It is possible to place malicious code on any wiki page in any project of the Wikimedia Foundation (Wikipedia, Commons and others). It consists of an HTML element with an inline CSS style, which contains CSS variables. By abusing the variable evaluation mechanism it is possible to crash all modern browsers.
A working sample of the code is attached to this ticket (see the file attack_code_example.txt).
I’m an administrator and CU on the Russian Wikipedia and found this sample in the list of recent edits today! After it crashed my browser a couple of times I was able to retrieve an inactive sample by deleting the affected page and viewing the source code during undeletion.
High to critical, as it will crash the browsers of page visitors, especially if injected into a widely-used template. If the code manages to reach the main page via inclusions, it will greatly affect all users and visitors of the project. Such malicious edits could be quite difficult to undo, as the diff view will also cause a crash. And the most worrying thing about the issue: I caught the code "in the wild"...
How to reproduce:
- Copy the sample code from the attached text file (attack_code_example.txt) and paste it to any page (article, discussion page, user page, new page, existing page, etc.)
- Press “Show preview”. The browser will crash immediately.
- If you publish the page instead of previewing (DON’T DO IT), the embedded code will crash the browser of every visitor of the infected page.
- Browsers affected: Chrome 70.0, Firefox 63
- Browsers not affected: IE11.
- Sites affected: All WMF sites - tested on RU Wiki, EN Wiki, DE Wiki and Commons. Also numerous external wiki projects based on the MediaWiki engine.
Proposed mitigations:
- Immediate: New abuse filter rule (already done on RU Wiki).
- Long term: Deactivate interpretation of CSS variables (the same approach as with JS snippets on general pages).
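The following Python script is an added example, not part of this ticket and not MediaWiki's own sanitizer (which lives in PHP). It shows what the long-term mitigation amounts to in code: scan wikitext for inline `style` attributes that declare a CSS custom property (`--name: ...`) or reference one via `var(...)`, report where they occur, and strip those declarations while keeping ordinary CSS. The sample wikitext is constructed for the demonstration; it decodes HTML character references before checking, because a sanitizer that only inspects the raw attribute text would miss an entity-encoded declaration. The splitting on `;` and the assumption that each `style` attribute sits on a single line are simplifications of this example.

```python
import html
import re

# Inline style attribute inside an HTML-like tag (assumed to be on one line).
STYLE_ATTR_RE = re.compile(r'(style\s*=\s*)(["\'])(.*?)\2', re.IGNORECASE)
# A custom-property declaration, e.g. "--x: 1", at the start of a declaration.
CUSTOM_PROP_RE = re.compile(r'^\s*--[\w-]+\s*:')
# A var() reference anywhere inside a declaration value.
VAR_REF_RE = re.compile(r'\bvar\s*\(', re.IGNORECASE)

# Constructed sample wikitext: one benign inline style, one style declaring and
# using a custom property, one with an entity-encoded "--" in the declaration.
SAMPLE_WIKITEXT = """== Benign ==
<div style="color: red; font-weight: bold">ok</div>
== Flagged ==
<span style="--x: 1; width: var(--x)">text</span>
<p style="margin:0;&#45;&#45;y:2">entity-encoded declaration</p>
"""


def _declarations(style_value):
    """Decode character references first, then split into CSS declarations."""
    decoded = html.unescape(style_value)
    return [d.strip() for d in decoded.split(';') if d.strip()]


def _is_variable_declaration(decl):
    """True if the declaration defines a custom property or references var()."""
    return bool(CUSTOM_PROP_RE.match(decl) or VAR_REF_RE.search(decl))


def uses_css_variables(style_value):
    """True if a style attribute value uses CSS variables in any declaration."""
    return any(_is_variable_declaration(d) for d in _declarations(style_value))


def strip_css_variables(style_value):
    """Return the style value with every CSS-variable declaration removed."""
    kept = [d for d in _declarations(style_value) if not _is_variable_declaration(d)]
    return '; '.join(kept)


def find_css_variable_use(wikitext):
    """Report (line_number, raw_style_value) for each flagged style attribute.

    This is the detection side: the kind of check an abuse filter would apply
    to an edit before it is saved."""
    hits = []
    for line_no, line in enumerate(wikitext.splitlines(), start=1):
        for m in STYLE_ATTR_RE.finditer(line):
            if uses_css_variables(m.group(3)):
                hits.append((line_no, m.group(3)))
    return hits


def sanitize_wikitext(wikitext):
    """Rewrite every style attribute with its CSS-variable declarations stripped.

    This is the sanitizer side: the rendered page keeps ordinary CSS but no
    custom properties or var() references survive."""
    def _replace(m):
        cleaned = strip_css_variables(m.group(3))
        # Re-escape so a decoded quote cannot break out of the attribute.
        return f'{m.group(1)}{m.group(2)}{html.escape(cleaned, quote=True)}{m.group(2)}'
    return STYLE_ATTR_RE.sub(_replace, wikitext)


if __name__ == '__main__':
    for line_no, value in find_css_variable_use(SAMPLE_WIKITEXT):
        print(f'line {line_no}: flagged style="{value}"')
    print(sanitize_wikitext(SAMPLE_WIKITEXT))
```

Running the script flags lines 4 and 5 of the sample and prints the sanitized wikitext, in which the `span` ends up with an empty `style` and the `p` keeps only `margin:0`. The benign `div` passes through unchanged.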