Page MenuHomePhabricator
Create Task
Maniphest T230576

XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124)
Closed, ResolvedPublic
Actions

Description

After T229541 was reported and resolved, I checked MobileFrontend for more instances of Sanitizer::stripAllTags() and found another one in includes/specials/SpecialMobileWatchlist.php and confirmed it also renders an XSS.

Steps to reproduce:

  1. Create a test page or edit any wiki page
  2. Enter some JavaScript within the edit summary field, e.g. <script>alert('xss')</script>
  3. Add this page to your watchlist
  4. Visit the mobile version of your watchlist feed, e.g. https://en.m.wikipedia.org/w/index.php?title=Special:Watchlist&watchlistview=feed&filter=all

n.b. there are a few more calls to Sanitizer::stripAllTags within other extensions and it's probably worth auditing these. I think we're also hoping to catch more issues like this by setting Sanitizer::stripAllTags' @return-taint to tainted for phan-taint-check.

Details

SubjectRepoBranchLines +/-
SECURITY: escape edit summaries in mobile watchlist pagemediawiki/extensions/MobileFrontendREL1_31+1 -1
SECURITY: escape edit summaries in mobile watchlist pagemediawiki/extensions/MobileFrontendREL1_32+1 -1
SECURITY: escape edit summaries in mobile watchlist pagemediawiki/extensions/MobileFrontendREL1_33+1 -1
SECURITY: escape edit summaries in mobile watchlist pagemediawiki/extensions/MobileFrontendmaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

sbassett created this task.Aug 15 2019, 8:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 15 2019, 8:32 PM
MarcoAurelio added projects: MobileFrontend, Vuln-XSS.Aug 15 2019, 8:33 PM
sbassett triaged this task as Unbreak Now! priority.Aug 15 2019, 8:34 PM
sbassett added subscribers: MarcoAurelio, MaxSem, Reedy, tstarling.
sbassett added a comment.Aug 15 2019, 8:45 PM

Proposed patch, same mitigation as T229541:

T230576.patch1 KBDownload

sbassett added a project: Patch-For-Review.Aug 15 2019, 8:46 PM
sbassett updated the task description. (Show Details)Aug 16 2019, 2:02 PM
sbassett added a comment.Aug 16 2019, 7:50 PM

Patch tested locally, worked fine. Deployed patch to wmf/1.34.0-wmf.17 and tested. I'll request another CVE for this one. Once I have the id, I'll make this task public and backport to master and supported release branches in gerrit.

sbassett lowered the priority of this task from Unbreak Now! to High.Aug 16 2019, 7:51 PM
sbassett removed a project: Patch-For-Review.Aug 16 2019, 7:59 PM
sbassett added a comment.Aug 16 2019, 9:42 PM

Update: CVE-2019-15124.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 21 2019, 9:30 PM
gerritbot added a comment.Aug 21 2019, 9:30 PM

Change 531565 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/MobileFrontend@master] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531565

gerritbot added a project: Patch-For-Review.Aug 21 2019, 9:30 PM

Change 531566 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/MobileFrontend@REL1_33] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531566

gerritbot added a comment.Aug 21 2019, 9:31 PM

Change 531567 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/MobileFrontend@REL1_32] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531567

gerritbot added a comment.Aug 21 2019, 9:32 PM

Change 531568 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/MobileFrontend@REL1_31] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531568

gerritbot added a comment.Aug 21 2019, 10:10 PM

Change 531565 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@master] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531565

ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.20; 2019-08-27).Aug 21 2019, 11:00 PM
gerritbot added a comment.Aug 22 2019, 2:09 PM

Change 531568 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_31] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531568

gerritbot added a comment.Aug 22 2019, 2:10 PM

Change 531566 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_33] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531566

gerritbot added a comment.Aug 22 2019, 2:10 PM

Change 531567 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_32] SECURITY: escape edit summaries in mobile watchlist page

https://gerrit.wikimedia.org/r/531567

sbassett closed this task as Resolved.Aug 22 2019, 2:18 PM
sbassett claimed this task.
sbassett removed a project: Patch-For-Review.

Backports complete in gerrit, resolving task for now.

sbassett renamed this task from XSS in edit summary for ex:MobileFrontend Special:Watchlist to XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124).Sep 3 2019, 6:05 PM
sbassett mentioned this in T232113: Write and send supplementary release announcement for extensions with security patches (MediaWiki 1.31.4/1.32.4/1.33.1).Sep 5 2019, 3:38 PM
chasemp added a project: Security.Feb 10 2020, 10:54 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
sbassett updated the task description. (Show Details)Mar 24 2020, 2:07 AM
Jdlrobson edited projects, added MobileFrontend (MobileFrontend Special Pages); removed MobileFrontend.Jan 20 2022, 1:22 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits