391730 had a related patch set uploaded (by Chad; owner: Brian Wolff):
[mediawiki/core@wmf/1.31.0-wmf.8] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391730

gerritbot added a comment.Nov 16 2017, 12:09 AM

Change 391730 merged by jenkins-bot:
[mediawiki/core@wmf/1.31.0-wmf.8] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391730

ReleaseTaggerBot edited projects, added MW-1.31-release-notes (WMF-deploy-2017-11-14 (1.31.0-wmf.8)); removed MW-1.31-release-notes (WMF-deploy-2017-11-28 (1.31.0-wmf.10)).Nov 16 2017, 1:00 AM
sbassett moved this task from Pending deployment / release to Done on the acl*security board.Sep 26 2019, 2:32 PM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL