Page MenuHomePhabricator

XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124)
Closed, ResolvedPublic

Description

After T229541 was reported and resolved, I checked MobileFrontend for more instances of Sanitizer::stripAllTags() and found another one in includes/specials/SpecialMobileWatchlist.php and confirmed it also renders an XSS.

Steps to reproduce:

  1. Create a test page or edit any wiki page
  2. Enter some JavaScript within the edit summary field, e.g. <script>alert('xss')</script>
  3. Add this page to your watchlist
  4. Visit the mobile version of your watchlist feed, e.g. https://en.m.wikipedia.org/w/index.php?title=Special:Watchlist&watchlistview=feed&filter=all

n.b. there are a few more calls to Sanitizer::stripAllTags within other extensions and it's probably worth auditing these. I think we're also hoping to catch more issues like this by setting Sanitizer::stripAllTags' @return-taint to tainted for phan-taint-check.

Event Timeline

sbassett created this task.Aug 15 2019, 8:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 15 2019, 8:32 PM
sbassett triaged this task as Unbreak Now! priority.Aug 15 2019, 8:34 PM

Proposed patch, same mitigation as T229541:

sbassett updated the task description. (Show Details)Aug 16 2019, 2:02 PM

Patch tested locally, worked fine. Deployed patch to wmf/1.34.0-wmf.17 and tested. I'll request another CVE for this one. Once I have the id, I'll make this task public and backport to master and supported release branches in gerrit.

sbassett lowered the priority of this task from Unbreak Now! to High.Aug 16 2019, 7:51 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Wed, Aug 21, 9:30 PM

Change 531565 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/MobileFrontend@master] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531565

Change 531566 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/MobileFrontend@REL1_33] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531566

Change 531567 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/MobileFrontend@REL1_32] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531567

Change 531568 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/MobileFrontend@REL1_31] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531568

Change 531565 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@master] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531565

Change 531568 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_31] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531568

Change 531566 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_33] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531566

Change 531567 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_32] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531567

sbassett closed this task as Resolved.Thu, Aug 22, 2:18 PM
sbassett claimed this task.
sbassett removed a project: Patch-For-Review.

Backports complete in gerrit, resolving task for now.

sbassett renamed this task from XSS in edit summary for ex:MobileFrontend Special:Watchlist to XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124).Tue, Sep 3, 6:05 PM