Page MenuHomePhabricator

XSS when $wgShowExceptionDetails=false and browser sends non-standard url escaping
Closed, ResolvedPublic

Description

Unclear how exploitable this actually is.

Basic issue, in "includes/MWException.php" line 112, the internalerror-fatal-exception uses ->text() instead of ->escaped(). Furthermore, one of the parameters (the url) is semi-user controlled.

  • Set $wgShowExceptionDetails = false; (the default)
  • Make a page that somehow triggers a MWException
  • append &uselang=qqx to the url so all parameters are shown
  • append &foo=<script>alert(1)</script>
  • Maybe you get an xss. This will depend on user-agent. Firefox, chrome and safari (in my limitted testing) seems to always percent encode < and > in the HTTP request. curl on the other hand does not. I have no idea if there exists generally used browsers which are vulnerable.

I guess we should treat this as an actual xss just in case?

Event Timeline

Bawolff created this task.Oct 18 2017, 5:15 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 18 2017, 5:15 AM

Missed a case, new patch

dpatrick triaged this task as Normal priority.Oct 18 2017, 5:19 PM

Patch LGTM, +2. Relatedly, I think it's confusing that MWException::msg() returns a non-escaped string instead of a Message object.

Just as an aside, rfc3986 doesn't list "<" or ">" as reserved characters, so arguably curl's behaviour is correct.

Reedy renamed this task from XSS when $wgShowExceptionDetails=false and browser sends non-standard url escaping. to XSS when $wgShowExceptionDetails=false and browser sends non-standard url escaping.Nov 2 2017, 7:41 PM
Reedy added a subscriber: Reedy.Nov 2 2017, 8:00 PM

REL1_27 doesn't have MWExceptionRenderer, so needs a bit more work

Reedy added a comment.Nov 2 2017, 10:32 PM

REL1_27 doesn't have MWExceptionRenderer, so needs a bit more work

Or, even, less work. Change doesn't need applying to that file if it doesn't exist.

Reedy added a comment.Nov 2 2017, 10:41 PM

Fixed RELEASE-NOTES too

Reedy assigned this task to Bawolff.Nov 2 2017, 10:42 PM
Reedy added a comment.Nov 2 2017, 11:57 PM

rebased for patches merged to branch...

I deployed the patch on wmf wikis.

[22:34] bawolff !log Deploy patch for T178451

This comment was removed by Reedy.
Reedy added a comment.Nov 11 2017, 1:02 AM

Reedy closed this task as Resolved.Nov 13 2017, 4:18 PM

Closes as resolved (due to patches existing, and backports having been made), for ease of tracking in parent bugs

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 15 2017, 12:02 AM

Change 391417 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@REL1_30] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391417

Change 391417 merged by Reedy:
[mediawiki/core@REL1_30] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391417

Change 391433 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[mediawiki/core@fundraising/REL1_27] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391433

Change 391433 merged by Ejegg:
[mediawiki/core@fundraising/REL1_27] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391433

Change 391447 had a related patch set uploaded (by Reedy; owner: Brian Wolff):
[mediawiki/core@master] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391447

Change 391447 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391447

Change 391730 had a related patch set uploaded (by Chad; owner: Brian Wolff):
[mediawiki/core@wmf/1.31.0-wmf.8] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391730

Change 391730 merged by jenkins-bot:
[mediawiki/core@wmf/1.31.0-wmf.8] SECURITY: Escape internal error message

https://gerrit.wikimedia.org/r/391730